X.509 at the University of Michigan
Download
Report
Transcript X.509 at the University of Michigan
X.509 at the
University of Michigan
CIC-RPG Meeting June 7, 1999
Kevin Coffman ([email protected])
Bill Doster ([email protected])
Project Goals
Transparent Web Authentication
Eliminate password prompts
Lotus Notes Authentication
Position for inter-institution
Authentication
Non-Goals
Not a complete PKI
Not to be used for document signing
Not to be used for encryption
Not a complete replacement of the
current cookie method
Why X.509?
An accepted standard
Application support out of the box
– Web servers, web browsers, directory
servers, IMAP servers, etc.
Allows the possibility for inter-institution
authentication
No need for N²-1 cross-realm trusts
Description
Use short-term (approximately 1 day)
certificates - “Junk Keys”
Obtain certificates securely
For Authentication ONLY!
Use OpenSSL for creating and signing
certificates
Why “Junk Keys”?
Revocation becomes a non-issue
Private Key storage is less an issue
Certificate publication for sharing is not
necessary
Certificate management is less critical
Drawbacks
Cannot be used for signing or
encryption
Not possible to verify certificate via
LDAP
Options for obtaining the
CA’s Certificate
Bake it into browsers we distribute
Via a web interface using SSL and
Verisign Certificate
Store it in the file-system
Obtaining CA
Certificate via Web
Green lines imply
SSL Protected
CA
Browser
Netscape or
Internet Explorer
Certificate
Apache + OpenSSL
+ Scripts
+ Verisign Certificate
Options for obtaining the
User Certificate
Via a web-based interface [ SSL ]
Pam / Gina / Login [ TGT or SSL ]
Standalone program [ TGT (or SSL) ]
Leave it up to application [ TGT (or SSL) ]
Obtaining User Certificate via
Web (Netscape)
Web server / CA
Netscape Browser
User selects URL
ID and password??
ID and password
Verify identity
keyGen
Generate key pair
and store keys
Public Key
Signed Certificate
Store Certificate
• Lookup full name
• Lookup Entity ID
• Generate and
Sign Certificate
Obtaining User Certificate via
Web (IE part 1)
Web server / CA
Internet Explorer Browser
ieReq.pl
User selects URL
ID ??
Send a VBScript
asking for
user’s unique ID
Obtaining User Certificate via
Web (IE part 2)
Web server / CA
Internet Explorer Browser
ID (uniqname)
password ??
Run VBScript to
generate key pair
and PKCS #10 request
ieGenReq.pl
• Lookup full name
• Lookup Entity ID
• Generate VBScript
to create key pair
and PKCS #10
request
Obtaining User Certificate via
Web (IE part 3)
Web server / CA
Internet Explorer Browser
password +
PKCS #10
PKCS #7
Run VBSript to
accept PKCS #7
Phew! Done!
ieTreatReq.pl
• Check password
• Generate
certificate
and wrap it in
PKCS #7 format
• Generate
VBScript to
accept PKCS #7
Obtaining User Certificate via
Standalone Pgm (Netscape)
Certificate Authority
Client Machine
public key
getcert
keyutil
certutil
key3.db
cert7.db
signed certificate
• Lookup full name
• Lookup Entity ID
• Generate and sign
certificate
Orange lines imply
Kerberized exchange
Obtaining User Certificate via
Standalone Program (IE)
Certificate Authority
Client Machine
Use OpenSSL to
generate key pair
public key
signed certificate
• Store key pair
• Store certificate
• Lookup full name
• Lookup Entity ID
• Generate and sign
certificate
Storing the Certificates
How to destroy the certificates after
use?
NT 4.0 w/SP3 and later has special
storage classes that lives only for the
life of a login
Make use of Kerberos credential
storage?
Internet Explorer vs. Netscape
Problems
Documentation - Flood or Drought
Macintosh support lags other platforms
Current Status
Internet Explorer (Windows only) looks
promising
Netscape (Windows, Solaris) do-able
but not clean
Macintosh support does not currently
look promising for either browser
References
This presentation:
– http://www.citi.umich.edu/u/kwc/Presentations/X509June1999
OpenSSL:
– http://www.openssl.org/
Netscape Security Services:
– http://home.netscape.com/nss/v1.2/index.html
Microsoft CryptoAPI:
– http://www.microsoft.com/security/tech/CryptoAPI/default.asp
?? Questions / Discussion ??