X.509 at the University of Michigan

X.509 at the University of Michigan
CIC-RPG Meeting, June 7, 1999
Kevin Coffman ([email protected])
Bill Doster ([email protected])

Project Goals
• Transparent Web Authentication
• Eliminate password prompts
• Lotus Notes Authentication
• Position for inter-institution authentication

Non-Goals
• Not a complete PKI
• Not to be used for document signing
• Not to be used for encryption
• Not a complete replacement of the current cookie method

Why X.509?
• An accepted standard
• Application support out of the box
  – Web servers, web browsers, directory servers, IMAP servers, etc.
• Allows the possibility for inter-institution authentication
• No need for N²-1 cross-realm trusts

Description
• Use short-term (approximately 1 day) certificates – “Junk Keys”
• Obtain certificates securely
• For Authentication ONLY!
• Use OpenSSL for creating and signing certificates

Why “Junk Keys”?
• Revocation becomes a non-issue
• Private key storage is less of an issue
• Certificate publication for sharing is not necessary
• Certificate management is less critical

Drawbacks
• Cannot be used for signing or encryption
• Not possible to verify certificate via LDAP

Options for obtaining the CA’s Certificate
• Bake it into browsers we distribute
• Via a web interface using SSL and Verisign Certificate
• Store it in the file-system

Obtaining CA Certificate via Web
(Diagram: the browser, Netscape or Internet Explorer, fetches the CA certificate from the CA host, which runs Apache + OpenSSL + scripts and holds a Verisign certificate. Green lines imply SSL protected.)

Options for obtaining the User Certificate
• Via a web-based interface [ SSL ]
• Pam / Gina / Login [ TGT or SSL ]
• Standalone program [ TGT (or SSL) ]
• Leave it up to application [ TGT (or SSL) ]

Obtaining User Certificate via Web (Netscape)
(Diagram: exchange between the Netscape browser and the web server / CA)
• Browser: user selects URL
• Server: ID and password??
• Browser: ID and password
• Server: verify identity; send keyGen
• Browser: generate key pair and store keys; send public key
• Server: lookup full name, lookup Entity ID, generate and sign certificate; send signed certificate
• Browser: store certificate

Obtaining User Certificate via Web (IE part 1)
(Diagram: exchange between the Internet Explorer browser and the web server / CA)
• Browser: user selects URL
• Server (ieReq.pl): ID ?? Send a VBScript asking for the user’s unique ID

Obtaining User Certificate via Web (IE part 2)
(Diagram: exchange between the Internet Explorer browser and the web server / CA)
• Browser: ID (uniqname)
• Server (ieGenReq.pl): lookup full name, lookup Entity ID, generate VBScript to create key pair and PKCS #10 request; password ??
• Browser: run VBScript to generate key pair and PKCS #10 request

Obtaining User Certificate via Web (IE part 3)
(Diagram: exchange between the Internet Explorer browser and the web server / CA)
• Browser: password + PKCS #10
• Server (ieTreatReq.pl): check password, generate certificate and wrap it in PKCS #7 format, generate VBScript to accept PKCS #7; send PKCS #7
• Browser: run VBScript to accept PKCS #7. Phew! Done!

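The IE exchange above carried out with the openssl command line, as an added example that is not the presenters’ ieReq.pl / ieGenReq.pl / ieTreatReq.pl scripts: it shows the one-day validity, the authentication-only key usage and the PKCS #7 wrapping. It assumes openssl is on PATH; the organisation, user names and file paths are constructed, and the UID attribute stands in for the uniqname.

```shell
#!/bin/sh
# Constructed stand-in for the CA-side scripts on the slides, using the openssl command line.
# Assumes openssl is on PATH; the organisation, user names and file paths are made up.
set -eu
WORK=$(mktemp -d)

# One-time CA setup (the Apache + OpenSSL host). The CA key never leaves this host.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example University/CN=Junk Key CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Browser side (keyGen, or the VBScript that ieGenReq.pl hands out): a fresh key pair and a
# PKCS #10 request carrying the subject the server looked up ($1 = full name, $2 = uniqname).
make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example University/CN=$1/UID=$2" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
}

# CA side after the password check (ieTreatReq.pl): refuse a request that no longer names the
# user the CA looked up, sign for one day with TLS client authentication as the only permitted
# use, and wrap the result in PKCS #7 for Internet Explorer.
issue_junk_cert() {
    got=$(openssl req -in "$WORK/user.csr" -noout -subject -nameopt RFC2253)
    [ "$got" = "subject=UID=$2,CN=$1,O=Example University" ] || return 1
    cat > "$WORK/ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/ext.cnf" -out "$WORK/user.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$WORK/user.crt" -certfile "$WORK/ca.crt" \
        -out "$WORK/user.p7b"
}

# Web server side: chain to the CA and check the validity window, nothing more. No CRL or
# LDAP lookup is needed, which is the point of junk keys: the certificate dies within a day.
accept_client() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/user.crt" >/dev/null 2>&1
}
```

In the Netscape keyGen flow the browser sends an SPKAC rather than a PKCS #10 request, so the signing step would use openssl ca -spkac instead of openssl x509 -req.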
Obtaining User Certificate via Standalone Pgm (Netscape)
(Diagram: exchange between the client machine and the Certificate Authority; orange lines imply Kerberized exchange)
• Client machine (getcert, keyutil, certutil, key3.db, cert7.db): send public key
• CA: lookup full name, lookup Entity ID, generate and sign certificate; return signed certificate

Obtaining User Certificate via Standalone Program (IE)
(Diagram: exchange between the client machine and the Certificate Authority)
• Client machine: use OpenSSL to generate key pair; send public key
• CA: lookup full name, lookup Entity ID, generate and sign certificate; return signed certificate
• Client machine: store key pair, store certificate

Storing the Certificates
• How to destroy the certificates after use?
• NT 4.0 w/SP3 and later has special storage classes that live only for the life of a login
• Make use of Kerberos credential storage?
• Internet Explorer vs. Netscape

Problems
• Documentation – flood or drought
• Macintosh support lags other platforms

Current Status
• Internet Explorer (Windows only) looks promising
• Netscape (Windows, Solaris) is do-able but not clean
• Macintosh support does not currently look promising for either browser

References
• This presentation:
  – http://www.citi.umich.edu/u/kwc/Presentations/X509June1999
• OpenSSL:
  – http://www.openssl.org/
• Netscape Security Services:
  – http://home.netscape.com/nss/v1.2/index.html
• Microsoft CryptoAPI:
  – http://www.microsoft.com/security/tech/CryptoAPI/default.asp

?? Questions / Discussion ??