Computer and Network Security Group
Download
Report
Transcript Computer and Network Security Group
EuroPKI
Antonio Lioy
< lioy @ polito.it >
Politecnico di Torino
Dip. Automatica e Informatica
The Copernican revolution
secure
Web
secure
e-mail
secure
remote
access
IP
security
secure
boot
X.509
certificate
secure
VPN
Win2000
security
no viruses
& Trojan horses
role-based
security
secure
DNS
The actual (Ptolemaic) poor situation
file
transfer
login
login
DBMS
SSH (univ.)
S/MIME
pwd (univ.)
POP
web
web
pwd (ISP)
PKI (X)
What is EuroPKI?
EuroPKI is a spontaneous aggregation of
certification authorities that share the vision
of setting-up a pan-European PKI to support
the deployment of effective interoperable
network security techniques.
Background
ICE-TEL project (1997-1998)
ICE-CAR project (1999-2000)
various national projects (1996-2000)
since January 1, 2000: EuroPKI
EuroPKI
EuroPKI
Austria
EuroPKI
Slovenia
EuroPKI TLCA
EuroPKI
Italy
people
servers
Politecnico di
Torino CA
EETIC CA
City of
Rome CA
Costituency
root +
AT (IAIK)
IE (TCD)
IT (POLITO)
Italian tree, with 4 City Halls
integration with the Italian identity chip-card
SI (IJS)
Slovenian tree
UK (UCL)
Prospective partners
there have been talks within the TERENA
PKI-coord task force
expressions of interest from:
Surfnet (NL)
Rediris (ES)
Thessaloniki Univ. (GR)
Garr (IT)
Why a hierarchy?
it’s the only solution that works
now
for most applications (especially COTS)
EuroPKI might move to other schemas
(e.g., cross-certification, bridge) if and
when applications will be available
EuroPKI services
EuroPKI is not “selling” services although it
provides:
certification
revocation
publication
data and cert validation
aggregation point for:
competence centre
coordination
Certification
X.509v3 certificates
global CP (Certification Policy)
local CPS (Certification Practice Statement)
Certification policy
current draft:
28 pages
based on RFC-2527 (with extensions)
basic idea:
be as little restrictive as possible to allow
anybody to join ...
... while retaining a level of security
useful for practical applications
Strong CP requirements
personal identification of the subject
secure management of the CA
periodic publication of CRL
Applications supported
Web:
SSL/TLS
signed applets
SSL-based applications:
telnet, FTP, SMTP, POP, IMAP, ...
e-mail and secure documents:
S/MIME, PKCS-7, CMS, …
IPsec (also on routers via SCEP)
(looking into secure DNS)
Publication
certificates and CRLs
Web servers:
for humans
directory server:
for applications
LDAP (local) directories
X.500 (global) directory
X.521 schema
Revocation
CRL (Certificate Revocation List)
cumulative list of revoked certificates
issued periodically
updated as needed
OCSP (On-Line Certificate Status Protocol):
“is this cert valid now?”
unknown, valid, invalid
Time-stamping
proof of data existence at a given date
IETF-PKIX-TSP-draft-14
TSP server (Win32, Unix)
TSP client (cmd-line, GUI only for Win32)
TSP server
OCSP
OCSP server (Unix, Win32)
automatic CRL collection from several Cas
OCSP library + cmd-line client (Unix, NT)
CRL
OCSP
(embedded)
client
OCSP
server
CRL
SSL-telnet, SSL-ftp
SSL channel
server authentication
client authentication can supplement or
replace passwords
server for Unix and Win32 (FTP only)
client for Unix (cmd-line) and Win32 (GUI)
SSL-x client
SSL-x server
LDAP, OCSP
Authentication or authorization?
most of the problems are trust-related
often this is due to the wrong and
unnecessary coupling of authentication with
authorization
we need to cut this node:
authenticate only once and globally
authorization on a local basis, with local
control
Attributes / roles / permissions …
where should
I put additional
infos related
to a certificate?
inside the certificate, in order
to keep all data together
in a directory, or
in an attribute certificate
Next steps
European digital signature law:
qualified certificates
voluntary accreditation
support for other EC projects:
NASTEC (PKI-based secure IS; PKI at least
for Poland and Romania)
TESI (CDSA-based security middleware)
On-going technical work
cleanly separate authentication and
authorization (local file, LDAP, AC, …)
DNS as a repository, DNSsec
automatic policy negotiation (L3 … L7):
policy description (XML-based language)
policy negotiation (ISPP)
policy compliance (enforcement gateway)
integration with Win2000:
LDAP
IPsec
DNSsec
Future
I have a dream ...
... a pan-european
open and public PKI
to enable network security
who is interested?
EuroPKI?