Computer and Network Security Group - TERENA Networking ...

slurpslapoutNetworking and Communications

Nov 20, 2013 (3 years and 8 months ago)

69 views


EuroPKI



Antonio Lioy

< lioy @ polito.it >


Politecnico di Torino

Dip. Automatica e Informatica

secure

Web

secure

e
-
mail

secure

remote

access

secure

VPN

secure

DNS

X.509

certificate

The Copernican revolution

Win2000

security

secure

boot

no viruses

& Trojan horses

IP

security

role
-
based

security

The actual (Ptolemaic) poor situation

pwd (ISP)

POP

web

login

pwd (univ.)

DBMS

SSH (univ.)

login

file

transfer

PKI (X)

S/MIME

web

What is EuroPKI?

EuroPKI is a spontaneous aggregation of
certification authorities that share the vision
of setting
-
up a pan
-
European PKI to support
the deployment of effective interoperable
network security techniques.

Background


ICE
-
TEL project (1997
-
1998)


ICE
-
CAR project (1999
-
2000)


various national projects (1996
-
2000)



since January 1, 2000:
EuroPKI

EuroPKI

EuroPKI TLCA

Politecnico di

Torino CA

City of

Rome CA

people

servers

EETIC CA

EuroPKI

Slovenia

EuroPKI

Italy

EuroPKI

Austria

Costituency


root +


AT (IAIK)


IE (TCD)


IT (POLITO)


Italian tree, with 4 City Halls


integration with the Italian identity chip
-
card


SI (IJS)


Slovenian tree


UK (UCL)

Prospective partners


there have been talks within the TERENA
PKI
-
coord task force


expressions of interest from:


Surfnet (NL)


Rediris (ES)


Thessaloniki Univ. (GR)


Garr (IT)

Why a hierarchy?


it’s the only solution that works


now


for most applications (especially COTS)



EuroPKI might move to other schemas
(e.g., cross
-
certification, bridge) if and
when
applications

will be available

EuroPKI services


EuroPKI is not “selling” services although it
provides:


certification


revocation


publication


data and cert validation



aggregation point for:


competence centre


coordination

Certification


X.509v3 certificates



global CP (Certification Policy)



local CPS (Certification Practice Statement)


Certification policy


current draft:


28 pages


based on RFC
-
2527 (with extensions)


basic idea:


be as little restrictive as possible to allow
anybody to join ...


... while retaining a level of security
useful for practical applications

Strong
CP requirements


personal identification of the subject



secure management of the CA



periodic publication of CRL

Applications supported


Web:


SSL/TLS


signed applets


SSL
-
based applications:


telnet, FTP, SMTP, POP, IMAP, ...


e
-
mail

and secure documents
:


S/MIME
, PKCS
-
7, CMS, …


IPsec (
also on routers via

SCEP)


(looking into secure
DNS
)

Publication


certificates and CRLs



Web servers:


for humans



directory server:


for applications


LDAP (local) directories


X.500 (global) directory


X.521 schema

Revocation


CRL (Certificate Revocation List)


cumulative list of revoked certificates


issued periodically


updated as needed



OCSP (On
-
Line Certificate Status Protocol):


“is this cert valid now?”


unknown, valid, invalid

Time
-
stamping


proof of data existence at a given date


IETF
-
PKIX
-
TSP
-
draft
-
14


TSP server (Win32, Unix)


TSP client (
cmd
-
line,
GUI
only
for Win32)

TSP server

OCSP


OCSP server (Unix, Win32)


automatic CRL collection from several Cas


OCSP library + cmd
-
line client (Unix, NT)

OCSP

server

CRL

CRL

OCSP

(embedded)

client

SSL
-
telnet, SSL
-
ftp


SSL channel


server authentication


client authentication can supplement or
replace passwords


server for Unix and Win32 (FTP only)


client for Unix (cmd
-
line) and Win32 (GUI)

SSL
-
x server

SSL
-
x client

LDAP, OCSP

Authentication or authorization?


most of the problems are trust
-
related


often this is due to the wrong and
unnecessary coupling of authentication with
authorization


we need to cut this node:


authenticate only once and globally


authorization on a local basis, with local
control

Attribute
s / roles / permissions …

where should

I put additional

infos related

to a certificate?

in a
directory
, or

in an
attribute certificate

inside the certificate, in order

to keep all data together

Next steps


European digital signature law
:


qualified certificates


voluntary accreditation



support for other EC projects:


NASTEC (PKI
-
based secure IS; PKI at least
for Poland and Romania)


TESI (CDSA
-
based security middleware)

On
-
going technical work


cleanly separate authentication and
authorization (local file, LDAP, AC, …)


DNS as a repository, DNSsec


automatic policy negotiation

(L3 … L7):


policy description (XML
-
based language)


policy negotiation (ISPP)


policy compliance (enforcement gateway)


integration with Win2000:


LDAP


IPsec


DNSsec

Future


I have a dream ...



... a pan
-
european

open and public PKI

to enable network security



who is interested?

EuroPKI?