Computer and Network Security Group

Download Report

Transcript Computer and Network Security Group 

EuroPKI
Antonio Lioy
< lioy @ polito.it >
Politecnico di Torino
Dip. Automatica e Informatica
The Copernican revolution
secure
Web
secure
e-mail
secure
remote
access
IP
security
secure
boot
X.509
certificate
secure
VPN
Win2000
security
no viruses
& Trojan horses
role-based
security
secure
DNS
The actual (Ptolemaic) poor situation
file
transfer
login
login
DBMS
SSH (univ.)
S/MIME
pwd (univ.)
POP
web
web
pwd (ISP)
PKI (X)
What is EuroPKI?
EuroPKI is a spontaneous aggregation of
certification authorities that share the vision
of setting-up a pan-European PKI to support
the deployment of effective interoperable
network security techniques.
Background

ICE-TEL project (1997-1998)
ICE-CAR project (1999-2000)
various national projects (1996-2000)

since January 1, 2000: EuroPKI


EuroPKI
EuroPKI
Austria
EuroPKI
Slovenia
EuroPKI TLCA
EuroPKI
Italy
people
servers
Politecnico di
Torino CA
EETIC CA
City of
Rome CA
Costituency

root +
 AT (IAIK)
 IE (TCD)
 IT (POLITO)
 Italian tree, with 4 City Halls
 integration with the Italian identity chip-card
 SI (IJS)
 Slovenian tree
 UK (UCL)
Prospective partners


there have been talks within the TERENA
PKI-coord task force
expressions of interest from:
 Surfnet (NL)
 Rediris (ES)
 Thessaloniki Univ. (GR)
 Garr (IT)
Why a hierarchy?

it’s the only solution that works
 now
 for most applications (especially COTS)

EuroPKI might move to other schemas
(e.g., cross-certification, bridge) if and
when applications will be available
EuroPKI services

EuroPKI is not “selling” services although it
provides:
 certification
 revocation
 publication
 data and cert validation

aggregation point for:
 competence centre
 coordination
Certification

X.509v3 certificates

global CP (Certification Policy)

local CPS (Certification Practice Statement)
Certification policy


current draft:
 28 pages
 based on RFC-2527 (with extensions)
basic idea:
 be as little restrictive as possible to allow
anybody to join ...
 ... while retaining a level of security
useful for practical applications
Strong CP requirements

personal identification of the subject

secure management of the CA

periodic publication of CRL
Applications supported





Web:
 SSL/TLS
 signed applets
SSL-based applications:
 telnet, FTP, SMTP, POP, IMAP, ...
e-mail and secure documents:
 S/MIME, PKCS-7, CMS, …
IPsec (also on routers via SCEP)
(looking into secure DNS)
Publication

certificates and CRLs

Web servers:
 for humans

directory server:
 for applications
 LDAP (local) directories
 X.500 (global) directory
 X.521 schema
Revocation

CRL (Certificate Revocation List)
 cumulative list of revoked certificates
 issued periodically
 updated as needed

OCSP (On-Line Certificate Status Protocol):
 “is this cert valid now?”
 unknown, valid, invalid
Time-stamping




proof of data existence at a given date
IETF-PKIX-TSP-draft-14
TSP server (Win32, Unix)
TSP client (cmd-line, GUI only for Win32)
TSP server
OCSP



OCSP server (Unix, Win32)
automatic CRL collection from several Cas
OCSP library + cmd-line client (Unix, NT)
CRL
OCSP
(embedded)
client
OCSP
server
CRL
SSL-telnet, SSL-ftp





SSL channel
server authentication
client authentication can supplement or
replace passwords
server for Unix and Win32 (FTP only)
client for Unix (cmd-line) and Win32 (GUI)
SSL-x client
SSL-x server
LDAP, OCSP
Authentication or authorization?



most of the problems are trust-related
often this is due to the wrong and
unnecessary coupling of authentication with
authorization
we need to cut this node:
 authenticate only once and globally
 authorization on a local basis, with local
control
Attributes / roles / permissions …
where should
I put additional
infos related
to a certificate?
inside the certificate, in order
to keep all data together
in a directory, or
in an attribute certificate
Next steps

European digital signature law:
 qualified certificates
 voluntary accreditation

support for other EC projects:
 NASTEC (PKI-based secure IS; PKI at least
for Poland and Romania)
 TESI (CDSA-based security middleware)
On-going technical work




cleanly separate authentication and
authorization (local file, LDAP, AC, …)
DNS as a repository, DNSsec
automatic policy negotiation (L3 … L7):
 policy description (XML-based language)
 policy negotiation (ISPP)
 policy compliance (enforcement gateway)
integration with Win2000:
 LDAP
 IPsec
 DNSsec
Future

I have a dream ...

... a pan-european
open and public PKI
to enable network security

who is interested?
EuroPKI?