Personal Digital Certificates at Virginia Tech: Who Are You? Mary Dunker


Personal Digital Certificates
at Virginia Tech:
Who Are You?
Mary Dunker
Internet2
December 4, 2006
[email protected]
Personal Digital Certificates at VT
• Background
• Implementation
– Application Selection
– Sponsorship
– Six Projects
• Future Challenges
Personal Digital Certificates at VT:
Background
Why issue VT Personal Digital Certificates?
• Move processes online where ID/Password is not good enough to replace pen and ink.
• Implement two-factor authentication, per recommendation from VT IT Security Task Force.
• Establish VT issuance procedure.
Personal Digital Certificates at VT
How do we know who you are?
Personal Digital Certificates at VT
Challenge: Application Selection
• Leave Reports
• Grant Proposals
• Travel Vouchers
• S/MIME e-mail
• Various departmental forms
• Phone Bills
• ~20 more ideas…
Personal Digital Certificates at VT
Digital Signatures for Leave Reports: an ambitious endeavor
• All employees (a challenge as well as a plus)
• Secure online process improvement
• Does not require key escrow (a signing-only key, unlike an encryption key, never has to be recoverable)
• Departments would create their own leave solutions anyway if we did nothing centrally.
• Phased approach. HR required all employees in a department to sign the leave report the same way.
Personal Digital Certificates at VT
Sponsorship
• Vice President for Information Technology
• Funding from Executive Vice President
Personal Digital Certificates at VT
Six Projects: A coordination challenge
1. Infrastructure
2. Policy
3. Device Selection
4. Integration
5. Token Administration System
6. Documentation and Communication
Personal Digital Certificates at VT
Infrastructure Project
• Root CA – offline, already in place
• Class 1 Server CA – offline, already in place
• Middleware CA – offline, already in place
• User CA – online, needed to be created
Personal Digital Certificates at VT
Infrastructure Project
• IBM xSeries 335 and Dell PowerEdge 1850 class servers. Redundant, manual fail-over.
• Red Hat Linux
• OpenCA 0.9.1 for Root, Class 1 and Middleware CAs
• OpenCA 0.9.2 for User CA
Personal Digital Certificates at VT
Infrastructure Project
• OpenCA software works as designed.
• 0.9.2 performance increase over 0.9.1.
• Documentation needs work.
• User interface needs work.
• VT end users do not interact with OpenCA.
Personal Digital Certificates at VT
Hardware Security Modules
• 1 offline, 1 online for User CA
• LunaCA3 and LunaSA, FIPS 140-2 Level 3
• Strong multifactor authentication
• CA Administrator uses key token and PIN to access the private area of the HSM that contains the private keys.
• Very secure, but requires m of n people in order to sign or change.
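To make the "m of n" requirement concrete, the block below is an added example and is not part of Mary Dunker's slides or of the Luna HSM firmware: it shows the threshold idea in its general form, Shamir secret sharing over a prime field, in which n custodians each hold one share and any m of them can reconstruct a secret while m-1 of them learn nothing about it. An HSM applies the same rule to activation of the partition holding the CA private key; how the Luna PED keys implement it internally is not described on the slides, and the share counts, field prime and sample secret here are the example's own choices.

```python
"""Added example, not from the VT presentation or any HSM vendor: m-of-n control
over a secret via Shamir secret sharing. Threshold, share count, field prime
and the sample secret below are constructed for illustration."""
import secrets
from typing import List, Tuple

# All arithmetic is in the prime field GF(P). 2**127 - 1 is prime, so any
# secret that fits in 126 bits (e.g. a 15-byte wrapping key) can be shared.
P = 2**127 - 1

Share = Tuple[int, int]  # (x, f(x)) held by one custodian


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of f(x) = coeffs[0] + coeffs[1]*x + ... (mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, m: int, n: int, rng=None) -> List[Share]:
    """Split `secret` into n shares such that any m of them reconstruct it.

    The secret is the constant term of a random polynomial of degree m-1;
    custodian k receives the point (k, f(k)). With fewer than m points every
    value of the constant term remains equally likely, which is why m-1
    colluding custodians are no better off than zero.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be an element of GF(P)")
    rng = rng or secrets.SystemRandom()
    coeffs = [secret] + [rng.randrange(1, P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares: List[Share]) -> int:
    """Lagrange-interpolate f(0) from the given shares.

    Correct whenever at least m shares with distinct x are supplied; with
    fewer, the result is a uniformly random field element, not the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def quorum_present(shares: List[Share], m: int) -> bool:
    """The access-control decision an HSM makes: enough distinct holders present?"""
    return len({x for x, _ in shares}) >= m


if __name__ == "__main__":
    # Constructed scenario: a 3-of-5 split of a 120-bit key among five CA officers.
    key = int.from_bytes(secrets.token_bytes(15), "big")
    shares = split_secret(key, m=3, n=5)
    assert reconstruct(shares[:3]) == key
    assert reconstruct(shares[2:5]) == key
    assert reconstruct(shares[:2]) != key  # two officers recover garbage
    print("3-of-5 reconstruction OK; 2-of-5 yields nothing useful")
```

The point for a CA operator is the second assertion: losing two of five officers still leaves a working quorum, while compromise of any two tokens does not expose the key. That is the same trade-off the slide summarises as "very secure, but requires m of n people."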
Personal Digital Certificates at VT
Policy Project
• VT Certificate Policy created before PKI-Lite was completed.
• Modeled on RFC 2527, since obsoleted by RFC 3647 (Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework).
• Policy Management Authority created to approve policies, resolve issues.
Personal Digital Certificates at VT
Policy Project
• Policy Project team drafted CPS, brought questions to PMA.
• User CPS drove development and administration of Token Administration System (TAS).
• Lengthy process but extremely valuable
• VT Internal Audit involved
Personal Digital Certificates at VT
Device Selection Project
• Preliminary work by eProvisioning group
• Form factor considerations
• Must work on Windows, Macintosh, Linux.
• Integration with Hokie Passport card considered but rejected for now.
Personal Digital Certificates at VT
Device Selection Project
Aladdin eToken
• Works with I.E., Firefox, Netscape on required platforms. Safari not supported, but planned.
• USB token form factor does not require a reader.
• IT had already purchased a few hundred.
• More research for phase II. Will the eToken hold up?
• What form factor for students?
• Lost tokens
• Installation scripts had to be written to download VT certificates.
Personal Digital Certificates at VT
Integration Project
• Digital signature added to existing leave report application. Sign vs. submit.
• Leave information stored in database
• Does not require Adobe Acrobat Pro/Writer
• HTML -> PDF -> Base64-encoded file, signed and stored -> PDF for display.
• Web service validates signature.
• Workflow for approval
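The following is an added example, not VT's scripts or OpenCA code, that walks through the two technical pieces described above with openssl: the Infrastructure slides' offline Root CA signing an online User CA that in turn issues personal certificates, and this slide's pipeline of encoding the rendered report, signing the encoded file, storing it, and having a validation step check the result. Everything named in it is constructed: the subject names (Example University, alice), the file names and the report text are illustration only; the Class 1 Server and Middleware CAs are omitted; and the CA and user private keys are plain files here, whereas at VT they lived in the Luna HSMs and on the eToken. The validator also rejects a good signature made with a certificate from outside the hierarchy, which is the check the chain gives you beyond the bare signature.

```shell
#!/bin/sh
# Added example, not VT's own tooling: an openssl stand-in for the offline Root CA ->
# online User CA hierarchy and for the encode/sign/store/validate leave-report pipeline.
# All names, subjects and the "leave report" content are constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension profiles for the two CA tiers. At VT the CA keys sat in the Luna HSMs;
# here they are files so the script runs wherever openssl (1.1.1+) is installed.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ userca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

build_hierarchy() {
    # Root CA: self-signed; it only ever signs subordinate CA certificates.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config ca.cnf -extensions root_ext \
        -subj "/C=US/O=Example University/CN=Example Root CA" \
        -keyout root.key -out root.crt 2>/dev/null
    # User CA: CSR signed by the root, pathlen:0 so it can issue only end-entity certs.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
        -subj "/C=US/O=Example University/CN=Example User CA" \
        -keyout userca.key -out userca.csr 2>/dev/null
    openssl x509 -req -in userca.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile ca.cnf -extensions userca_ext -out userca.crt 2>/dev/null
}

# Issue one personal digital certificate (signing-only key usage, no escrow needed).
# $1 = user id used as file prefix, $2 = e-mail address placed in subjectAltName.
issue_user_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
        -subj "/C=US/O=Example University/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    {
        printf 'basicConstraints = critical, CA:FALSE\n'
        printf 'keyUsage = critical, digitalSignature, nonRepudiation\n'
        printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always\n'
        printf 'subjectAltName = email:%s\n' "$2"
    } > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA userca.crt -CAkey userca.key -CAcreateserial \
        -days 365 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Sign: the rendered report (a PDF at VT, a text file here) is Base64-encoded, and the
# encoded file, not the original, is what gets signed and stored. $1 = user id, $2 = report.
sign_report() {
    openssl base64 -in "$2" -out "$2.b64"
    openssl dgst -sha256 -sign "$1.key" -out "$2.sig" "$2.b64"
}

# Validate (the web service's job): chain to our root first, then the signature.
# $1 = signer certificate, $2 = report file. Returns 0 only if both checks pass.
verify_report() {
    openssl verify -CAfile root.crt -untrusted userca.crt "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -pubkey -noout > "$1.pub"
    openssl dgst -sha256 -verify "$1.pub" -signature "$2.sig" "$2.b64" >/dev/null 2>&1
}

# Stand-alone run with constructed data.
build_hierarchy
issue_user_cert alice alice@example.edu
printf 'Leave report (constructed sample): alice, Nov 2006, 8 h annual leave\n' > report.txt
sign_report alice report.txt
if verify_report alice.crt report.txt; then
    echo "report.txt: chain and signature OK"
else
    echo "report.txt: REJECTED" >&2
    exit 1
fi
```

What is verified is the stored Base64 file byte for byte, so the display step that turns it back into a PDF must never rewrite that file, or the signature stops validating. The chain check is what ties a signature to the VT hierarchy: a self-signed certificate with a perfectly good signature over the same file is rejected by `openssl verify` before the signature is even examined.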
Personal Digital Certificates at VT
Digitally signed leave report
• Required close work with HR.
• Departmental phase-in
• Requirement: entire department converts to digital signature
• Exceptions for people on disability leave
• Departmental leave representatives key players
Personal Digital Certificates at VT
Digitally signed leave report
• Generated lots of questions about how the leave system worked that no one had asked for years.
• How to handle leave that one person enters for another?
• What about people without computers?
• Approvals not based on known supervisory structure.
Personal Digital Certificates at VT
Token Administration System (TAS)
• Issues personal digital certificate (PDC) on Aladdin eToken
• Multiple roles. Procedures documented in User CPS, approved by PMA
• Uses information from VT Enterprise Directory, not Active Directory as the Aladdin administrative tool did
• Allows distributed operation
• Works great when it works
Personal Digital Certificates at VT
Token Administration System (TAS)
• LOTS of policy and procedural decisions.
• Two-person process
  1. Verify identity information using 2 picture IDs and questions.
  2. Write certificate and private key onto eToken.
• Private key not exported off of token.
• Terms and conditions digitally signed by applicant. No sharing of passwords.
• Extension agents at > 100 sites!!!
Personal Digital Certificates at VT
Documentation and Communication Project
• How do you explain all this?
• Project Plans
• Web site – “internal use” updates to http://www.pki.vt.edu/pdc
• E-mail communications from VP for IT
• FAQs
• Knowledge base articles
• Scheduling groups to pick up PDCs
• Presentations to end users
Personal Digital Certificates at VT
Future Challenges
• Phase II of leave report: entire university (6500 employees)
  – Re-evaluation of device
  – How to issue PDCs at remote sites?
  – Employees who do not use computers
• Supporting other applications
  – E-mail, Word documents
  – Departmental applications
  – Two-factor authentication, CAS
• Recognizing VT PDCs outside of VT
Personal Digital Certificates at VT
Future Challenges
• Students (28,000)
  – Device selection
  – Support
• Switching devices requires:
  – Re-testing
  – TAS support
  – New policies/procedures?
  – New installation scripts
  – New training
Personal Digital Certificates at VT
References
• www.pki.vt.edu/pdc
• Internet X.509 PKI Certificate and CRL Profile, RFC 2459 (since obsoleted by RFC 3280): http://www.ietf.org/rfc/rfc2459.txt
• Educause Effective Security Practice: http://www.educause.edu/Browse/705&ITEM_ID=286