EuroPKI
Antonio Lioy <lioy@polito.it>
Politecnico di Torino, Dip. Automatica e Informatica

The Copernican revolution
[diagram labels: secure Web, secure e-mail, secure remote access, IP security, secure boot, X.509 certificate, secure VPN, Win2000 security, no viruses & Trojan horses, role-based security, secure DNS]

The actual (Ptolemaic) poor situation
[diagram labels: file transfer, login, login, DBMS, SSH (univ.), S/MIME, pwd (univ.), POP, web, web, pwd (ISP), PKI (X)]

What is EuroPKI?
EuroPKI is a spontaneous aggregation of certification authorities that share the vision of setting up a pan-European PKI to support the deployment of effective interoperable network security techniques.

Background
- ICE-TEL project (1997-1998)
- ICE-CAR project (1999-2000)
- various national projects (1996-2000)
- since January 1, 2000: EuroPKI

EuroPKI
[diagram labels: EuroPKI Austria, EuroPKI Slovenia, EuroPKI TLCA, EuroPKI Italy, people, servers, Politecnico di Torino CA, EETIC CA, City of Rome CA]

Constituency
root +
- AT (IAIK)
- IE (TCD)
- IT (POLITO)
  - Italian tree, with 4 City Halls
  - integration with the Italian identity chip-card
- SI (IJS)
  - Slovenian tree
- UK (UCL)

Prospective partners
- there have been talks within the TERENA PKI-coord task force
- expressions of interest from:
  - Surfnet (NL)
  - Rediris (ES)
  - Thessaloniki Univ. (GR)
  - Garr (IT)

Why a hierarchy?
- it’s the only solution that works now for most applications (especially COTS)
- EuroPKI might move to other schemas (e.g., cross-certification, bridge) if and when applications become available

EuroPKI services
- EuroPKI is not “selling” services although it provides:
  - certification
  - revocation
  - publication
  - data and cert validation
- aggregation point for:
  - competence centre
  - coordination

Certification
- X.509v3 certificates
- global CP (Certification Policy)
- local CPS (Certification Practice Statement)

Certification policy
- current draft: 28 pages
- based on RFC-2527 (with extensions)
- basic idea: be as little restrictive as possible to allow anybody to join ...
- ... while retaining a level of security useful for practical applications

Strong CP requirements
- personal identification of the subject
- secure management of the CA
- periodic publication of CRL

Applications supported
- Web:
  - SSL/TLS
  - signed applets
- SSL-based applications: telnet, FTP, SMTP, POP, IMAP, ...
- e-mail and secure documents: S/MIME, PKCS-7, CMS, …
- IPsec (also on routers via SCEP)
- (looking into secure DNS)

Publication
- certificates and CRLs
- Web servers: for humans
- directory server: for applications
  - LDAP (local) directories
  - X.500 (global) directory
  - X.521 schema

Revocation
- CRL (Certificate Revocation List):
  - cumulative list of revoked certificates
  - issued periodically
  - updated as needed
- OCSP (On-Line Certificate Status Protocol):
  - “is this cert valid now?”
  - unknown, valid, invalid

Time-stamping
- proof of data existence at a given date
- IETF-PKIX-TSP-draft-14
- TSP server (Win32, Unix)
- TSP client (cmd-line, GUI only for Win32)
[diagram label: TSP server]

OCSP
- OCSP server (Unix, Win32)
- automatic CRL collection from several CAs
- OCSP library + cmd-line client (Unix, NT)
[diagram labels: CRL, OCSP, (embedded) client, OCSP server, CRL]

SSL-telnet, SSL-ftp
- SSL channel
- server authentication
- client authentication
  - can supplement or replace passwords
- server for Unix and Win32 (FTP only)
- client for Unix (cmd-line) and Win32 (GUI)
[diagram labels: SSL-x client, SSL-x server, LDAP, OCSP]

Authentication or authorization?
- most of the problems are trust-related
- often this is due to the wrong and unnecessary coupling of authentication with authorization
- we need to cut this knot:
  - authenticate only once and globally
  - authorization on a local basis, with local control

Attributes / roles / permissions …
- where should I put additional information related to a certificate?
  - inside the certificate, in order to keep all data together
  - in a directory, or in an attribute certificate

Next steps
- European digital signature law:
  - qualified certificates
  - voluntary accreditation
- support for other EC projects:
  - NASTEC (PKI-based secure IS; PKI at least for Poland and Romania)
  - TESI (CDSA-based security middleware)

On-going technical work
- cleanly separate authentication and authorization (local file, LDAP, AC, …)
- DNS as a repository, DNSsec
- automatic policy negotiation (L3 … L7):
  - policy description (XML-based language)
  - policy negotiation (ISPP)
  - policy compliance (enforcement gateway)
- integration with Win2000:
  - LDAP
  - IPsec
  - DNSsec

Future
- I have a dream ...
- ... a pan-European open and public PKI to enable network security
- who is interested?
- EuroPKI?
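
The CRL-backed status service outlined under Revocation and OCSP ("automatic CRL collection from several CAs", answers unknown / valid / invalid), as an added example that is not EuroPKI's code. The `Crl` model, the CA names "CA-A"/"CA-B"/"CA-C" and the serial numbers are constructed, and answering "unknown" for a stale CRL is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:                       # simplified model, not an ASN.1 CRL
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset           # serial numbers revoked so far (cumulative)

class CrlBackedResponder:
    """Answers "is this cert valid now?" from CRLs collected from several CAs."""
    def __init__(self):
        self._latest = {}        # issuer -> newest CRL seen

    def collect(self, crl):      # cumulative CRLs: newest per issuer wins
        current = self._latest.get(crl.issuer)
        if current is None or crl.this_update > current.this_update:
            self._latest[crl.issuer] = crl

    def status(self, issuer, serial, now):
        crl = self._latest.get(issuer)
        if crl is None:
            return "unknown"     # no CRL for this CA: never guess "valid"
        if serial in crl.revoked:
            return "invalid"     # listed as revoked, even on a stale CRL
        if now > crl.next_update:
            return "unknown"     # stale CRL cannot vouch for "now"
        return "valid"           # i.e. not on the latest CRL we hold

def demo():
    # Constructed sample data: hypothetical CAs, made-up serial numbers.
    t0 = datetime(2000, 6, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    r = CrlBackedResponder()
    r.collect(Crl("CA-A", t0, t0 + 7 * day, frozenset({17})))
    r.collect(Crl("CA-A", t0 + day, t0 + 8 * day, frozenset({17, 42})))
    r.collect(Crl("CA-A", t0 - day, t0 + 6 * day, frozenset()))   # older: ignored
    r.collect(Crl("CA-B", t0, t0 + day, frozenset({5})))
    now = t0 + 2 * day
    return {
        "fresh, not listed": r.status("CA-A", 99, now),
        "revoked in newer CRL": r.status("CA-A", 42, now),
        "stale CRL, not listed": r.status("CA-B", 6, now),
        "stale CRL, listed": r.status("CA-B", 5, now),
        "uncollected CA": r.status("CA-C", 1, now),
    }

if __name__ == "__main__":
    print(demo())
```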