11

Personal Digital CertificatesPersonal Digital Certificates at Virginia Tech: at Virginia Tech:

Who Are You?Who Are You?Mary DunkerMary Dunker

Internet-2Internet-2December 4, 2006December 4, 2006

dunker@vt.edudunker@vt.edu

22

Personal Digital Certificates at VTPersonal Digital Certificates at VT

• Background

• Implementation– Application Selection– Sponsorship– Six Projects

• Future Challenges

33

Personal Digital Certificates at VT: Personal Digital Certificates at VT: BackgroundBackground

Why issue VT Personal Digital Certificates?

• Move processes online where ID/Password is not good enough to replace pen and ink.

• Implement two-factor authentication, per recommendation from VT IT Security Task Force.

• Establish VT issuance procedure.

44

Personal Digital Certificates at VT Personal Digital Certificates at VT How do we know who you are?How do we know who you are?

55

Personal Digital Certificates at VTPersonal Digital Certificates at VT

Challenge: Application Selection• Leave Reports• Grant Proposals• Travel Vouchers• S/MIME e-mail• Various departmental forms• Phone Bills• ~20 more ideas…

66

Personal Digital Certificates at VT Personal Digital Certificates at VT Digital Signatures for Leave Reports: an ambitious

endeavor • All employees (a challenge as well as a plus)• Secure online process improvement• Does not require key escrow• Departments would create their own leave

solutions anyway if we did nothing centrally.• Phased approach. HR required all employees in

a department to sign leave report the same way. • Phase I: IT organization, ~400 employees

77

Personal Digital Certificates at VT Personal Digital Certificates at VT

Sponsorship

• Vice President for Information Technology

• Funding from Executive Vice President

88

Personal Digital Certificates at VT Personal Digital Certificates at VT

Six Projects: A coordination challenge

1. Infrastructure

2. Policy

3. Device Selection

4. Integration

5. Token Administration System

6. Documentation and Communication

99

Personal Digital Certificates at VT Personal Digital Certificates at VT

Infrastructure Project

• Root CA – offline, already in place

• Class 1 Server CA – offline, already in place

• Middleware CA – offline, already in place

• User CA – online, needed to be created

1010

Personal Digital Certificates at VT Personal Digital Certificates at VT

Infrastructure Project

• IBM xSeries 335 and Dell PowerEdge 1850 class servers. Redundant, manual fail-over.

• Redhat Linux• OpenCA 0.9.1 for Root, Class 1 and

Middleware• OpenCA 0.9.2 for User CA

1111

Personal Digital Certificates at VT Personal Digital Certificates at VT

Infrastructure Project

• OpenCA software works as designed.

• 0.9.2 performance increase over 0.9.1.

• Documentation needs work.

• User interface needs work.

• VT end users do not interact with OpenCA.

1212

Personal Digital Certificates at VT Personal Digital Certificates at VT Hardware Security Modules

• 1 offline, 1 online for User CA

• LunaCA3 and LunaSA, FIPS 140-2 Level 3

• Strong multifactor authentication

• CA Administrator uses key token and PIN to access private area of HSM that contains private keys.

• Very secure, but requires m of n people in order to sign or change.

1313

Personal Digital Certificates at VTPersonal Digital Certificates at VT

Policy Project

• VT Certification Policy created before PKI-Lite was completed.

• Modeled on RFC 2527, obsoleted by Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework

• Policy Management Authority created to approve policies, resolve issues.

1414

Personal Digital Certificates at VTPersonal Digital Certificates at VT

Policy Project• Policy Project team drafted CPS, brought

questions to PMA.• User CPS drove development and

administration of Token Administration System (TAS).

• Lengthy process but extremely valuable• VT Internal Audit involved

1515

Personal Digital Certificates at VTPersonal Digital Certificates at VT

Device Selection Project

• Preliminary Work by eProvisioning group

• Form Factor considerations

• Must work on Windows, Macintosh, Linux.

• Integration with Hokie Passport card considered but rejected for now.

1616

Personal Digital Certificates at VTPersonal Digital Certificates at VTDevice Selection ProjectAladdin eToken • Works with I.E., Firefox, Netscape on required

platforms. Safari not supported, but planned.• USB token form factor does not require reader• IT already had purchased a few hundred• More research for phase II. Will eToken hold up?• What form factor for students?• Lost tokens• Installation scripts had to be written to download VT

certificates.

1717

Personal Digital Certificates at VTPersonal Digital Certificates at VT

Integration Project• Digital signature added to existing leave

report application. Sign vs. submit.• Leave information stored in data base• Does not require Adobe Acrobat Pro/Writer• HTML -> PDF -> Base 64 encoded file

signed/stored-> PDF for display.• Web service validates signature.• Workflow for approval

1818

Personal Digital Certificates at VTPersonal Digital Certificates at VT

Digitally signed leave report

• Required close work with HR.

• Departmental phase-in

• Requirement: entire department convert to digital signature

• Exceptions for people on disability leave

• Departmental leave representatives key players

1919

Personal Digital Certificates at VTPersonal Digital Certificates at VT

Digitally signed leave report

• Generated lots of questions about how leave system worked that no one had asked for years.

• How to handle leave that one person enters for another?

• What about people without computers?

• Approvals not based on known supervisory structure.

2020

Personal Digital Certificates at VT Personal Digital Certificates at VT

Token Administration System (TAS)• Issues personal digital certificate (PDC) on

Aladdin eToken• Multiple roles. Procedures documented in

User CPS, approved by PMA• Uses information from VT Enterprise

Directory, not active Directory as did Aladdin administrative tool

• Allows distributed operation• Works great when it works

2121

Personal Digital Certificates at VTPersonal Digital Certificates at VT

Token Administration System (TAS) • LOTS of policy and procedural decisions.• Two-person process

1. Verify identity information using 2 picture IDs and questions.

2. Write certificate and private key onto eToken

• Private key not exported off of token.• Terms and conditions digitally signed by

applicant. No sharing of passwords.• Extension agents at > 100 sites!!!

2222

Personal Digital Certificates at VTPersonal Digital Certificates at VT

Documentation and Communication Project • How do you explain all this? • Project Plans• Web site – “internal use” updates to http://

www.pki.vt.edu/pdc• E-mail communications from VP for IT • FAQs• Knowledge base articles• Scheduling groups to pick up PDCs• Presentations to end users

2323

Personal Digital Certificates at VT Personal Digital Certificates at VT Future Challenges• Phase II of leave report: entire university (6500

employees)– Re-evaluation of device– How to issue PDCs at remote sites?– Employees who do not use computers

• Supporting other applications – E-mail, Word documents– Departmental applications– Two-factor authentication, CAS

• Recognizing VT PDCs outside of VT

2424

Personal Digital Certificates at VT Personal Digital Certificates at VT

Future Challenges• Students (28,000)

– Device selection– Support

• Switching devices requires:– Re-testing– TAS support– New policies/procedures?– New installation scripts– New training

2525

Personal Digital Certificates at VT Personal Digital Certificates at VT

References

• www.pki.vt.edu/pdc

• X.509 specification http://www.ietf.org/rfc/rfc2459.txt

• Educause Effective Security Practice http://www.educause.edu/Browse/705&ITEM_ID=286