PKIX BASED CERTIFICATION INFRASTRUCTURE
IMPLEMENTATION ADAPTED TO NON PERSONAL END
ENTITIES
Jacob E., Liberal F., Unzilla J.
{jtpjatae, jtplimaf, jtpungaj}@bi.ehu.es
Department of Electronics and Telecommunications
Faculty of Engineering
University of the Basque Country
Bilbao (Spain)
http://det.bi.ehu.es/git
SUMMARY
INTRODUCTION
MAIN GOALS
IMPLEMENTATION
STATUS OF THE PROJECT
SYSTEM ARCHITECTURE
WAY OF OPERATION
FUTURE WORK
Introduction
Need to set trust agents => PKI: certification services
Background:
Oriented to end users => www
Inflexibility, interface-processing dependence
Lack of interoperability
Results => PKIs have been replaced by other systems: ssh, PGP, “home made” SSL
Proposed system
PKIX
Automate standard interfaces
Specific application scope
Main Goals
Speed up procedures
Guarantee scalability/interoperability
Make services more flexible
Ease user’s access
Provide mechanisms for new services
Develop a fully-functional PKI system
General Architecture
[Diagram. Entities: PKI users (END ENTITY, EE); PKI management entities (RA, CA, other CA); CRLs and certificates repository. Flow labels: operational and management transactions; management transactions; publish certs and CRLs. Role labels: register EEs, authenticate, forward requests; register RAs; operations with certs.]
Way of operation: Registration I
[Diagram. Labels: RA operator; RA; commands; answers; ACKs; administrative data; cert. types; ID; password; NEWUSER.]
Way of operation: Registration I.a
[root@afrodita /root]# iradop -f raOperator.pem ra1.ipkix.com
iradop V1.0 iPKIX 2001 (C) Fidel Liberal Malaina [email protected]
OP-> adduser
ACK
OP-# username Fidel Liberal Malaina
ACK
OP-# Fidel Liberal Malaina
ACK
OP-# C/Portal de Vitoria 30 1º izda
ACK
.......
ACK
OP-# admindataend
ACK
OP-# certtype 1
CERTINFO_COUNTRYNAME_MODE
OP-# CERTINFO_COUNTRYNAME_MODE ES
CERTINFO_STATEORPROVINCENAME_MODE
OP-# CERTINFO_STATEORPROVINCENAME_MODE Álava
CERTINFO_LOCALITYNAME_MODE
OP-# CERTINFO_LOCALITYNAME_MODE Vitoria
CERTINFO_ORGANIZATIONALUNITNAME_MODE
OP-# CERTINFO_ORGANIZATIONALUNITNAME_MODE Certificados
CERTINFO_COMMONNAME_MODE
OP-# CERTINFO_COMMONNAME_MODE Fidel Liberal Malaina
CERTINFO_RFC822NAME_MODE
OP-# CERTINFO_RFC822NAME_MODE [email protected]
.......
SENDERKID KJSDFNAKJ23HKASDASDFLJ
PASSWORD ASINL345V54561FASV014F
OP-# COMMIT
ACK
OP->
Way of Operation: Registration II
[Diagram. Labels: End User; Registration Authority; ID, CMP, PASS. End-user side blocks: applications with PKIX support; crypto support; adaptation layer; operations with certificates; check certificates; secure connections management; download certificates; general functions (certificates management).]
Way of Operation: Registration II.a
[Diagram. Labels: Registration Authority; ID, CMP, PASS; administrative data.]
Way of Operation: Registration II.b
[Diagram. Labels: Registration Authority; ID, CMP, PASS; pre-requests; send to CA; RA; CA.]
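How an RA could check an end entity's request against the pre-request created by the operator session (SENDERKID and PASSWORD) before forwarding it to the CA, as an added example that is not the project's code. It assumes the request is protected with the PasswordBasedMac scheme of RFC 4210, with SHA-256 chosen here, single-use credentials, and hypothetical names (PRE_REQUESTS, protect, ra_accept); the request body is opaque constructed bytes.

```python
import hashlib
import hmac
import secrets

# Constructed pre-request table, as an operator's "adduser ... COMMIT" might
# leave it: sender KID -> one-time password and the certificate type granted.
PRE_REQUESTS = {
    b"KID-EXAMPLE-0001": {"password": b"constructed-one-time-secret", "certtype": 1},
}


def pbm_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 4210 PasswordBasedMac key: hash (password || salt), then re-hash."""
    key = hashlib.sha256(password + salt).digest()
    for _ in range(iterations - 1):
        key = hashlib.sha256(key).digest()
    return key


def protect(sender_kid: bytes, password: bytes, body: bytes) -> dict:
    """End-entity side: MAC the request with the key derived from PASS."""
    salt, iterations = secrets.token_bytes(16), 1000
    # sender_kid + body stands in for the DER-encoded protected part of a PKIMessage.
    mac = hmac.new(pbm_key(password, salt, iterations), sender_kid + body,
                   hashlib.sha256).digest()
    return {"sender_kid": sender_kid, "salt": salt, "iterations": iterations,
            "body": body, "mac": mac}


def ra_accept(request: dict, pre_requests: dict, max_iterations: int = 100_000):
    """RA side: return the matched certtype, or None if the request is refused."""
    entry = pre_requests.get(request["sender_kid"])
    if entry is None or not 1 <= request["iterations"] <= max_iterations:
        return None  # unknown ID, or an iteration count chosen to stall the RA
    key = pbm_key(entry["password"], request["salt"], request["iterations"])
    expected = hmac.new(key, request["sender_kid"] + request["body"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, request["mac"]):
        return None  # wrong password or altered body; pre-request stays open
    del pre_requests[request["sender_kid"]]  # assumption: credential is single use
    return entry["certtype"]  # caller forwards the body to the CA for this type
```
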
Way of Operation: Registration III
[Diagram. Labels: Certification Authority; ID, CMP; authorized RAs; certificates; send back to RA; store in repository; RA; CA; repository.]
Implementation
Linux O.S.
Daemon servers in C language
Pthreads (Posix threads)
MySQL DBMS
cryptlib © cryptographic library
OpenLDAP
Implementation: RA
[Diagram of the irad daemon. Labels: PKIX access: management protocols (CMP), OCSP; control module; request states registry; administration registry; administrator module; operator module; PSE storage and access; operator interface; administrator interface; requests to CA; request queries; adminis. data; queries functions; access control; serving threads; requests.]
Implementation: RA II
irad.log
SSL ADMIN. CONNECTION
DEBUGLOG
#DEBUG1: Debug thread created
#DEBUG1: Creating CMPSpareServer 0, line 166
#DEBUG3: Adding node to general list
#DEBUG3: Adding node to idle list
#DEBUG3: Number of CMP threads created: 1
#DEBUG3: Number of CMP threads idle: 1
#DEBUG3: Adding node to general list
#DEBUG3: Adding node to idle list
#DEBUG3: Number of CMP threads created: 2
#DEBUG3: Number of CMP threads idle: 2
#DEBUG1: Creating CMPSpareServer 1, line 166
#DEBUG1: Creating OCSPSpareServer 0
#DEBUG3: Adding node to general list
#DEBUG3: Adding node to idle list
#DEBUG3: Number of OCSP threads created: 1
#DEBUG3: Number of OCSP threads idle: 1
#DEBUG1: Creating OCSPSpareServer 1
#DEBUG3: Adding node to general list
#DEBUG3: Adding node to idle list
#DEBUG3: Number of OCSP threads created: 2
Implementation: CA
[Diagram of the icad daemon. Labels: “RAs” server; certificate state registry; operator module; admin. module; certificator; periodical CRLs submission; PSE access and storage; requests from RAs; publish CRLs; operator interface; administrator interface.]
AUTOMATED OPERATION!!
Status of the project
10.000 C code lines
Functional system integrating RA and CA in one
RA server, operator and administrator clients and Java© front-ends
cryptlib © library
Advantages:
Ease of use due to standardized interfaces (cryptSetAttribute(), CRYPT_CERTIFICATE, CRYPT_SESSION...)
Development period short
Disadvantages:
Very high-level interface:
Development period longer for specific projects
Lack of low-level documentation => ~reverse engineering, bootstrapping.
Network support
MySQL support
Future work
Adapt PSE access modules to hardware devices, such as smartcards, crypto-tokens…
Integration with other certification systems like PGP.
Inclusion of attribute certificates.
Development of Windows© family client libraries.
Integration of certificate services.
A real application?