Who Are You? Leveraging PKI for Digital Signatures at Virginia Tech Mary Dunker Educause Security Professionals Conference 2008 May 4, 2008 dunker@vt.edu


Page 1: Who Are You? Leveraging PKI for Digital Signatures at Virginia Tech

Mary Dunker
Educause Security Professionals Conference 2008
May 4, 2008
dunker@vt.edu

Copyright [your name] [year]. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2: Who Are You? Leveraging PKI for Digital Signatures at Virginia Tech

Copyright Mary Dunker 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 3: Who Are You?

• What problem are we trying to solve?
• Historical background
• How did we solve it?
• Technology
• Application Selection
• Sponsorship
• Six Projects
• How well did we do?

Page 4: What problem are we trying to solve?

• Expedite processes by moving them online securely.
• Manage identities securely.
• Reduce paper handling and accumulation.

Page 5: Background

• 1999 Virginia COTS Privacy, Security & Access workgroup, Governor’s executive order 65 on E-government, 2000.
• Commercial solutions very expensive at the time.
• Virginia Tech Certification Authority, PKI, in production, 2003.


Page 7: How did we solve the problem?

• Virginia Tech has a PKI.
• Digital signatures using Personal Digital Certificates (PDCs) on hardware tokens.
• To replace pen and ink; trust in personal digital certificate is greater than ID/Password.
• Increase level of assurance by using multiple factors and trusted in-house process.

Page 8: Initial Application Selection

• Leave Reports
• Research Grant Proposals
• Travel Vouchers
• S/MIME e-mail
• Various departmental forms
• Phone Bills
• ~20 more ideas…

Page 9: Digital Signatures for Leave Reports: an ambitious endeavor

• All employees (pros and cons)
• Secure online process improvement
• Does not require key escrow
• Departments would create their own leave solutions anyway if we did nothing centrally.
• Phased approach. HR required consistency in dept.

Page 10: Phase I: IT organization, ~400 employees

Sponsorship

• Vice President for Information Technology
• Funding from Executive Vice President

Page 11: Six Projects: A coordination challenge

1. Infrastructure
2. Policy
3. Device Selection
4. Integration
5. Token Administration System
6. Documentation and Communication

Page 12: Six Projects: Personnel required

• Project Coordinator
• Unit managers, developers, project leaders, testers SETI, IRM, AIS, NI&S
• Managers and support staff from Student Telecommunications, Help desk
• Human Resources
• Campus input for policy
• Internal Audit

Page 13: Infrastructure Project

• Hierarchical architecture
• Root CA – offline, already in place
• SSL Server CA, Middleware CA – offline, already in place
• User CA – online, needed to be created

Page 14: Infrastructure Project

• IBM xSeries 335 and Dell PowerEdge 1850 class servers. Redundant, manual fail-over.
• Red Hat Linux
• OpenCA 0.9.1 for Root, Server and Middleware
• OpenCA 0.9.2 for User CA

Page 15: Infrastructure Project

• OpenCA software works as designed. Requires expertise.
• 0.9.2 performance increase over 0.9.1.
• Documentation needs work.
• RA Admin interface: approvals
• CA Admin interface: issue cert
• Public interface: submit CSR, search, view CRL

Page 16: Infrastructure -- Hardware Security Modules

• LunaCA3 (FIPS 140-1 Level 3), LunaSA (FIPS 140-2 Level 3)
• Strong multifactor authentication
• CA Administrator uses key token and PIN to access private area of HSM that contains private keys.
• Very secure; requires 3 of 6 people to access Root CA

Page 17: Policy Project

• VT Certification Policy created before PKI-Lite
• Modeled on RFC 2527, obsoleted by RFC 3647
• Policy Management Authority approves policies, resolves issues.

Page 18: Policy Project

• Policy Project team drafted Certification Practices Statement, brought questions to Policy Management Authority.
• User CPS drove development and administration of Token Administration System (TAS)
• Internal Audit, legal involvement
• Lengthy process but extremely valuable

Page 19: Device Selection Project

• Preliminary Work by eProvisioning group
• Form Factor considerations
• Must work on Windows, Macintosh, Linux
• Integration with Hokie Passport card considered but rejected for now.

Page 20: Device Selected: Aladdin eToken

• FIPS 140-2 Level 3
• Internet Explorer, Firefox on Windows & Mac & Linux; no Safari
• USB vs. smartcard form factor
• Installation scripts install eToken software, certificate chain
• More research for students
• Will eToken hold up?

Page 21: Integration: Leave Report

• Digital signature added to existing leave report app
• Leave info. stored in database, viewed w/browser
• Adobe Acrobat Reader
• HTML -> PDF -> Base64-encoded file signed/stored -> PDF for display.
• Web service validates signature, uses OCSP
• Workflow for approval
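
The sign, store and validate steps of the leave-report slide above, as an added example that is not code from the presentation or from Virginia Tech. Assumptions: the Python `cryptography` package, ECDSA P-256 keys held in software rather than on an eToken, constructed names and serial numbers, and a set of revoked serials standing in for the OCSP query; certificate validity dates are not checked here.

```python
import base64
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ECDSA = ec.ECDSA(hashes.SHA256())  # assumption: the deck names no algorithm

def issue_cert(subject_cn, subject_key, issuer_cn, issuer_key, serial):
    """Issue a constructed test certificate (stand-in for the User CA)."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=365))
            .sign(issuer_key, hashes.SHA256()))

def sign_report(pdf_bytes, signer_key):
    """Base64-encode the rendered report and sign exactly the bytes stored."""
    stored = base64.b64encode(pdf_bytes)
    return stored, signer_key.sign(stored, ECDSA)

def validate(stored, signature, cert, ca_cert, revoked_serials):
    """Return 'valid' or the reason a stored report is rejected."""
    try:  # 1. signer's certificate must be signed by the trusted CA key
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ECDSA)
    except InvalidSignature:
        return "untrusted issuer"
    if cert.serial_number in revoked_serials:  # 2. stand-in for the OCSP query
        return "certificate revoked"
    try:  # 3. signature must cover the exact bytes that were stored
        cert.public_key().verify(signature, stored, ECDSA)
    except InvalidSignature:
        return "signature does not match stored report"
    return "valid"

def demo():  # constructed cases: good, revoked, altered, rogue issuer
    ca_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca = issue_cert("Example User CA", ca_key, "Example User CA", ca_key, 1)
    user = issue_cert("Example Employee", user_key, "Example User CA", ca_key, 1001)
    rogue = issue_cert("Example Employee", user_key, "Example User CA", user_key, 1002)
    stored, sig = sign_report(b"%PDF-1.4 constructed leave report", user_key)
    return [validate(stored, sig, user, ca, set()),
            validate(stored, sig, user, ca, {1001}),
            validate(stored + b"A", sig, user, ca, set()),
            validate(stored, sig, rogue, ca, set())]
```

Calling `demo()` returns one verdict per constructed case; the rogue certificate carries the CA's name as issuer but fails because the check is against the CA's key, not the name.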

Page 22: Integration: Leave Report

• Close work with HR.
• Departmental phase-in
• Requirement: entire department needed to convert to digital signature
• Departmental leave representatives key players
• Exceptions for people on disability leave

Page 23: Integration: Leave Report

• Generated questions about leave system that no one had asked for years.
• How to handle leave that one person enters for another?
• People without computers?
• Approvals not based on known hierarchy

Page 24: Token Administration System

• Issues personal digital certificate (PDC) on Aladdin eToken
• Uses information from VT Enterprise Directory, not AD
• Multiple admin roles. Procedures documented in CPS, approved by PMA
• Allows distributed operation
• Works great when it works

Page 25: Token Administration System

• LOTS of policy and procedures
• Two-person enrollment process
  1. Verify identity information using 2 picture IDs and questions
  2. Public/private keys generated on eToken, CSR sent to User CA to issue & sign certificate. Certificate imported onto eToken
• Terms and conditions digitally signed
• Private key not exportable

Page 26: Documentation and Communication Project

• How do you explain all this?
• Project Plans
• Web site – “internal use” http://www.pki.vt.edu/pdc
• E-mail from VP for IT
• FAQs
• Knowledge base articles
• Scheduling groups to pick up PDCs
• Presentations to users

Page 27: How well did we do?

• Phase I on time, within budget.
• Issuing certificates went well.
• eToken support for Vista, Intel Mac not available until Fall, 2007. Linux support poor.
• Digital signatures on leave reports work great in “normal” circumstances.
• Convenient for travelers

Page 28: How well did we do?

• Leave balances update differently, led to questions.
• People on leave of absence could not get eTokens.
• Everyone must sign their own leave.
• Supervisors want digital signature approval for a companion form.

Page 29: Future Challenges

• Phase II of leave report: entire university (6500 employees)
• Issuing at remote sites
• Remote password reset
• Employees without computers
• Supporting other applications
• Two-factor authentication, CAS
• External trust in VTCA

Page 30: Future Challenges

• Students (28,000)
• Device selection
• Support
• Switching devices requires:
  • Re-testing
  • TAS support
  • New policies/procedures?
  • New installation scripts
  • New training

Page 31: Future Opportunities

• Investigate EJBCA
• Standards for university use
• Improving security by requiring two-factor authentication
• Using PDCs to “self-service” reset other passwords
• Generic signature applications

Page 32: References

• www.pki.vt.edu/pdc
• X.509 specification http://www.ietf.org/rfc/rfc3280.txt
• Educause Effective Security Practice: Developing a Certification Authority for PKI at Virginia Tech http://www.educause.edu/Browse/705&ITEM_ID=286