TRANSCRIPT
Who Are You? Leveraging PKI for Digital Signatures at Virginia Tech
Mary Dunker, Educause Security Professionals Conference 2008, May 4, [email protected]
Copyright Mary Dunker 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
• What problem are we trying to solve?
• Historical background
• How did we solve it?
• Technology
• Application Selection
• Sponsorship
• Six Projects
• How well did we do?
What problem are we trying to solve?
• Expedite processes by moving them online securely.
• Manage identities securely.
• Reduce paper handling and accumulation.
Background
• 1999 Virginia COTS Privacy, Security & Access workgroup; Governor's executive order 65 on E-government, 2000.
• Commercial solutions very expensive at the time.
• Virginia Tech Certification Authority, PKI, in production, 2003.
How did we solve the problem?
• Virginia Tech has a PKI.
• Digital signatures using Personal Digital Certificates (PDCs) on hardware tokens.
• To replace pen and ink; trust in a personal digital certificate is greater than in an ID/password.
• Increase the level of assurance by using multiple factors and a trusted in-house process.
Initial Application Selection
• Leave Reports
• Research Grant Proposals
• Travel Vouchers
• S/MIME e-mail
• Various departmental forms
• Phone Bills
• ~20 more ideas…
Digital Signatures for Leave Reports: an ambitious endeavor
• All employees (pros and cons)
• Secure online process improvement
• Does not require key escrow
• Departments would create their own leave solutions anyway if we did nothing centrally.
• Phased approach. HR required consistency within a department.
Phase I: IT organization, ~400 employees
Sponsorship
• Vice President for Information Technology
• Funding from Executive Vice President
Six Projects: A coordination challenge
1. Infrastructure
2. Policy
3. Device Selection
4. Integration
5. Token Administration System
6. Documentation and Communication
Six Projects: Personnel required
• Project Coordinator
• Unit managers, developers, project leaders, testers (SETI, IRM, AIS, NI&S)
• Managers and support staff from Student Telecommunications, Help desk
• Human Resources
• Campus input for policy
• Internal Audit
Infrastructure Project
• Hierarchical architecture
• Root CA – offline, already in place
• SSL Server CA, Middleware CA – offline, already in place
• User CA – online, needed to be created
Infrastructure Project
• IBM xSeries 335 and Dell PowerEdge 1850 class servers. Redundant, manual fail-over.
• Red Hat Linux
• OpenCA 0.9.1 for Root, Server and Middleware CAs
• OpenCA 0.9.2 for User CA
Infrastructure Project
• OpenCA software works as designed. Requires expertise.
• 0.9.2 performance increase over 0.9.1.
• Documentation needs work.
• RA Admin interface: approvals
• CA Admin interface: issue cert
• Public interface: submit CSR, search, view CRL
Infrastructure -- Hardware Security Modules
• LunaCA3 (FIPS 140-1 Level 3), LunaSA (FIPS 140-2 Level 3)
• Strong multifactor authentication
• CA Administrator uses key token and PIN to access the private area of the HSM that contains the private keys.
• Very secure; requires 3 of 6 people to access the Root CA
Policy Project
• VT Certification Policy created before PKI-Lite
• Modeled on RFC 2527, obsoleted by RFC 3647
• Policy Management Authority approves policies, resolves issues.
Policy Project
• Policy Project team drafted the Certification Practices Statement, brought questions to the Policy Management Authority.
• User CPS drove development and administration of the Token Administration System (TAS)
• Internal Audit, legal involvement
• Lengthy process but extremely valuable
Device Selection Project
• Preliminary work by eProvisioning group
• Form factor considerations
• Must work on Windows, Macintosh, Linux
• Integration with Hokie Passport card considered but rejected for now.
Device Selected: Aladdin eToken
• FIPS 140-2 Level 3
• IE, Firefox on Windows, Mac & Linux; no Safari
• USB vs. smartcard form factor
• Installation scripts install eToken software, certificate chain
• More research for students
• Will eToken hold up?
Integration: Leave Report
• Digital signature added to existing leave report app
• Leave info stored in database, viewed with browser
• Adobe Acrobat Reader
• HTML -> PDF -> Base64-encoded file signed/stored -> PDF for display.
• Web service validates signature, uses OCSP
• Workflow for approval
Integration: Leave Report
• Close work with HR.
• Departmental phase-in
• Requirement: entire department needed to convert to digital signature
• Departmental leave representatives key players
• Exceptions for people on disability leave
Integration: Leave Report
• Generated questions about the leave system that no one had asked for years.
• How to handle leave that one person enters for another?
• People without computers?
• Approvals not based on known hierarchy
Token Administration System
• Issues personal digital certificate (PDC) on Aladdin eToken
• Uses information from VT Enterprise Directory, not AD
• Multiple admin roles. Procedures documented in CPS, approved by PMA
• Allows distributed operation
• Works great when it works
Token Administration System
• LOTS of policy and procedures
• Two-person enrollment process
  1. Verify identity information using 2 picture IDs and questions
  2. Public/private keys generated on eToken, CSR sent to User CA to issue & sign certificate. Certificate imported onto eToken
• Terms and conditions digitally signed
• Private key not exportable
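The infrastructure, leave-report integration and enrollment slides together describe one flow: a Root CA (offline) issues a User CA (online), the User CA signs the CSR for an employee's personal digital certificate, the employee signs the Base64-encoded leave report, and a web service checks the signature and the certificate chain before the revocation check. The Go program below is an added example, not Virginia Tech's or OpenCA's code; it builds that three-tier hierarchy in memory with ECDSA keys (a software stand-in for the eToken-resident key) and implements both halves of the signing flow. The CA names, serial numbers, validity window and the S/MIME key usage on the PDC are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate for cn signed by parent (self-signed when parent is nil): Root CA (offline) -> User CA (online) -> PDC.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), // constructed validity window
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if !ca { // a PDC signs leave reports and S/MIME mail; it must not be able to issue certificates
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // on an eToken the key is generated on the device and is not exportable
	if parent == nil {
		parent, parentKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey) // error ignored in this example
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignReport is the employee side: sign the Base64-encoded PDF bytes with the PDC's private key.
func SignReport(pdfB64 []byte, key *ecdsa.PrivateKey) []byte {
	h := sha256.Sum256(pdfB64)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	return sig
}

// VerifyReport is the web-service side: the signature must verify under the PDC, and the PDC must chain through the User CA to the Root CA. A CRL/OCSP status check of the PDC would follow a nil result.
func VerifyReport(pdfB64, sig []byte, pdc, userCA, root *x509.Certificate) error {
	if err := pdc.CheckSignature(x509.ECDSAWithSHA256, pdfB64, sig); err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(userCA)
	_, err := pdc.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}
```

A report altered after signing, or one signed with a certificate from outside the hierarchy, is rejected at the signature or chain step respectively, before any revocation lookup is made.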
Documentation and Communication Project
• How do you explain all this?
• Project Plans
• Web site – "internal use": http://www.pki.vt.edu/pdc
• E-mail from VP for IT
• FAQs
• Knowledge base articles
• Scheduling groups to pick up PDCs
• Presentations to users
How well did we do?
• Phase I on time, within budget.
• Issuing certificates went well.
• eToken support for Vista, Intel Mac not available until Fall 2007. Linux support poor.
• Digital signatures on leave reports work great in "normal" circumstances.
• Convenient for travelers
How well did we do?
• Leave balances update differently, led to questions.
• People on leave of absence could not get eTokens.
• Everyone must sign their own leave.
• Supervisors want digital signature approval for a companion form.
Future Challenges
• Phase II of leave report: entire university (6500 employees)
• Issuing at remote sites
• Remote password reset
• Employees without computers
• Supporting other applications
• Two-factor authentication, CAS
• External trust in VTCA
Future Challenges
• Students (28,000)
• Device selection
• Support
• Switching devices requires:
  • Re-testing
  • TAS support
  • New policies/procedures?
  • New installation scripts
  • New training
Future Opportunities
• Investigate EJBCA
• Standards for university use
• Improving security by requiring two-factor authentication
• Using PDCs to "self-service" reset other passwords
• Generic signature applications
References
• www.pki.vt.edu/pdc
• X.509 specification: http://www.ietf.org/rfc/rfc3280.txt
• Educause Effective Security Practice: Developing a Certification Authority for PKI at Virginia Tech, http://www.educause.edu/Browse/705&ITEM_ID=286