Esecurity framework-camp-final

Editor's Notes

• #4: Authentication is the assurance that the entity proves that she, he, or it is who it claims to be. Authentication finds application in two contexts: entity identification and data origin identification. Entity identification serves merely to identify the specific entity involved and is independent from whatever activity the entity wishes to perform. The process of entity identification usually produces a concrete result that can be used to enable other activities or communications. For example: the process of identifying an entity may unlock a symmetric key that can then be used to decrypt a file or to subsequently authenticate the entity to a remote environment. Data origin identification recognises a specific entity as the source of a given piece of data, regardless of any subsequent activities that the entity may engage. Integrity is the assurance to an entity that data has not been undetectably modified, either intentionally or unintentionally, between here and there or between then and now. PKI provides the means to ensure data integrity in a transparent fashion. Confidentiality is the assurance of data privacy. No one can read a piece of data except for the intended receiver entity (or entities).
• #5: In 1976 Diffie and Hellman developed a new concept known as public-key cryptography[1], also called Diffie-Hellman encryption or asymmetric encryption. Asymmetric encryption uses two keys instead of one key (symmetric encryption[2]). In public-key cryptography two keys are used, public and private keys. These keys are different but also related in a way that only the corresponding private key can decrypt a message encrypted with the corresponding public key. Theoretically given enough computing power a private key may be derived from a public key. In practice not many organisations have enough resources to attempt this. [1] W. Diffie and M. Hellman, “New Directions in Cryptography”, IEEE Transactions on Information Theory, Vol 22, No 6, November 1976, pp.644 [2] In Symmetric encryption the same key is used to encrypt and decrypt a piece of data. For example the sender and the receiver ‘share a secret’ in the form of a password which they have exchanged in advance. The message is encrypted with the sender's key and the recipient decrypts the message using the same key.
• #6: The CA vouchsafes for the binding of the entities’ identity and its key par.
• #7: Digital Signature is similar to a handwritten signature where one entity can sign some data, but many entities can read the signature and verify its accuracy. In the digital signature process a private-key operation is performed on data in which the resulting value is a signature. This signature can than be verified by using the corresponding public-key.
• #8: Digital certificate is similar to an electronic "credit card" that establishes your credentials when doing business or other transactions over unsecured networks. It is issued by a certification authority (CA). It contains a users name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to the X.509 standard. X.509 standard defines a standard certificate format for public key certificates and certification validation.
• #9: CA: certifies the public key/identity by digitally signing a data structure that contains some representation of the identity and a corresponding public key. A CA is a critical component of many large-scale PKI and is responsible for issuing these public key certificates. A CA can take on a number of different representations depending on the trust model embodied by that CA. This will be discussed in detail later. RA: support the CA in the end-entity registration requirements. A given RA may perform a number of tasks, such as establishing and confirming the identity of an individual seeking to obtain a public-key certificate, initiating a certification process with a CA on behalf of the end-user, performing certain key/certificate life-cycle management functions. CP: is a collection of rules that indicate the applicability of a certificate to a particular community or class of application with common security requirements. CP is high-level document that describes requirements and limitations associated with the proposed use of the certificates issued under such a policy. CPS: a statement of the practices which a certification authority employs in issuing certificates. is a detailed document that describes internal operating procedures of the CA. It often contains very sensitive information about the CA operation. PMA’s primary responsibility is to manage the CP/CPS documents. The PMA provides points of contact for insiders – relying parties and subscribers in its PKI. The PMA also provides points of contact for external entities – other PKI PMA’s, potential new members or relying parties.
• #11: The eSecurity Framework is a follow on project of its predecessor CAUDIT PKI, that aimed at an interoperability and capability study of PKI for the higher education sector. Its main objective was to enable collaboration among universities, while keeping a closer look at infrastructures used elsewhere to maintain interoperability with other PKI initiatives around the world. This pilot developed initial draft policies and a prototype system. The eSecurity Framework is funded by DEST, The University of Queensland is the lead institution with support from AusCERT, MAMS, CAUDIT, APAC (via VPAC) and Aarnet.
• #12: The main objectives of this project include: Develop a PKI that could be taken into production for the HE and research sector. Reduce the costs of PKI uptake by producing documentation that can be used by universities, sharing lessons learnt and supporting the community. Establish a PKI and Shibboleth alignment drawing on the expertise developed by the MAMS project and developing a common trust federation for the sector. Integrate the GRID community needs with PKI and Shibboleth by working closely with the GridShib project.
• #13: A focal point of this project is to further develop the collaboration and interoperation study that was set in motion last year with the CAUDIT PKI project. We intend to further develop and strengthen the trust fabric between Higher Education sector, Research Institutions and AusCERT. We are developing a PK Infrastructure which will be the medium to enable this trust fabric. We are developing a capability study based on the HE needs that will serve as a base to further develop policies, practices and standards which will be made available to the community. We are also drawing on developments from other successful PKI implementations at national and international levels to avoid retro-fitting and to ensure interoperability with other PKIs.
• #14: A Federation is formed by organisations or a community that have common goals and objectives. They agree on a set of rules and follow them. Depending on the federation institution’s rules can be mapped against the federation rules. In general there is a body that oversees its management and ensures compliance to these rules by the community.
• #15: Trust seems to be a common denominator between implementations such as PKI, Shib or Grid Services.
• #16: A vision of the future is that one would be able to put into operation an Australian Higher Education and Research Federation that would support and address the sector needs for cooperation and interoperation. While there are a number of independent initiatives trying to address the HE and Research requirements it would make sense to have one infrastructure encompassing all initiatives and avoid doubling up work. An alternative of what it would look like is shown in this diagram: the AHERCA, the Grid Computing Federation and the MAMS Federation. In such federation there would be a body to oversee the policies management which would allow anyone in this federation to know who the members of the federation are and what process was used to identify these individuals.
• #17: The near future awaits us with a number of challenges to be faced, for this architecture to be refined and adjusted to the HE and Research sector needs we must further develop the trust fabric and implement the trust model. This can only be done with the support and input from the sector. We have created a mailing list and a wiki to facilitate the dissemination and sharing of information and we would like expressions of interest from institutions that would like to participate in this project. We are looking into ways to keep the costs minimal for institutions to participate in this federation and we’ll make available guidelines, policies and procedures to be used as a starting point by institutions. John will now present the second part of this presentation on the tests we’ve been doing with Grid Computing.
• #19: There are a few concepts that we need to understand in order to enable the What is a trust fabric? It is an exercise in understanding human behaviour and how they relate and what makes one individual trust another. Trust model on the other hand can only enhance an existing Trust Fabric. Technology cannot develop a trust fabric as it is based on human behavior, rules and relationships.
• #20: The next slides explain definitions of trust from diverse view points, they are here for completeness. According to ITU (International Telecommunication Union)’s recommendation on public key and attribute certificate framework: An entity trusts a second entity when it believes the second entity will behave exactly as expected by the first entity, and it may apply only for a specific function. In the case of authentication a relationship between an entity and an authority are created, where the entity expects the authority to create valid and reliable certificates.
• #21: The next slides explain definitions of trust from diverse view points, they are here for completeness. According to ITU (International Telecommunication Union)’s recommendation on public key and attribute certificate framework: An entity trusts a second entity when it believes the second entity will behave exactly as expected by the first entity, and it may apply only for a specific function. In the case of authentication a relationship between an entity and an authority are created, where the entity expects the authority to create valid and reliable certificates.
• #22: According to the Online Ethics center for engineering and science, trust is defined as confident reliance, one not only believes and expects a predictable behaviour, but also relies on them.
• #25: What does trust mean to the HE sector and research community for the purpose of this project? Basically the community agrees on a set of rules that everyone is comfortable to follow. Everyone benefits from this trust and are willing to work towards a common goal. We choose to rely on each other as a community and support each other, by choosing to trust the identification process used by the HE sector in general.
• #26: What do we need to ‘trust’? Firstly we identify the community willing to develop the trust fabric. Which in our case is straight forward: All Australian and New Zealand Higher Education and Research Sectors About 53+ Institutions formed by peer institutions About 1,000,000+ people spread within these institutions.
• #27: What else do we need? We must identify and further develop commonality in this community. It has to be relevant to the community otherwise, why bother. This needs to inspire confident predictability, the way it works for me is the same way it works for you, and the way it works today is the same way it will work tomorrow and after tomorrow and so on. It has to be transparent and auditable.
• #28: We now must consider some engineering issues: Has to be simple Complex things break easily Complex things don’t get implemented Has to be inclusive Must cover full spectrum of possibilities within the community Has to have minimal impact on an institution’s business process Institutions don’t like being told what to do Has to be flexible to fit an institution’s particular “uniqueness”.
• #29: The trust fabric commonality proposed is based on the strength of the identification process. It must be simple – it is based on Australian Law and Breeder Documents, such as the ‘Identification Record for a Signatory to an Account ‘ and must support Identity management, as it is part of any institution. Should cause minimal impact on institutions as it Only measures the strength of an institution’s identification process. Doesn’t change it An Institution can pick and choose what it wants to implement
• #30: The Authentication Process and Authorization Process are agnostic. The identification process is independent of Technology and requires support Processes and Practices to complete the whole picture: For PKI needs CP/CPS For Shibboleth needs Federation Participation Agreements InCommon MAMS Federation (http://federation.org.au)
• #31: Why are we focussing on identity? Because it is the base for trust, if you don’t know who you are trusting chances are you will not trust him/her. This is also where all starts going wrong. We agree that we are trying to protect valuable information for the sector. To reach that information an authorization process is in place and access is granted based on users attributes, before the authorisation takes place a user must authenticate providing evidence of possession of credential. But before one can authenticate one must proffer ones identity via an identification process, in which a credential is issued. There are cracks on the identification process, authentication process and authorization process and that is why we must have a reliable way to determine the strength of ones Identity.
• #32: Obviously Institutions have their own processes to identify individuals’ identities. What we would like to do is to be able to apply a metric to the identification process. For example what are the types of identification that we could use: No identification process Use another’s identification process that you trust, for example QTAC You do the identification process yourself For this trust fabric no one will opt for the ‘no identification process’ for obvious reasons. When doing your own identification process it makes sense to base it on the Australian Financial Transaction Record that is unquestionably accepted by anyone in Australia. We than consider individuals that accrue less than 100 points, 100 points and more than 100 points. This can easily be mapped into the certification levels as shown on this diagram.
• #33: This diagram is an example of how the identity check will be carried on for the different certification levels. For level 1 there will be no proactive check in the presence of an RA. For level 2 the subject must provide proof of identity by in-person appearance to an RA. Accrues less than 100 points For level 3 the subject is required to provide proof of identity by an in-person appearance to the RA. That proof should accrue to at least 100 points of identity. For level 4 the subject is required to provide the same information for Level 3 certification in addition to a positive check to be conducted by an appropriate external agency. One of the fundamental issues with any successful PKI implementation centres on the identity of the end user, or entity and how well this identity has been checked and verified. As mentioned previously, one of the main virtues of X.509 certificates is the integrity of the binding of a name to a public key and the vouchsafing of this binding by a trusted third party, namely the CA. However, the identification of end entities is fraught with various problems; especially so in the education arena. Issues such as privacy arise and finding a balance between usability and privacy can be challenging. While it is usually the case that an institution has a good understanding of the identity of its staff (at least staff on its payroll), it may not be so assured about the identity of its students. Also there exists a class of people within a typical institution’s circle that are neither paid staff or fee-paying student but never the less require access to resources that involve PKI or protected by PKI. This pilot has several levels of identity certification that correspond only to the strength of the identification process of the end entity[1] and not what they are or what they do within the institution. (Each level will also correspond to a different signing private key for the appropriate CA). Moreover we also propose to base the identification process on the Australian 100 points of identity system[2] and have a modified version of Form 201 (http://www.austrac.gov.au/guidelines/forms/201.pdf) which end users are required to fill out and sign in the presence of a RA. It is proposed that four levels of certification be considered for the production of the CAUDIT PKI. [1] This is a well known technique to address this problem and several well known CA’s employ it. [2] See Financial Transaction Reports Act 1988 and Financial Transaction Reports Regulations 1990.
• #40: AusCERT Root CA plans to cross-certify with national, international and global PKIs, such as HEBCA.
• #50: 8 CAs on a single host - multiple completely separate installations of OpenCA and a bunch of <Location> directives to identify each of these Certificate Authorities. Given the significant overlap in these, there is a locally developed meta-build system that takes some configuration files which read templates - from these, the installation OpenCA templates are constructed and when OpenCA is configured locally, these templates build the local runtime configuration files for the OpenCA installation(s).
• #52: The highlighted commands are ones that I plan to specific mention later. OCSP - Online Certificate Status Protocol RFC2560
• #53: The pkcs8 command processes private keys in PKCS#8 format. It can handle both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms. PKCS#10 files are the certificate signing request - the initial request that is generated to begin the process of obtaining a Public-Key certificate. It contains a signed request with a list of desired attributes. The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example. PKCS#11 is the protocol used to communicate with hardware cryptographic devices such as smartcards and other tokens. OpenSSL provides a mechanism to extend its support of different vendor products via the ‘openssl engine’ cryptographic engine plugin. PKCS#12 files are typically used to securely transfer full certificate information (key, certificate and full certificate chain) in an encrypted manner. PFX, p12 and pkcs12 files are normally also used in browsers and email clients such as MSIE and MS Outlook, Mozilla/Thunderbird and Firefix and Apple Keychain.
• #55: Passphrase (to encrypt the private key) and a whole bunch of entries regarding the certificate identity you are requesting. Country Name, State/Province, Locality/City, Organisation Name, OrgUnit Name, YOUR NAME (or that of the end entity for this certificate) and an Email Address. It will also request a challenge password and an optional company name.
• #71: Reducing overhead to entry
• #72: Explain what feature we want to support in the clients and what is available. What are the X509 Extensions available? How they are proven to work? MS CAPI versus other verfication and validation methods. Authority Information Access The AIA extension allows the certificate user to obtain a current copy of the CAs current certificate. CA certificates are required when a certificate chain is built. Chain building is performed as part of the certificate verification process. When you configure AIA extensions, use the same attention to detail that you use when you configure CRL distribution point extensions. See the following example for more information about the AIA extension in a certificate.