Dartmouth PKI Update Robert Brentrup Internet2 Member Meeting April 21, 2004


Page 1:

Dartmouth PKI Update

Robert Brentrup

Internet2 Member Meeting

April 21, 2004

Page 2:

Dartmouth PKI Lab

• R&D to make PKI a practical component of a campus network
• Dual objectives:
  – Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
  – Improve the current state of the art.
• Identify security issues in current products.
• Develop solutions to the problems.
• Sponsored by the Mellon Foundation, Internet2/AT&T, NSF, DHS, Cisco, HP Labs, IBM Research

Page 3:

PKI Implementation

• Commercial CA Software (Sun/iPlanet)
• Sun 250 server
• Single Online CA Server
  – Hardware Key Storage
  – Dedicated Firewall
  – Publishes CRLs and provides OCSP

Page 4:

LDAP Directory

• Maintained from Institutional Systems
  – SIS, HR, Sponsored Guests
• Automated Addition and Deletion
• CA Publishes Certificates and CRLs to LDAP

Page 5:

User Enrollment

• Key Generation by Web Browser
  – Internet Explorer and Netscape/Mozilla
  – Cross platform
  – Software Key and Certificate Storage
• LDAP authorization, self-service
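The issuance and checking flow that pages 3 to 5 describe (an online CA that signs certificates and publishes CRLs, a browser that generates the key pair locally so only the public key reaches the CA, and a relying party that checks the chain and revocation status), as an added example that is not part of this talk or of Dartmouth's deployment. The Sun/iPlanet CA is replaced by a small in-process CA written against Go's standard library, all names are constructed, and publication to LDAP is stood in for by handing the DER-encoded CRL straight to the verifier. Using `CreateRevocationList`/`ParseRevocationList` assumes Go 1.19 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CampusCA stands in for the slides' single online CA: its signing key
// (held in hardware in the real deployment) and the serials revoked so far.
type CampusCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	Revoked []pkix.RevokedCertificate
}

// NewCampusCA creates a self-signed root allowed to sign certificates and CRLs.
func NewCampusCA(name string) (*CampusCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	ca := &CampusCA{key: key}
	ca.Cert, err = x509.ParseCertificate(der)
	return ca, err
}

// Enroll mirrors self-service browser enrollment: the key pair is generated on
// the user's machine and only the public key reaches the CA, which signs a
// one-year client-authentication certificate for it.
func (ca *CampusCA) Enroll(user string, serial int64, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// PublishCRL returns the DER CRL the CA would push to LDAP, valid for one day.
func (ca *CampusCA) PublishCRL(number int64) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(number), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: ca.Revoked,
	}, ca.Cert, ca.key)
}

// Verify is the relying-party side (a web server authenticating a client cert):
// chain to the campus root, then consult the CA-signed CRL, refusing revoked
// certificates and stale CRLs instead of failing open.
func Verify(cert, root *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return fmt.Errorf("chain: %w", err) }
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return fmt.Errorf("crl parse: %w", err) }
	if err := crl.CheckSignatureFrom(root); err != nil { return fmt.Errorf("crl signature: %w", err) }
	if now.After(crl.NextUpdate) { return fmt.Errorf("crl expired; refetch before accepting any certificate") }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate revoked")
		}
	}
	return nil
}

// Scenario enrolls a constructed user, verifies, revokes, republishes the CRL and
// verifies again: nil before revocation, a revocation error afterwards.
func Scenario() (beforeRevoke, afterRevoke error) {
	ca, err := NewCampusCA("Example Campus CA (constructed)")
	if err != nil { panic(err) }
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated client-side
	if err != nil { panic(err) }
	cert, err := ca.Enroll("jane.doe (constructed)", 2, &userKey.PublicKey)
	if err != nil { panic(err) }
	crl, err := ca.PublishCRL(1)
	if err != nil { panic(err) }
	beforeRevoke = Verify(cert, ca.Cert, crl, time.Now())
	ca.Revoked = append(ca.Revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
	if crl, err = ca.PublishCRL(2); err != nil { panic(err) }
	return beforeRevoke, Verify(cert, ca.Cert, crl, time.Now())
}

func main() {
	before, after := Scenario()
	fmt.Println("before revocation:", before, "| after revocation:", after)
}
```

The point worth carrying over to a real deployment is in `Verify`: the CRL is only trusted after its signature checks against the same root, and a CRL past its `NextUpdate` is treated as an error rather than as "nothing revoked", which is the fail-closed behaviour a relying party needs whether the CRL arrives from LDAP, an HTTP distribution point, or (with the same idea applied to responses) OCSP.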

Page 6:

Production Applications

• Web Services Authentication
  – Student Information System
  – Library Journals
  – Business School Portal
  – Software Downloads
  – Course Management System (Blackboard)
• SSL for IMAP Servers
• VPN Authentication

Page 7:

Pilot Applications

• Shibboleth Authentication
• Hardware Key Storage (USB Tokens)
• Secure Mail and List Server
• Document Signatures
  – Acrobat, Office, XML (NIH)
• Wireless Network Authentication
• Application and OS Sign-on with Tokens
• Grids

Page 8:

PKI Deployment Timeline

• Planning late 2001
• Staffing Jan - April 2002
• HW/SW Acquisition began Feb 2002
• CA Installation began June 2002
• Test CA available Sept 2002
• Production CA available Jan 2003
• First Applications
  – Library Jun 2003, Banner Aug 2003

Page 9:

Certificates Issued

• On April 15, 2004
  – 1542 Certificates Issued
  – 749 Unique Individuals
  – 542 Students (10%)
  – 207 Faculty and Staff (8%)
  – 68 Servers, Network Devices and CMS Admin

Page 10:

Devices with Certificates

• Web Server Certificates (18)
  – Sponsored Research System (SRS)
  – Bio-Informatics
  – Eng. Course evaluation system
  – Letters of Evaluation On-line (LEO)
  – Computing Service Internal

Page 11:

Devices with Certificates

• Mail Servers (8)
• Sympa List Server (S/MIME)
• VPN Concentrators (2)
• Grids (2)
  – fMRI, Physics
• Directory Servers (5)
  – LDAP, Active Directory

Page 12:

Rollout Activities

• Integrated user documentation on web, software downloads
• Support staff training and early adopters
• Add PKI functionality in System Updates
• Offer PKI as first authentication option
• Kerberos authentication error messages suggest PKI alternative
• PKI Configuration and SW on Disk images, for public computers and new purchases

Page 13:

Research Projects

• Guest Authentication to Wireless Network
• Open Source CA software
  – Installation, Packaging, Features
• Secure Hardware Applications
  – TPM and IBM 4758
  – Enforcer - Secure Linux Kernel (available at http://enforcer.sourceforge.net)

Page 14:

For More Information

• Dartmouth Support Web: www.dartmouth.edu/~pki
• Dartmouth PKI Lab: www.dartmouth.edu/~pkilab
• PKI Outreach web: www.dartmouth.edu/~deploypki

[email protected]