X.509 at the University of Michigan. Project Goals presentation

Contents

Project Goals
Transparent Web Authentication
Eliminate password prompts
Lotus Notes Authentication
Position for inter-institution Authentication

Slide 1: X.509 at the University of Michigan
CIC-RPG Meeting, June 7, 1999
Kevin Coffman (kwc@umich.edu)
Bill Doster (billdo@umich.edu)

Slide 2: Project Goals
Transparent Web Authentication
Eliminate password prompts
Lotus Notes Authentication
Position for inter-institution Authentication


Slide 3: Non-Goals
Not a complete PKI
Not to be used for document signing
Not to be used for encryption
Not a complete replacement of the current cookie method

Slide 4: Why X.509?
An accepted standard
Application support out of the box
Web servers, web browsers, directory servers, IMAP servers, etc.
Allows the possibility for inter-institution authentication
No need for N²-1 cross-realm trusts

Slide 5: Description
Use short-term (approximately 1 day) certificates - "Junk Keys"
Obtain certificates securely
For Authentication ONLY!
Use OpenSSL for creating and signing certificates

Slide 6: Why "Junk Keys"?
Revocation becomes a non-issue
Private Key storage is less an issue
Certificate publication for sharing is not necessary
Certificate management is less critical

Slide 7: Drawbacks
Cannot be used for signing or encryption
Not possible to verify certificate via LDAP

Slide 8: Options for obtaining the CA's Certificate
Bake it into browsers we distribute
Via a web interface using SSL and Verisign Certificate
Store it in the file-system


Slide 9: Obtaining CA Certificate via Web
[Diagram] CA: Apache + OpenSSL + Scripts + Verisign Certificate. Browser: Netscape or Internet Explorer. The CA's certificate is delivered from the CA to the browser.
Green lines imply SSL Protected

Slide 10: Options for obtaining the User Certificate
Via a web-based interface [ SSL ]
PAM / GINA / Login [ TGT or SSL ]
Standalone program [ TGT (or SSL) ]
Leave it up to application [ TGT (or SSL) ]

Slide 11: Obtaining User Certificate via Web (Netscape)
[Diagram] Exchange between the Netscape Browser and the Web server / CA:
User selects URL
Web server / CA asks: ID and password??
Browser sends: ID and password
Web server / CA: Verify identity; Lookup full name; Lookup Entity ID
Web server / CA sends: keyGen
Browser: Generate key pair and store keys; sends Public Key
Web server / CA: Generate and Sign Certificate; sends Signed Certificate
Browser: Store Certificate


Slide 12: Obtaining User Certificate via Web (IE part 1)
[Diagram] Exchange between the Internet Explorer Browser and the Web server / CA (ieReq.pl):
User selects URL
Web server / CA asks: ID ??
Web server / CA: Send a VBScript asking for user's unique ID


Slide 13: Obtaining User Certificate via Web (IE part 2)
[Diagram] Exchange between the Internet Explorer Browser and the Web server / CA (ieGenReq.pl):
Browser sends: ID (uniqname)
Web server / CA: Lookup full name; Lookup Entity ID
Web server / CA: Generate VBScript to create key pair and PKCS #10 request
Web server / CA asks: password ??
Browser: Run VBScript to generate key pair and PKCS #10 request


Slide 14: Obtaining User Certificate via Web (IE part 3)
[Diagram] Exchange between the Internet Explorer Browser and the Web server / CA (ieTreatReq.pl):
Browser sends: password + PKCS #10
Web server / CA: Check password
Web server / CA: Generate certificate and wrap it in PKCS #7 format
Web server / CA: Generate VBScript to accept PKCS #7
Web server / CA sends: PKCS #7
Browser: Run VBScript to accept PKCS #7
Phew! Done!
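The deck's whole CA-side procedure, as an added example that is not from the slides: a PKCS #10 request is signed for one day only, wrapped in PKCS #7, and then checked with the verifier's clock moved forward, which shows why revocation is a non-issue for "junk keys" (slides 5, 6, 13 and 14). It assumes the openssl command-line tool is installed; the CA and user names, file paths and WORK directory are constructed for the example.

```shell
# Added example, not part of the original presentation.
# Assumes the openssl CLI; all subject names and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/O=Example University/CN=Example Junk-Key CA"
USER_SUBJ="/O=Example University/CN=jdoe"

# One-off CA key and self-signed CA certificate (the "Web server / CA" box).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "$CA_SUBJ" 2>/dev/null
}

# Client side: generate a key pair and a PKCS #10 request (slide 13).
# The slides keep the key in the browser's store; here it is a plain file.
make_request() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/user.key" \
    -out "$WORK/user.csr" -subj "$USER_SUBJ" 2>/dev/null
}

# CA side: sign the request for one day and wrap it in PKCS #7 (slide 14).
sign_one_day() {
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/user.crt" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/user.crt" -out "$WORK/user.p7b"
}

# Verify the user certificate against the CA at a given Unix time.
# "-attime" moves only the verifier's clock; no CRL or OCSP is involved,
# the certificate simply stops validating once its one-day window passes.
verify_at() {
  if openssl verify -CAfile "$WORK/ca.crt" -attime "$1" \
       "$WORK/user.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo expired
  fi
}

make_ca && make_request && sign_one_day
now=$(date +%s)
echo "verified now:        $(verify_at "$now")"
echo "verified in 2 days:  $(verify_at $((now + 2 * 86400)))"
```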


Slide 15: Obtaining User Certificate via Standalone Pgm (Netscape)
[Diagram] Exchange between the Client Machine and the Certificate Authority:
Client Machine: getcert, keyutil, certutil; key stores key3.db and cert7.db
Client Machine sends: public key
Certificate Authority: Lookup full name; Lookup Entity ID; Generate and sign certificate
Certificate Authority sends: signed certificate
Orange lines imply Kerberized exchange


Slide 16: Obtaining User Certificate via Standalone Program (IE)
[Diagram] Exchange between the Client Machine and the Certificate Authority:
Client Machine: Use OpenSSL to generate key pair; Store key pair
Client Machine sends: public key
Certificate Authority: Lookup full name; Lookup Entity ID; Generate and sign certificate
Certificate Authority sends: signed certificate
Client Machine: Store certificate


Slide 17: Storing the Certificates
How to destroy the certificates after use?
NT 4.0 w/SP3 and later has special storage classes that live only for the life of a login
Make use of Kerberos credential storage?
Internet Explorer vs. Netscape

Slide 18: Problems
Documentation - Flood or Drought
Macintosh support lags other platforms


Slide 19: Current Status
Internet Explorer (Windows only) looks promising
Netscape (Windows, Solaris) do-able but not clean
Macintosh support does not currently look promising for either browser

Slide 20: References
This presentation:
http://www.citi.umich.edu/u/kwc/Presentations/X509June1999
OpenSSL:
http://www.openssl.org/
Netscape Security Services:
http://home.netscape.com/nss/v1.2/index.html
Microsoft CryptoAPI:
http://www.microsoft.com/security/tech/CryptoAPI/default.asp


Slide 21: ?? Questions / Discussion ??

