Doster (billdo@umich.edu)
- Главная
- Разное
- Дизайн
- Бизнес и предпринимательство
- Аналитика
- Образование
- Развлечения
- Красота и здоровье
- Финансы
- Государство
- Путешествия
- Спорт
- Недвижимость
- Армия
- Графика
- Культурология
- Еда и кулинария
- Лингвистика
- Английский язык
- Астрономия
- Алгебра
- Биология
- География
- Детские презентации
- Информатика
- История
- Литература
- Маркетинг
- Математика
- Медицина
- Менеджмент
- Музыка
- МХК
- Немецкий язык
- ОБЖ
- Обществознание
- Окружающий мир
- Педагогика
- Русский язык
- Технология
- Физика
- Философия
- Химия
- Шаблоны, картинки для презентаций
- Экология
- Экономика
- Юриспруденция
X.509 at the University of Michigan. Project Goals презентация
Содержание
- 1. X.509 at the University of Michigan. Project Goals
- 2. Project Goals Transparent Web Authentication Eliminate password prompts Lotus Notes Authentication Position for inter-institution Authentication
- 3. Non-Goals Not a complete PKI Not to
- 4. Why X.509? An accepted standard Application support
- 5. Description Use short-term (approximately 1 day) certificates
- 6. Why “Junk Keys”? Revocation becomes a non-issue
- 7. Drawbacks Cannot be used for signing or encryption Not possible to verify certificate via LDAP
- 8. Options for obtaining the CA’s Certificate Bake
- 9. Obtaining CA Certificate via Web CA Apache
- 10. Options for obtaining the User Certificate Via
- 11. Obtaining User Certificate via Web (Netscape)
- 12. Obtaining User Certificate via Web (IE part
- 13. Obtaining User Certificate via Web (IE part
- 14. Obtaining User Certificate via Web (IE part
- 15. Obtaining User Certificate via Standalone Pgm (Netscape)
- 16. Obtaining User Certificate via Standalone Program (IE)
- 17. Storing the Certificates How to destroy the
- 18. Problems Documentation - Flood or Drought Macintosh support lags other platforms
- 19. Current Status Internet Explorer (Windows only) looks
- 20. References This presentation: http://www.citi.umich.edu/u/kwc/Presentations/X509June1999 OpenSSL: http://www.openssl.org/ Netscape Security Services: http://home.netscape.com/nss/v1.2/index.html Microsoft CryptoAPI: http://www.microsoft.com/security/tech/CryptoAPI/default.asp
- 21. ?? Questions / Discussion ??
Project Goals Transparent Web Authentication Eliminate password prompts Lotus Notes Authentication Position for inter-institution Authentication
Слайд 1X.509 at the
University of Michigan
CIC-RPG Meeting June 7, 1999
Kevin Coffman (kwc@umich.edu)
Bill
Слайд 2Project Goals
Transparent Web Authentication
Eliminate password prompts
Lotus Notes Authentication
Position for inter-institution Authentication
Слайд 3Non-Goals
Not a complete PKI
Not to be used for document signing
Not to
be used for encryption
Not a complete replacement of the current cookie method
Not a complete replacement of the current cookie method
Слайд 4Why X.509?
An accepted standard
Application support out of the box
Web servers, web
browsers, directory servers, IMAP servers, etc.
Allows the possibility for inter-institution authentication
No need for N²-1 cross-realm trusts
Allows the possibility for inter-institution authentication
No need for N²-1 cross-realm trusts
Слайд 5Description
Use short-term (approximately 1 day) certificates - “Junk Keys”
Obtain certificates securely
For
Authentication ONLY!
Use OpenSSL for creating and signing certificates
Use OpenSSL for creating and signing certificates
Слайд 6Why “Junk Keys”?
Revocation becomes a non-issue
Private Key storage is less an
issue
Certificate publication for sharing is not necessary
Certificate management is less critical
Certificate publication for sharing is not necessary
Certificate management is less critical
Слайд 8Options for obtaining the
CA’s Certificate
Bake it into browsers we distribute
Via a
web interface using SSL and Verisign Certificate
Store it in the file-system
Store it in the file-system
Слайд 9Obtaining CA
Certificate via Web
CA
Apache + OpenSSL
+ Scripts
+ Verisign Certificate
Browser
Netscape or
Internet Explorer
Certificate
Green
lines imply SSL Protected
Слайд 10Options for obtaining the
User Certificate
Via a web-based interface [ SSL ]
Pam
/ Gina / Login [ TGT or SSL ]
Standalone program [ TGT (or SSL) ]
Leave it up to application [ TGT (or SSL) ]
Standalone program [ TGT (or SSL) ]
Leave it up to application [ TGT (or SSL) ]
Слайд 11Obtaining User Certificate via Web (Netscape)
User selects URL
ID and password??
ID and
password
Lookup full name
Lookup Entity ID
Generate and
Sign Certificate
Verify identity
keyGen
Public Key
Signed Certificate
Generate key pair
and store keys
Store Certificate
Netscape Browser
Web server / CA
Слайд 12Obtaining User Certificate via Web (IE part 1)
User selects URL
ID ??
Send
a VBScript
asking for
user’s unique ID
user’s unique ID
ieReq.pl
Web server / CA
Internet Explorer Browser
Слайд 13Obtaining User Certificate via Web (IE part 2)
password ??
ieGenReq.pl
Web server /
CA
Internet Explorer Browser
ID (uniqname)
Lookup full name
Lookup Entity ID
Generate VBScript
to create key pair
and PKCS #10
request
Run VBScript to
generate key pair
and PKCS #10 request
Слайд 14Obtaining User Certificate via Web (IE part 3)
PKCS #7
Check password
Generate
certificate
and wrap it in
PKCS #7 format
Generate VBScript to accept PKCS #7
Generate VBScript to accept PKCS #7
ieTreatReq.pl
Web server / CA
Internet Explorer Browser
password +
PKCS #10
Run VBSript to
accept PKCS #7
Phew! Done!
Слайд 15Obtaining User Certificate via Standalone Pgm (Netscape)
public key
signed certificate
Client Machine
Certificate Authority
getcert
keyutil
certutil
key3.db
cert7.db
Lookup full name
Lookup Entity ID
Generate and sign certificate
Lookup Entity ID
Generate and sign certificate
Orange lines imply Kerberized exchange
Слайд 16Obtaining User Certificate via Standalone Program (IE)
signed certificate
Certificate Authority
Client Machine
Use OpenSSL
to
generate key pair
public key
Store key pair
Store certificate
Lookup full name
Lookup Entity ID
Generate and sign
certificate
Слайд 17Storing the Certificates
How to destroy the certificates after use?
NT 4.0 w/SP3
and later has special storage classes that lives only for the life of a login
Make use of Kerberos credential storage?
Internet Explorer vs. Netscape
Make use of Kerberos credential storage?
Internet Explorer vs. Netscape
Слайд 19Current Status
Internet Explorer (Windows only) looks promising
Netscape (Windows, Solaris) do-able but
not clean
Macintosh support does not currently look promising for either browser
Macintosh support does not currently look promising for either browser
Слайд 20References
This presentation:
http://www.citi.umich.edu/u/kwc/Presentations/X509June1999
OpenSSL:
http://www.openssl.org/
Netscape Security Services:
http://home.netscape.com/nss/v1.2/index.html
Microsoft CryptoAPI:
http://www.microsoft.com/security/tech/CryptoAPI/default.asp
