X.509 at the University of Michigan

About This Presentation

Title:

X.509 at the University of Michigan

Description:

Netscape Browser. Web server / CA. Obtaining User Certificate via Web (IE part 1) ... Netscape (Windows, Solaris) do-able but not clean ... – PowerPoint PPT presentation

Number of Views:42

Avg rating:3.0/5.0

Slides: 22

Provided by: kevinwc

Learn more at: http://www.citi.umich.edu

Category:

more less

Transcript and Presenter's Notes

Title: X.509 at the University of Michigan

1
X.509 at theUniversity of Michigan

CIC-RPG Meeting June 7, 1999
Kevin Coffman (kwc_at_umich.edu)
Bill Doster (billdo_at_umich.edu)

2
Project Goals

Transparent Web Authentication
Eliminate password prompts
Lotus Notes Authentication
Position for inter-institution Authentication

3
Non-Goals

Not a complete PKI
Not to be used for document signing
Not to be used for encryption
Not a complete replacement of the current cookie
method

4
Why X.509?

An accepted standard
Application support out of the box
Web servers, web browsers, directory servers,
IMAP servers, etc.
Allows the possibility for inter-institution
authentication
No need for N²-1 cross-realm trusts

5
Description

Use short-term (approximately 1 day) certificates
- Junk Keys
Obtain certificates securely
For Authentication ONLY!
Use OpenSSL for creating and signing certificates

6
Why Junk Keys?

Revocation becomes a non-issue
Private Key storage is less an issue
Certificate publication for sharing is not
necessary
Certificate management is less critical

7
Drawbacks

Cannot be used for signing or encryption
Not possible to verify certificate via LDAP

8
Options for obtaining theCAs Certificate

Bake it into browsers we distribute
Via a web interface using SSL and Verisign
Certificate
Store it in the file-system

9
Obtaining CACertificate via Web
Green lines imply SSL Protected
CA Apache OpenSSL Scripts Verisign
Certificate
Browser Netscape or Internet Explorer
Certificate
10
Options for obtaining theUser Certificate

Via a web-based interface SSL
Pam / Gina / Login TGT or SSL
Standalone program TGT (or SSL)
Leave it up to application TGT (or SSL)

11
Obtaining User Certificate via Web (Netscape)
Web server / CA
Netscape Browser
User selects URL
ID and password??
ID and password
Verify identity
keyGen
Generate key pairand store keys
Public Key

Lookup full name
Lookup Entity ID
Generate and
Sign Certificate

Signed Certificate
Store Certificate
12
Obtaining User Certificate via Web (IE part 1)
Web server / CA
Internet Explorer Browser
ieReq.pl
User selects URL
Send a VBScriptasking for users unique ID
ID ??
13
Obtaining User Certificate via Web (IE part 2)
Web server / CA
Internet Explorer Browser
ieGenReq.pl
ID (uniqname)

Lookup full name
Lookup Entity ID
Generate VBScriptto create key pairand PKCS
10request

password ??
Run VBScript togenerate key pairand PKCS 10
request
14
Obtaining User Certificate via Web (IE part 3)
Web server / CA
Internet Explorer Browser
password PKCS 10
ieTreatReq.pl

Check password
Generate certificate and wrap it in
PKCS 7 format
Generate VBScript to accept PKCS 7

PKCS 7
Run VBSript toaccept PKCS 7
Phew! Done!
15
Obtaining User Certificate via Standalone Pgm
(Netscape)
Certificate Authority
Client Machine
public key

Lookup full name
Lookup Entity ID
Generate and signcertificate

getcert
signed certificate
keyutil
certutil
key3.db
cert7.db
Orange lines imply Kerberized exchange
16
Obtaining User Certificate via Standalone Program
(IE)
Certificate Authority
Client Machine
Use OpenSSL togenerate key pair
public key

Lookup full name
Lookup Entity ID
Generate and signcertificate

signed certificate

Store key pair
Store certificate

17
Storing the Certificates

How to destroy the certificates after use?
NT 4.0 w/SP3 and later has special storage
classes that lives only for the life of a login
Make use of Kerberos credential storage?
Internet Explorer vs. Netscape

18
Problems