VTCA Project Team

1
VTCA Project Team
Secure Enterprise Technology Initiatives Internet
Application Development

e-Provisioning Group
Frank Galligan frankg_at_vt.edu
Baha Al-Amood balamood_at_vt.edu
PKI Advisory Group University Security
Office Certificate Policy Workgroup
2
Topics

• Network Security Review
• Security Issues
• Encryption As a Solution
• Why are CAs Needed?
• Public Key Encryption Example
• Digital Certificates
• CA Services
• What is the VTCA?
• PKI Background
• VTCA Project
• VTCA Architecture
• VTCA Certificate Request Process
• Future Direction

3
Security Issues
Privacy
Authentication
Interception
Spoofing
Integrity
Nonrepudiation
Modification
Proof of parties involved
4
Encryption as a Solution

• Public Key Encryption uses mathematically
  related, but not identical keys
• Public Key and Private Key pair

GTE CyberTrust

• Information encrypted with the public key can
  only be decrypted using the private key

5
Encryption Example
How does B know that its As public key?
GTE CyberTrust
Public Key
Encrypted Data

• Public Key is used to Encrypt Data
• Private Key is used to Decrypt Data

6
Digital Certificates

• B wants to be sure that the public key belongs to
  A and not to someone masquerading as A on an open
  network.
• We can use a trusted third party or Certification
  Authority (CA) to authenticate that the public
  key belongs to A.
• After A has provided proof of identity, the
  Certification Authority creates a message or
  Digital Certificate
• containing As name and public key.

Digital Certificate
7
CA Services

• CA is a Trusted Third Party or the Middleman
• CA Basic Services
• Process requests for digital certificates
  (CSR)
• Issue digital certificates
• Revoke digital certificates
• Maintain and publish a certificate
  revocation list (CRL)
• Ensure the integrity and confidentiality
  of the its private key
• CA Solutions
• Commercial Thawte, Entrust, Verisign, RSA
  Keon, Baltimore Tech UniCERT
• OpenSource OpenCA a GUI for OpenSSL

8
PKI Background

• Pilot CA running OpenCA
• IDDL S/MIME and XML forms pilot
• CS Department Globas Grid Project
• Smartcards Hokie Passport Office
• Commercial PKI Programs
• Evolving requirements for using SSL, TLS
• Virginia Tech CA Project

9
VTCA Project

• Architecture Hierarchical Model
• Level of Assurance FIPS 140-1 Level 3 HSM
• Vendor or OpenSource OpenSource OpenCA
• Deployment Model Phased
• Scope Internal Use
• Registration Authority Administrators IRM
• CP and CPS Documents University Security Office

10
VTCA Architecture
Virginia Tech Root CA
Server CA
Windows 2K3 CA ?
S/MIME CA
User CA
SSL Web Server Certificates
Personal Certificates
S/MIME Certificates
11
Certificate Request Process

Certification Authority Server
Registration Authority Server
Hardware Security Module
Subscriber
Internet
Private Network
CA Administrator
RA Administrator
12
Future Direction

• Phase I - Dec 2003
• Basic CA and RA services implemented
• Server certificates available for pilot groups
• CP and CPS documents completed
• Administrative organization in place
• Phase II VT Root Certificate Deployment June
  2004
• Links on MyPortal
• VTNET CD Fall 2004
• Media Blitz
• SSL Web Server Certificates
• User Services Training
• Phase III - December 2004
• Subordinate User CA
• Secure Email (S/MIME) certificates
• Object Signing certificates
• SSL Client Authentication Pilot
• Smartcard Pilot