Dartmouth PKI Update
Robert Brentrup
Internet2 Member Meeting
April 21, 2004

Dartmouth PKI Lab
• R&D to make PKI a practical component of a campus network
• Dual objectives:
  – Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
  – Improve the current state of the art.
• Identify security issues in current products.
• Develop solutions to the problems.
• Sponsored by the Mellon Foundation, Internet2/AT&T, NSF, DHS, Cisco, HP Labs, IBM Research

PKI Implementation
• Commercial CA Software (Sun/iPlanet)
• Sun 250 server
• Single Online CA Server
  – Hardware Key Storage
  – Dedicated Firewall
  – Publishes CRLs and provides OCSP

LDAP Directory
• Maintained from Institutional Systems
  – SIS, HR, Sponsored Guests
• Automated Addition and Deletion
• CA Publishes Certificates and CRLs to LDAP

User Enrollment
• Key Generation by Web Browser
  – Internet Explorer and Netscape/Mozilla
• Cross platform
  – Software Key and Certificate Storage
• LDAP authorization, self-service

Production Applications
• Web Services Authentication
  – Student Information System
  – Library Journals
  – Business School Portal
  – Software Downloads
  – Course Management System (Blackboard)
• SSL for IMAP Servers
• VPN Authentication

Pilot Applications
• Shibboleth Authentication
• Hardware Key Storage (USB Tokens)
• Secure Mail and List Server
• Document Signatures
  – Acrobat, Office, XML (NIH)
• Wireless Network Authentication
• Application and OS Sign-on with Tokens
• Grids

PKI Deployment Timeline
• Planning late 2001
• Staffing Jan - April 2002
• HW/SW Acquisition began Feb 2002
• CA Installation began June 2002
• Test CA available Sept 2002
• Production CA available Jan 2003
• First Applications – Library Jun 2003, Banner Aug 2003

Certificates Issued
• On April 15, 2004
  – 1542 Certificates Issued
  – 749 Unique Individuals
  – 542 Students (10%)
  – 207 Faculty and Staff (8%)
  – 68 Servers, Network Devices and CMS Admin

Devices with Certificates
• Web Server Certificates (18)
  – Sponsored Research System (SRS)
  – Bio-Informatics
  – Eng. Course evaluation system
  – Letters of Evaluation On-line (LEO)
  – Computing Service Internal

Devices with Certificates
• Mail Servers (8)
• Sympa List Server (S/MIME)
• VPN Concentrators (2)
• Grids (2)
  – fMRI, Physics
• Directory Servers (5)
  – LDAP, Active Directory

Rollout Activities
• Integrated user documentation on web, software downloads
• Support staff training and early adopters
• Add PKI functionality in System Updates
• Offer PKI as first authentication option
• Kerberos authentication error messages suggest PKI alternative
• PKI Configuration and SW on Disk images, for public computers and new purchases

Research Projects
• Guest Authentication to Wireless Network
• Open Source CA software
  – Installation, Packaging, Features
• Secure Hardware Applications
  – TPM and IBM 4758
  – Enforcer - Secure Linux Kernel
    • (available at http://enforcer.sourceforge.net)

For More Information
• Dartmouth Support Web: www.dartmouth.edu/~pki
• Dartmouth PKI Lab: www.dartmouth.edu/~pkilab
• PKI Outreach web: www.dartmouth.edu/~deploypki
Robert.J.Brentrup@dartmouth.edu
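The PKI Implementation and LDAP Directory slides describe a single online CA that publishes CRLs (and provides OCSP) so that relying parties such as the web servers, IMAP servers and VPN concentrators listed under Devices with Certificates can reject a revoked user certificate. The following script is an added example, not Dartmouth's CA tooling or configuration: it stands up a throw-away test CA with the OpenSSL command-line tools, issues two user certificates, revokes one, publishes a CRL, and runs the relying-party check against that CRL. The CA name, user names, file paths and the minimal `ca.cnf` are all constructed for the demo.

```shell
#!/bin/sh
# Added example: CRL issuance and relying-party revocation checking with a
# throw-away OpenSSL test CA. Nothing here is Dartmouth's own deployment;
# "Test Campus CA", alice, bob and the config below are constructed.
set -e

# Runs in a subshell so the temporary directory and `cd` do not leak out.
# Returns 0 only if the unrevoked cert verifies AND the revoked cert is rejected.
crl_demo() (
  set -e
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"

  # Minimal database that openssl ca(1) needs: index, serial, CRL number.
  mkdir -p ca/newcerts
  : > ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber

  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca

[ test_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
x509_extensions  = usr_cert

[ cn_only ]
commonName = supplied

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no

[ req_dn ]
CN = Test Campus CA
EOF

  # Self-signed CA certificate: the "single online CA" of the deck, in miniature.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 365 -config ca.cnf -subj "/CN=Test Campus CA" >/dev/null 2>&1

  # Two user key pairs and CSRs (the part a browser does during enrollment),
  # then CA-signed certificates for each.
  for u in alice bob; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$u.key" -out "$u.csr" \
      -config ca.cnf -subj "/CN=$u" >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -in "$u.csr" -out "$u.crt" >/dev/null 2>&1
  done

  # Revoke bob's certificate and publish a fresh CRL (what the CA would push
  # to LDAP / an HTTP distribution point for relying parties to fetch).
  openssl ca -config ca.cnf -revoke bob.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

  # Relying-party check: chain validation plus CRL lookup for the leaf.
  alice_ok=0; bob_ok=0
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl alice.crt >/dev/null 2>&1 && alice_ok=1
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl bob.crt   >/dev/null 2>&1 && bob_ok=1

  # Expected: alice passes, bob is refused as revoked.
  [ "$alice_ok" -eq 1 ] && [ "$bob_ok" -eq 0 ]
)

crl_demo && echo "CRL check behaves as expected: revoked certificate rejected"
```

Without `-crl_check` the revoked certificate would still verify, which is the practical point of the deck's "publishes CRLs" bullet: every application that accepts these certificates has to be configured to fetch and apply the CRL (or to query OCSP), not just to trust the CA.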