Dartmouth PKI Update
Robert Brentrup
Internet2 Member Meeting
April 21, 2004
Dartmouth PKI Lab
• R&D to make PKI a practical component of a
campus network
• Dual objectives:
– Deploy existing PKI technology to improve network
applications (both at Dartmouth and elsewhere).
– Improve the current state of the art.
• Identify security issues in current products.
• Develop solutions to the problems.
• Sponsored by the Mellon Foundation,
Intenet2/AT&T, NSF, DHS, Cisco, HP Labs, IBM
Research
PKI Implementation
• Commercial CA Software (Sun/iPlanet)
• Sun 250 server
• Single Online CA Server
– Hardware Key Storage
– Dedicated Firewall
– Publishes CRLs and provides OCSP
LDAP Directory
• Maintained from Institutional Systems
– SIS, HR, Sponsored Guests
• Automated Addition and Deletion
• CA Publishes Certificates and CRLs to
LDAP
User Enrollment
• Key Generation by Web Browser
– Internet Explorer and Netscape/Mozilla
• Cross platform
– Software Key and Certificate Storage
• LDAP authorization, self-service
Production Applications
• Web Services Authentication
–
–
–
–
–
Student Information System
Library Journals
Business School Portal
Software Downloads
Course Management System (Blackboard)
• SSL for IMAP Servers
• VPN Authentication
Pilot Applications
•
•
•
•
Shibboleth Authentication
Hardware Key Storage (USB Tokens)
Secure Mail and List Server
Document Signatures
– Acrobat, Office, XML (NIH)
• Wireless Network Authentication
• Application and OS Sign-on with Tokens
• Grids
PKI Deployment Timeline
•
•
•
•
•
•
•
Planning late 2001
Staffing Jan - April 2002
HW/SW Acquisition began Feb 2002
CA Installation began June 2002
Test CA available Sept 2002
Production CA available Jan 2003
First Applications
– Library Jun 2003, Banner Aug 2003
Certificates Issued
• On April 15, 2004
–
–
–
–
–
1542 Certificates Issued
749 Unique Individuals
542 Students (10%)
207 Faculty and Staff (8%)
68 Servers, Network Devices and CMS Admin
Devices with Certificates
• Web Server Certificates (18)
–
–
–
–
–
Sponsored Research System (SRS)
Bio-Informatics
Eng. Course evaluation system
Letters of Evaluation On-line (LEO)
Computing Service Internal
Devices with Certificates
•
•
•
•
Mail Servers (8)
Sympa List Server (S/MIME)
VPN Concentrators (2)
Grids (2)
– fMRI, Physics
• Directory Servers (5)
– LDAP, Active Directory
Rollout Activities
• Integrated user documentation on web, software
downloads
• Support staff training and early adopters
• Add PKI functionality in System Updates
• Offer PKI as first authentication option
• Kerberos authentication error messages suggest
PKI alternative
• PKI Configuration and SW on Disk images, for
public computers and new purchases
Research Projects
• Guest Authentication to Wireless Network
• Open Source CA software
– Installation, Packaging, Features
• Secure Hardware Applications
– TPM and IBM 4758
– Enforcer - Secure Linux Kernel
• (available at http://enforcer.sourceforge.net)
For More Information
• Dartmouth Support Web:
www.dartmouth.edu/~pki
• Dartmouth PKI Lab:
www.dartmouth.edu/~pkilab
• PKI Outreach web:
www.dartmouth.edu/~deploypki
Robert.J.Brentrup@dartmouth.edu