Higher Education PKI Initiatives

Similar documents
DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure

HSPD-12 : The Role of Federal PKI

FPKIPA CPWG Antecedent, In-Person Task Group

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Establishing Trust Across International Communities

PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

How does industry drive forward. SAFE-BioPharma Association

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

US Federal PKI Bridge. Ram Banerjee VP Vertical Markets

CERTIFICATE POLICY CIGNA PKI Certificates

Government PKI Factors Influencing Architecture for the Equal Employment Opportunity Commission

Apple Inc. Certification Authority Certification Practice Statement

Extending Services with Federated Identity Management

Internet2 Overview, Services and Activities. Fall 2007 Council Briefings October 7, 2007

Apple Inc. Certification Authority Certification Practice Statement

SWITCHpki Service Launch The SWITCHpki Team

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Technical Trust Policy

PKI and FICAM Overview and Outlook

An Introduction to DirectTrust

X.509 Certificate Policy. For The Federal Bridge Certification Authority (FBCA)

Leveraging the InCommon Federation to access the NSF TeraGrid

National Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016

Northrop Grumman Enterprise Public Key Infrastructure Certificate Policy

Transglobal Secure Collaboration Program Secure v.1 Technical Specification. Prepared by: TSCP Secure v.

Federated Access. Identity & Privacy Protection

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

ING Public Key Infrastructure Technical Certificate Policy

Connected Health Principles

REPORT OF THE INDEPENDENT ACCOUNTANT

Getting to Grips with Public Key Infrastructure (PKI)

National Identity Exchange Federation. Terminology Reference. Version 1.0

University of Cincinnati Federated Identity Strategy

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

Version 3.4 December 01,

AeroMACS Public Key Infrastructure (PKI) Users Overview

Helping Meet the OMB Directive

A standard for High-Assurance Identity for Healthcare and Pharmaceutical e-transactions

FiXs - Federated and Secure Identity Management in Operation

Certification Authority

Report: EDUCAUSE NIH PKI Interoperability Pilot Project

California State Updates. Presenter: David A. Minch, President & COO, HealthShare Bay Area

Lockheed Martin Enterprise Public Key Infrastructure Certificate Policy (CP)

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

A Market Solution to Online Identity Trust. Trust Frameworks 101: An Introduction

Strategies for the Implementation of PIV I Secure Identity Credentials

(60 min) California State Updates

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

Bugzilla ID: Bugzilla Summary:

SAFE-BioPharma RAS Privacy Policy

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

Do I Really Need Another Account? External Identities for Campus Applications

Leveraging HSPD-12 to Meet E-authentication E

Singapore s National Digital Identity (NDI):

ASEAN e-authentication Workshop Balwinder Sahota

U.S. E-Authentication Interoperability Lab Engineer

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration

Interagency Advisory Board Meeting Agenda, August 25, 2009

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Virginia Commonwealth University School of Medicine Information Security Standard

SSL/TSL EV Certificates

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Leveraging the LincPass in USDA

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

ECA Trusted Agent Handbook

Intra-ASEAN Secure Transactions Framework. Pitinan Kooarmornpatana Director of IT Infrastructure Office of ETDA Jun 2015

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Issues in Assessing Commercial Certification Service Trust

Development Authority of the North Country Governance Policies

Managing Trust in e-health with Federated Identity Management

A Pilot Implementation of DIRECT Messaging and Provider Directory Services in the Palomar Health District

The Benefits of EPCS Beyond Compliance August 15, 2016

Scaling Interoperable Trust through a Trustmark Marketplace

United States Department of Defense External Certification Authority X.509 Certificate Policy

UNCONTROLLED IF PRINTED

SLCS and VASH Service Interoperability of Shibboleth and glite

Cyber Partnership Blueprint: An Outline

Electronic Signature Policy

Operational Research Consultants, Inc. (ORC) Access Certificates For Electronic Services (ACES) Certificate Practice Statement Summary. Version 3.3.

+1 (801)

Identity Management (IdM) A US Perspective (Scott Rea Dartmouth College) Contents. Defining Identity Management (IdM)

SAML-Based SSO Solution

eid Applications Cross Border Authentication

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

SSL Certificates Certificate Policy (CP)

Interagency Advisory Board Meeting Agenda, July 28, 2010

AAI in EGI Current status

SAML-Based SSO Solution

Volvo Group Certificate Practice Statement

Who s Protecting Your Keys? August 2018

The SafeNet Security System Version 3 Overview

PKI is Alive and Well: The Symantec Managed PKI Service

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

Direct, DirectTrust, and FHIR: A Value Proposition

Federated Authentication for E-Infrastructures

X.509 Certificate Policy for the New Zealand Government PKI RSA Individual - Software Certificates (Medium Assurance)

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Transcription:

Higher Education PKI Initiatives (Scott Rea) Securing the ecampus - Hanover NH July 28, 2009

Overview What are the drivers for PKI in Higher Education? Stronger authentication to resources and services of an institution Better protection of digital assets from disclosure, theft, tampering, and destruction More efficient workflow in distributed environments Greater ability to collaborate and reliably communicate with colleagues and peers Greater access (and more efficient access) to external resources Facilitation of funding opportunities Compliance 2

PKI - Public Key Infrastructure Security is a chain; it's only as strong as the weakest link. The security of any system is based on many links and in a PKI they're not all cryptographic. People are involved PKI requires co-ordination across the following 3 areas: Technology (T) Policy & Procedures (P) Relationships & Liability (L) 3

LOA: Levels of Assurance Not all IdPs are created equal Policies adhered to vary in detail and strength (P) Strength of private keys (T) Protection of private keys (PL) Controls around private key operations (TPL) Separation of duties (PL) Trustworthiness of Operators (L) Auditability (TP) Authentication of end entities (TPL) Frequency of revocation updates (TP) 4

PKI Options PKI Choices for Higher Education Outsourced everything Outsourced managed services, internal RAs Internal operations: Community root Campus root Community Policy Campus Policy CA software: commercial vender open source RYO 5

Institution Creating Silos of Trust Dept-1 Dept-1 Dept-1 USHER CA CA CA 6

USHER : US Higher Education Root Trusted Root for US Higher Education Internet2 funded initiative Only signs subordinate CA certificates Bootstraps institutional PKIs by providing policy infrastructure and a CA The USHER root CA and infrastructure created at Dartmouth College, now hosted with InCommon infrastructure at Internet2 Facilitates inter-institutional trust between participating schools Different levels of assurance will be supported (just 1 rudimentary currently) 7

USHER Project The USHER Project will create and maintain four new Certificate Authority (CA) systems for Internet2 The four CA systems to be created are: USHER Foundation CA (Now called CA1) USHER Basic CA* USHER Medium CA* USHER High CA* *Not officially named yet The USHERs will be used to provide institutions of higher education PKI trust anchors with a common policy The USHER CAs may also be potentially cross-certified with the HEBCA to allow interoperation outside the USHER community 8

USHER Policy Authority The USHER PA establishes policy for and oversees operation of the USHER initiatives. USHER PA activities include approve and certify the Certificate Policy (CP) and Certification Practices Statement (CPS) for the USHER set policy for accepting applications for CA issuance under USHER CAs represent the USHER in establishing cross-certification with other PKI bridges e.g. HEBCA set policy governing operation of the USHER CAs oversee the USHER Operational Authority keep the USHER Membership informed of its decisions and activities. 9

USHER Project -Progress Policy Authority formed Prototype USHER operational on the Prototype HEBCA infrastructure Production USHER CP produced Production USHER CPS produced Production USHER Foundation CA created (2/23/06) at Dartmouth College and distributed USHER Foundation being embedded in applications (e.g. Lionshare) USHER Foundation run from InCommon infrastructure from 2007 Community contract documentation sufficiently baked USHER Campus root available for current InCommon Members 10

Institution Creating Silos of Trust Dept-1 Dept-1 Dept-1 USHER CA CA CA 11

HEBCA : Higher Education Bridge Certificate Authority Bridge Certificate Authority for US Higher Education Modeled on FBCA Provides cross-certification between the subscribing institution and the HEBCA root CA Flexible policy implementations through the mapping process The HEBCA root CA and infrastructure hosted at Dartmouth College Facilitates inter-institutional trust between participating schools Facilitates inter-federation trust between US Higher Education community and external entities 12

HEBCA What is the value presented by this initiative? HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc can all be trusted interinstitutionally and not just intra-institutionally Extensions to the Higher Education trust infrastructure into external federations is also possible and proof of concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension Single credential accepted globally Potential for stronger authentication and possibly authorization of participants in grid based applications Applicable for institutions whose policies can not be covered by community efforts e.g. USHER 13

Institution Solving Silos of Trust FBCA Dept-1 Dept-1 Dept-1 HEBCA CAUDIT PKI USHER CA CA CA 14

HEBCA A Brief History HEBCA started life as pilot project to validate PKI bridge-2- bridge transactions Modeled on the successful FBCA, but representing higher education Hosted at MitreTek, beginning 2001 with involvement from several HE institutions Dartmouth College, University of Wisconsin, University of California Berkley, University of Alabama, etc. EDUCAUSE provided sponsorship to instantiate the infrastructure for real Dartmouth College chosen as operating authority in May 2004 15

HEBCA Project - Progress What s been done so far? Operational Authority (OA) contractor engaged (Dartmouth PKI Lab) MOA with commercial vendor for infrastructure hardware (Sun) MOA with commercial vendor for CA software and licenses (RSA) Policy Authority formed Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA) Prototype Registry of Directories (RoD) deployed at Dartmouth Production HEBCA CP produced Production HEBCA CPS produced Preliminary Policy Mapping completed with FBCA Test HEBCA CA deployed and cross-certified with the Prototype FBCA Test HEBCA RoD deployed Infrastructure has passed interoperability testing with FBCA 16

HEBCA Project Next Steps What are the next steps? HEBCA to be hosted by commercial CA Provide long term viability Provides an operating platform that leverages economies of scale to keep operational costs down Allows for operation in accordance with defined policies such that meaningful cross-certifications can occur at desired LOA Facilitates reduced audit expenses 17

HEBCA A Case Study E-Sign Law 2000 makes digital signatures equivalent to wet ink signatures Digitally signed documents enable paperless workflow, reducing costs, increasing speed and efficiency Digitally signed documents: eliminate the need to handle, copy, ship and store paper documents facilitate a higher conversion rate from customers at online portals reduce the amount of manual input or reprocessing, (reduces errors) 18

HEBCA A Case Study Trust in digitally signed documents depends on a number of elements: the set of policies defining how the digital certificate used to verify the signature was issued; how that digital certificate is managed; and how well the identity of the subject of that certificate was vetted Trusting certificates issued from a CA one is familiar with is straight forward, but how does the average user trust certificates from a CA they have no relationship with? Being able to trust digital identities from multiple disparate sources is essential to implementing an effective paperless document workflow 19

HEBCA A Case Study HEBCA provides an efficient way for participating organizations to establish trust of any identities issued by other participants HEBCA uses technological and policy-based processes to assert the level of assurance that community members can place in a given identity certificate. As each participant joins HEBCA, their identity credentialing processes are reviewed and an assurance value is assigned to their certificates on a scale recognized within the community. Instead of each member establishing bilateral trust agreements, and reviewing the policies and procedures of each of all the other participants, they can simply trust the validity of the identity which HEBCA has vetted and asserted across its entire system HEBCA s participation in the 4BF enables a far greater community of trust for its participants beyond just higher education 20

HEBCA A Case Study NIH-EDUCAUSE PKI Interoperability Project Higher education researchers use certificates issued by their own schools to sign and submit grant applications to NIH NIH accepted and validated the applications and provided a signed receipt back to the schools The schools were able to validate and trust the receipt signed with the NIH certificate NIH was able to begin auto-processing of the grant applications without manual data entry and the potential errors that process introduces 21

22

HEBCA A Case Study NIH-EDUCAUSE PKI Interoperability Project Trust facilitated through HEBCA and FBCA in the same way 4BF now provides Digital signatures provide exponential increase in the speed of transaction Process saves costs through not having to handle, copy, ship, or store paper The project was awarded an E-Gov Pioneer Award by the federal government 23

CA-2 CA-1 Proposed Inter-federations HE BR CA-2 CA-3 CA-n FBCA NIH HE JP CA-1 AusCert CAUDIT PKI Cross-cert Cross-certs DST ACES C-4 Dartmouth HEBCA Texas Cross-certs IGTF Wisconsin UVA CertiPath SAFE Univ-N USHER Other Bridges CA-1 CA-2 CA-3 CA-4 24

The Four Bridges Forum (4BF) The 4BF is an existing infrastructure that facilitates trusted electronic business across major federal agencies, pharmaceutical and healthcare companies, aerospace and defense contractors and colleges and universities The 4BF is a federation of PKI identity providers It was formed by the nation s leading federated identity trust hubs Each 4BF trust hub asserts the identity of participants across the entire federation. 25

Who is the 4BF Federal PKI Architecture (Federal Bridge), serving the major Federal agencies CertiPath, serving the aerospace and defense industry SAFE-BioPharma Association, serving the biopharmaceutical and healthcare industries HEBCA, serving the higher education sector in the United States 26

How Does The 4BF Work? Each 4BF trust hub comprises multiple organizations using comparable policies and procedures to authenticate the identities of its participants Each authenticated identity is protected using public key cryptographic technology Once authenticated, the identity is uniquely linked to a digital certificate, permitting digital signatures The digital certificates from 4BF members are honored across the 4BF federation 27

The Benefits of the 4BF The identity can be trusted across its originating hub and all other hubs with which it is linked. This allows for trusted interoperability between separate and disparate systems. The identity can be used to authenticate individuals to access a variety of resources and to conduct other important business transactions. The digital certificates bearing the identity can be used for digital signatures that can be trusted across the federation. The digital certificates can also be used to facilitate confidential messages between 2 previously unconnected parties with the federation. 28

Summary There are multiple PKI initiatives within US higher education that cater to different communities of interest USHER is an Internet2 initiative that allows interoperability amongst its HE members based on adoption of a common policies HEBCA is an EDUCAUSE initiative that allows interoperability amongst it HE members based on policies that are mapped to various Levels of Assurance The 4BF is also based on policy mapping, but allows the HE community to interoperate with communities of interest outside HE e.g. Federal government, pharmaceutical industry, aerospace and defense industry USHER is a member of HEBCA, HEBCA is a member of 4BF 29

CA-2 CA-1 Proposed Inter-federations HE BR CA-2 CA-3 CA-n FBCA NIH HE JP CA-1 AusCert CAUDIT PKI Cross-cert Cross-certs DST ACES C-4 Dartmouth HEBCA Texas Cross-certs IGTF Wisconsin UVA CertiPath SAFE Univ-N USHER Other Bridges CA-1 CA-2 CA-3 CA-4 30

HEBCA Website: For More Information http://hebca.dartmouth.edu/ 4BF Website: http://www.the4bf.com/ Scott Rea - Scott.Rea@dartmouth.edu 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback