http://det.bi.ehu.es/git
PKIX BASED CERTIFICATION INFRASTRUCTURE IMPLEMENTATION ADAPTED TO NON PERSONAL END ENTITIES
Jacob E., Liberal F., Unzilla J.
{jtpjatae, jtplimaf, [email protected]
Department of Electronics and Telecommunications
Faculty of Engineering
University of the Basque Country
Bilbao (Spain)
SUMMARY
 INTRODUCTION
 MAIN GOALS
 SYSTEM ARCHITECTURE
 WAY OF OPERATION
 IMPLEMENTATION
 STATUS OF THE PROJECT
 FUTURE WORK
Introduction
Need to set trust agents => PKI: certification services
Background:
Oriented to end users => www
Inflexibility, interface-processing dependence
Lack of interoperability
Results => PKIs have been replaced by other systems: ssh, PGP, “home made” SSL
Proposed system
PKIX
Automate standard interfaces
Specific application scope
Main Goals
Develop a fully-functional PKI system
Speed up procedures
Guarantee scalability/interoperability
Make services more flexible
Ease user’s access
Provide mechanisms for new services
General Architecture
[Diagram: CRLs & certificates repository, end entity (EE), three RAs and a CA. Function labels: register EEs, authenticate, forward requests, register RAs, operations with certs.]
Way of operation: Registration I
[Diagram labels: ID, administrative data, password, RA, commands, RA operator, answers, ACKs, new user, cert. types]
Way of operation: Registration I.a
[[email protected] /root]# iradop -f raOperator.pem ra1.ipkix.com
iradop V1.0 iPKIX
2001 (C) Fidel Liberal Malaina [email protected]
OP-> adduser
ACK
OP-# username Fidel Liberal Malaina
ACK
OP-# Fidel Liberal Malaina
ACK
OP-# C/Portal de Vitoria 30 1º izda
ACK
.......
ACK
OP-# admindataend
ACK
OP-# certtype 1
CERTINFO_COUNTRYNAME_MODE
OP-# CERTINFO_COUNTRYNAME_MODE ES
CERTINFO_STATEORPROVINCENAME_MODE
OP-# CERTINFO_STATEORPROVINCENAME_MODE Álava
CERTINFO_LOCALITYNAME_MODE
OP-# CERTINFO_LOCALITYNAME_MODE Vitoria
CERTINFO_ORGANIZATIONALUNITNAME_MODE
OP-# CERTINFO_ORGANIZATIONALUNITNAME_MODE Certificados
CERTINFO_COMMONNAME_MODE
OP-# CERTINFO_COMMONNAME_MODE Fidel Liberal Malaina
CERTINFO_RFC822NAME_MODE
OP-# CERTINFO_RFC822NAME_MODE [email protected]
.......
SENDERKID KJSDFNAKJ23HKASDASDFLJ
PASSWORD ASINL345V54561FASV014F
OP-# COMMIT
ACK
OP->
Way of Operation: Registration II
GENERAL FUNCTIONS (CERTIFICATES MANAGEMENT)
Operations with certificates
Check certificates
Secure connections management
Download certificates
[Diagram labels: End User, ID, CMP, PASS, Registration Authority]
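How an RA could check that a CMP request comes from the holder of the ID/PASS pair issued at registration, as an added example that is not part of the original slides or the iPKIX code. It assumes the request is protected with the password-based MAC of RFC 4210, which the slides do not state; the function names, iteration limits and the stand-in request bytes are illustrative.

```python
import hashlib
import hmac
import os

MIN_ITER, MAX_ITER = 1000, 100_000   # assumed local policy; the sender picks the count
DUMMY = os.urandom(32)               # used for unknown IDs so timing stays uniform

def pbm_key(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """BASEKEY of RFC 4210 5.1.3.1: hash secret||salt, then re-hash the output."""
    key = secret + salt
    for _ in range(iterations):
        key = hashlib.sha256(key).digest()   # OWF is a parameter; SHA-256 chosen here
    return key

def protect(part: bytes, secret: bytes, salt: bytes, iterations: int) -> bytes:
    """End-entity side: MAC over the encoded header and body of the request."""
    return hmac.new(pbm_key(secret, salt, iterations), part, hashlib.sha256).digest()

def ra_verify(users, sender_kid, part, salt, iterations, mac) -> bool:
    """RA side: find the secret by senderKID, recompute the MAC, compare."""
    if not MIN_ITER <= iterations <= MAX_ITER:
        return False                 # bound the work an unauthenticated peer can demand
    secret = users.get(sender_kid, DUMMY)
    expected = protect(part, secret, salt, iterations)
    return hmac.compare_digest(expected, mac) and sender_kid in users

# Values issued by the RA operator session on the registration slide.
USERS = {"KJSDFNAKJ23HKASDASDFLJ": b"ASINL345V54561FASV014F"}
# Constructed stand-in for the DER-encoded PKIHeader + PKIBody (not real ASN.1).
REQUEST = b"ir|senderKID=KJSDFNAKJ23HKASDASDFLJ|CN=Fidel Liberal Malaina"

def demo():
    salt, n = os.urandom(16), 2000
    kid = "KJSDFNAKJ23HKASDASDFLJ"
    mac = protect(REQUEST, USERS[kid], salt, n)
    return {
        "valid": ra_verify(USERS, kid, REQUEST, salt, n, mac),
        "tampered": ra_verify(USERS, kid, REQUEST + b"|CN=other", salt, n, mac),
        "unknown_id": ra_verify(USERS, "NOSUCHID", REQUEST, salt, n, mac),
        "huge_count": ra_verify(USERS, kid, REQUEST, salt, 10**9, mac),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first case verifies; the modified body, the unregistered ID and the oversized iteration count are all rejected before any certificate operation is forwarded.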
Way of Operation: Registration II.a
[Diagram labels: Registration Entity, ID, CMP, PASS, administrative data]
Way of Operation: Registration II.b
[Diagram labels: Registration Authority, RA, CA, ID, PASS, CMP, P, S, prerequests, send to CA]
Way of Operation: Registration III
[Diagram labels: Certification Authority, CA, ID, CMP, send back to RA, store in repository, authorized RAs, RA, certificates repository]
Implementation
Linux O.S.
Daemon servers in C language
Pthreads (Posix threads)
MySQL DBMS
OpenLDAP
cryptlib © cryptographic library
Implementation: RA
[Diagram labels: serving threads, requests, PKIX access, OCSP, CMP, control, serving threads]
Implementation: RA II
DEBUG LOG
#DEBUG1: Debug thread created
#DEBUG1: Creating CMPSpareServer 0, line 166
#DEBUG3: Adding node to general list
#DEBUG3: Adding node to idle list
#DEBUG3: Number of CMP threads created: 1
#DEBUG3: Number of CMP threads idle: 1
#DEBUG3: Adding node to general list
#DEBUG3: Adding node to idle list
#DEBUG3: Number of CMP threads created: 2
#DEBUG3: Number of CMP threads idle: 2
#DEBUG1: Creating CMPSpareServer 1, line 166
#DEBUG1: Creating OCSPSpareServer 0
#DEBUG3: Adding node to general list
#DEBUG3: Adding node to idle list
#DEBUG3: Number of OCSP threads created: 1
#DEBUG3: Number of OCSP threads idle: 1
#DEBUG1: Creating OCSPSpareServer 1
#DEBUG3: Adding node to general list
#DEBUG3: Adding node to idle list
#DEBUG3: Number of OCSP threads created: 2
Implementation: CA
AUTOMATED OPERATION!!
Status of the project
10.000 C code lines
Functional system integrating RA and CA in one
RA server, operator and administrator clients and Java© front-ends
cryptlib © library
Advantages:
Ease of use due to standardized interfaces (cryptSetAttribute(), CRYPT_CERTIFICATE, CRYPT_SESSION...)
Short development period
Disadvantages:
Very high-level interface:
Development period longer for specific projects
Lack of low-level documentation => ~reverse engineering, bootstrapping.
Network support
MySQL support
Future work
Adapt PSE access modules to hardware devices, such as smartcards, crypto-tokens…
Integration with other certification systems like PGP.
Inclusion of attribute certificates.
Development of Windows© family client libraries.
Integration of certificate services.
A real application?