a s i a p a c i f i c n e t w o r k i n f o r m a t i o n c e n t r e apnic open policy meeting sig:...
TRANSCRIPT
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC Open Policy Meeting APNIC Open Policy Meeting SIG: Whois DatabaseSIG: Whois Database
October 2000October 2000APNIC Certificate AuthorityAPNIC Certificate Authority
Status ReportStatus Report
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA ProjectAPNIC CA Project
Part 1Part 1 APNIC CA projectAPNIC CA project Benefits and costsBenefits and costs Project plansProject plans Future developmentsFuture developments ReferencesReferences
Part 2 Part 2 (if requested)(if requested)
Cryptography and PKI OverviewCryptography and PKI Overview
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA - Why?APNIC CA - Why?
In response toIn response to Membership concern for greater securityMembership concern for greater security
Confidential info exchange with APNICConfidential info exchange with APNIC Is my database transaction secure?Is my database transaction secure?Whose prefixes do you accept?Whose prefixes do you accept?
Internet community interest in security, PKI, Internet community interest in security, PKI, digital certificatesdigital certificates
e.g. rps-authe.g. rps-auth IETF working group: PKIXIETF working group: PKIX
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA - OverviewAPNIC CA - Overview
Certificate issued to APNIC memberCertificate issued to APNIC member Corresponds to Corresponds to MembershipMembership of APNIC of APNIC Provides uniform mechanism for all security Provides uniform mechanism for all security
needsneeds::Encryption and signature of email with APNICEncryption and signature of email with APNICAuthentication of access to APNIC web siteAuthentication of access to APNIC web siteSecure maintainer mechanism for APNIC databaseSecure maintainer mechanism for APNIC databaseFuture authorisation mechanism for Internet Future authorisation mechanism for Internet
resourcesresourcesAuthentication of resource custodianshipAuthentication of resource custodianship
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA - Benefits/CostsAPNIC CA - Benefits/Costs
BenefitsBenefits Uniform industry-standard mechanism for “single Uniform industry-standard mechanism for “single
password” security, authentication and authorisationpassword” security, authentication and authorisation Strong public key cryptography, end-to-endStrong public key cryptography, end-to-end
CostsCosts Server and client softwareServer and client software Change to current proceduresChange to current procedures New policiesNew policies Establishment: software purchase and/or developmentEstablishment: software purchase and/or development
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA - RoadmapAPNIC CA - Roadmap
20 Apr, 2000 30 Jun, 2001
1/5 1/6 1/7 1/8 1/9 1/10 1/11 1/12 1/1 1/2 1/3 1/4 1/5 1/6
Certificate Management System
Authenticated CorrespondanceAuthorised access to website programs
and resources
PKI AAAwithin
Whois Database
CA Selectionand Deployment
PKI Workflow Integration
PKI Whois Integration
Single sign-onfor Membership
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Scoping project Oct 1999 - Jan 2000
Phase 1 Apr – Nov 2000
Phase 2 Jan – Jun 2001
APNIC CA - TimelineAPNIC CA - Timeline
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA - Scoping ProjectAPNIC CA - Scoping Project
October 1999 - January 2000October 1999 - January 2000ObjectivesObjectives
Analyse impact of introducing PKIAnalyse impact of introducing PKI Provide focus for discussionsProvide focus for discussions Raise awareness of PKI in generalRaise awareness of PKI in general
ConclusionsConclusions Significant benefits for members’ securitySignificant benefits for members’ security Growing standards support for PKIGrowing standards support for PKI See: See: http://www.apnic.net/cahttp://www.apnic.net/ca
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Requirements Document
April – May
Programming and Testing May – Sep
Initial deployment Sep - Nov
APNIC CA – Phase 1 TimelineAPNIC CA – Phase 1 Timeline
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA – Phase 1APNIC CA – Phase 1
April – November 2000April – November 2000DeliverablesDeliverables
Selection of CA softwareSelection of CA software Procedures for issuance and revocation of Procedures for issuance and revocation of
Identity certificates to membersIdentity certificates to members Policies for use of APNIC CertificatesPolicies for use of APNIC Certificates Issue trial certificates at APNIC Meeting Issue trial certificates at APNIC Meeting
October 2000October 2000 Risk AnalysisRisk Analysis
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
CA SoftwareCA Software
CA Architecture based on OpenCACA Architecture based on OpenCA OpenCA uses OpenSSL for PKI APIOpenCA uses OpenSSL for PKI API Apache-SSL with OpenSSLApache-SSL with OpenSSL APNIC developed client certificate layerAPNIC developed client certificate layer Supported Clients:Supported Clients:
Netscape 4.x Navigator and MessengerNetscape 4.x Navigator and MessengerMicrosoft [4|5].x Internet ExplorerMicrosoft [4|5].x Internet ExplorerMicrosoft 5.x Outlook and Outlook ExpressMicrosoft 5.x Outlook and Outlook ExpressAny client using OpenSSL 0.9.[5|6] toolkitAny client using OpenSSL 0.9.[5|6] toolkit
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Certificate Issuance WorkflowCertificate Issuance Workflow
Offline Identity Confirmation
Online CertificateRequest
APNIC Member
RA Verifies and Signs
request
CA signs requestcreating certificate
RA makes certificate available for download
and notifies member
Member downloads certificateinto browser or mail client
APNICAPNICMemberMember
APNICAPNICCertificateCertificateAuthorityAuthority
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
CA ArchitectureCA Architecture
DMZDMZ Internal NetworkInternal Network OfflineOffline
Low trustLow trust Medium trustMedium trust High trustHigh trust
Member’sMember’sBrowserBrowser
RegistrationRegistrationAuthorityAuthority
CertificateCertificateAuthorityAuthority
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Certificate Policy Statement (CPS)Certificate Policy Statement (CPS)
Draft CPS available for download at:Draft CPS available for download at: http://www.http://www.apnicapnic.net/ca.net/ca
Member feedback welcomeMember feedback welcome Once completed CPS will be handed to Executive Once completed CPS will be handed to Executive
Council for final approvalCouncil for final approval Future certificates will be issued under this CPSFuture certificates will be issued under this CPS NOTE: Certificates issued this week as part of NOTE: Certificates issued this week as part of
pilot testing are NOT issued under this CPSpilot testing are NOT issued under this CPS
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA – Phase 2APNIC CA – Phase 2
January – June 2001January – June 2001DeliverablesDeliverables
Browser and deployment issues analysisBrowser and deployment issues analysis Certificates used for website access controlCertificates used for website access control Prototype X509 certificates in whois databasePrototype X509 certificates in whois database Strong encryption for member correspondenceStrong encryption for member correspondence Trial issuance of Attribute Certificates with Trial issuance of Attribute Certificates with
resource allocationresource allocation
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA - FutureAPNIC CA - Future
Generalised CA functionGeneralised CA function APNIC Certificates may be used for general APNIC Certificates may be used for general
purposespurposes Requires tight policy and quality framework for Requires tight policy and quality framework for
APNIC certificates to be trustedAPNIC certificates to be trusted
Hierarchical certificationHierarchical certification APNIC Members may use their certificates to APNIC Members may use their certificates to
certify their own members or customerscertify their own members or customers May be applicable for ISPs and NIRsMay be applicable for ISPs and NIRs
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA - FutureAPNIC CA - Future
Public Key CertificatesPublic Key Certificates X.509 certificate linking a Public Key to an X.509 certificate linking a Public Key to an
identity, issued by CAidentity, issued by CA
Attribute CertificatesAttribute Certificates X.509 certificate linking Attributes to an identity, X.509 certificate linking Attributes to an identity,
issued by CA or other authorityissued by CA or other authority Provides Provides authorisationauthorisation, rather than , rather than
authentication,authentication, information information Not yet widely deployed or supportedNot yet widely deployed or supported
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA - ConsultationAPNIC CA - Consultation
Mailing list open after Apricot2000Mailing list open after Apricot2000 [email protected]@lists.apnic.net http://www.apnic.net/wilma-bin/wilma/pki-wghttp://www.apnic.net/wilma-bin/wilma/pki-wg
Further developmentsFurther developments See: See: http://www.apnic.net/cahttp://www.apnic.net/ca
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC CA - DocumentsAPNIC CA - Documents
IETF PKIX drafts:IETF PKIX drafts:
draft-ietf-pkix-roadmap-04.txtdraft-ietf-pkix-roadmap-04.txt““Internet X.509 Public Key Infrastructure PKIX RoadmapInternet X.509 Public Key Infrastructure PKIX Roadmap””
draft-clynn-bgp-x509-auth-01.txtdraft-clynn-bgp-x509-auth-01.txt““X.509 Extensions for Authorization of IP Addresses AS X.509 Extensions for Authorization of IP Addresses AS
Numbers, and Routers within an AS”Numbers, and Routers within an AS”
draft-ietf-pkix-ac509prof-01.txtdraft-ietf-pkix-ac509prof-01.txt““An Internet Attribute Certificate Profile for Authorization”An Internet Attribute Certificate Profile for Authorization”
http://www.ietf.org/html.charters/pkix-charter.htmlhttp://www.ietf.org/html.charters/pkix-charter.html
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Questions?Questions?
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
APNIC Open Policy Meeting APNIC Open Policy Meeting October 2000October 2000
Part 2Part 2
PKI OverviewPKI Overview
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Cryptography - TermsCryptography - Terms
Public key cryptographyPublic key cryptography Cryptography technique using different keys for Cryptography technique using different keys for
encoding and decoding messagesencoding and decoding messages
KeypairKeypair Private key and public key, generated together, Private key and public key, generated together,
used in public key cryptographyused in public key cryptography
Encryption/DecryptionEncryption/Decryption To encode/decode a message using a public or To encode/decode a message using a public or
private keyprivate key
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Decrypt
Message
Transmit
EncryptedMessage
Public Key CryptographyPublic Key Cryptography- Encryption- Encryption
Encrypt
EncryptedMessageMessage
Keypair
Retrieve Public Key
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Decrypt
Message
Transmit
“Signed”Message
Public Key Cryptography Public Key Cryptography - Encryption- Encryption
Encrypt
“Signed”MessageMessage
Keypair
Retrieve Public Key
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Public Key Cryptography Public Key Cryptography - Digital Signature- Digital Signature
Assemble
SignedMessage
Digest
Hash
SignatureEncrypt
Message
Keypair
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Public Key Cryptography Public Key Cryptography - Digital Signature- Digital Signature
Signature
Message
Digest
Valid?
SignedMessage
DigestDecrypt
Retrieve Public Key
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
PKI - TerminologyPKI - Terminology
Public Key Infrastructure (PKI)Public Key Infrastructure (PKI) Administrative structure for support of public Administrative structure for support of public
key cryptographykey cryptography
Public Key Certificate (Digital Certificate)Public Key Certificate (Digital Certificate) Document linking a Public Key to an identity, Document linking a Public Key to an identity,
signed by a CA, defined by X.509signed by a CA, defined by X.509
Certificate Authority (CA)Certificate Authority (CA) Trusted authority which issues digital Trusted authority which issues digital
certificatescertificates
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Digital CertificatesDigital Certificates
A digital certificate contains:A digital certificate contains: Identity detailsIdentity details
eg Personal ID, email address, web site URLeg Personal ID, email address, web site URL
Public key of identityPublic key of identity Issuer (Certification Authority)Issuer (Certification Authority) Validity periodValidity period AttributesAttributes
The certificate is The certificate is signedsigned by the CA by the CA
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Digital Certificate - ExampleDigital Certificate - Example
Certificate ::= SEQUENCE {Certificate ::= SEQUENCE {
tbsCertificate tbsCertificate TBSCertificate,TBSCertificate,
signatureAlgorithm signatureAlgorithm AlgorithmIdentifier,AlgorithmIdentifier,
signature signature BIT STRINGBIT STRING
}}
TBSCertificate ::= SEQUENCE {TBSCertificate ::= SEQUENCE {
version version [0] [0] EXPLICIT Version DEFAULT v1,EXPLICIT Version DEFAULT v1,
serialNumber serialNumber CertificateSerialNumber,CertificateSerialNumber,
signature signature AlgorithmIdentifier,AlgorithmIdentifier,
issuer issuer Name,Name,
validity validity Validity,Validity,
subject subject Name,Name,
subjectPublicKeyInfo subjectPublicKeyInfo SubjectPublicKeyInfo,SubjectPublicKeyInfo,
issuerUniqueID issuerUniqueID [1] [1] IMPLICIT UniqueIdentifier OPTIONAL,IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID subjectUniqueID [2] [2] IMPLICIT UniqueIdentifier OPTIONAL,IMPLICIT UniqueIdentifier OPTIONAL,
extensions extensions [3] [3] EXPLICIT Extensions OPTIONALEXPLICIT Extensions OPTIONAL
}}
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E
Digital Certificate - LifecycleDigital Certificate - Lifecycle
Key Pair Generated
Certificate Issued
Certificate valid and in use Private Key
compromised
Certificate Expires
Recertify
Certificate Revoked
Keypair Expired