PKIX BASED CERTIFICATION INFRASTRUCTURE

IMPLEMENTATION ADAPTED TO NON PERSONAL END

ENTITIES

Jacob E., Liberal F., Unzilla J.{jtpjatae, jtplimaf, jtpungaj}@bi.ehu.es

Department of Electronics and TelecommunicationsFaculty of Engineering

University of the Basque CountryBilbao (Spain)

http://det.bi.ehu.es/git

2

SUMMARY

INTRODUCTION

MAIN GOALS

IMPLEMENTATION

STATUS OF THE PROJECT

SYSTEM ARCHITECTURE

WAY OF OPERATION

FUTURE WORK

3

IntroductionNeed to set trust agents => PKI: certification servicesBackground:

Oriented to end users => www Inflexibility, interface-processing dependence Lack of interoperability

Results => PKIs have been replaced by other systems: ssh, PGP, “home made” SSL Proposed system

PKIX Automate standard interfaces Specific application scope

4

Main Goals

Speed up proceduresGuarantee scalability/interoperabilityMake services more flexibleEase user’s accessProvide mechanisms for new services

Develop a fully-functional PKI system

5

General Architecture

CR

Ls

AN

D C

ER

TIF

ICA

TE

S R

EP

OS

ITO

RY

CA

other CA

RA

PKI USERS

PKI MANAGEMENT

ENTITIES

OPERATIONAL AND MANAGEMENT TRANSACTIONS

MANAGEMENT TRANSACTIONS

PUBLISH CERTS AND CRLs

MANAGEMENT TRANSACTIONS

RA

END ENTITY (EE)

RA RARA RA RARA

CACA

CR

Ls

& C

ER

TIF

ICA

TE

S R

EP

OS

ITO

RY

CR

Ls

& C

ER

TIF

ICA

TE

S R

EP

OS

ITO

RY

END ENTITY (EE)END ENTITY (EE)

REGISTER EEs AUTHENTICATE FORWARD REQUESTS

REGISTER RAs

OPERATIONS WITH CERTs

6

COMMANDS

ANSWERS

ACKs

AdministrativeData

Way of operation: Registration I

RAOPERATOR

RA

CERT.TYPES

PasswordID

NEWUSER

7

[root@afrodita /root]# iradop –f raOperator.pem ra1.ipkix.com iradop V1.0 iPKIX 2001 (C) Fidel Liberal Malaina jtlimaf@aintel.bi.ehu.es OP-> adduser

ACK OP-# username Fidel Liberal Malaina

ACK OP-# Fidel Liberal Malaina

ACK OP-# C/Portal de Vitoria 30 1º izda

ACK .......

ACK OP-# admindataend

ACK OP-# certtype 1

CERTINFO_COUNTRYNAME_MODE OP-# CERTINFO_COUNTRYNAME_MODE ES

CERTINFO_STATEORPROVINCENAME_MODE OP-# CERTINFO_STATEORPROVINCENAME_MODE Álava

CERTINFO_LOCALITYNAME_MODE OP-# CERTINFO_LOCALITYNAME_MODE Vitoria

CERTINFO_ORGANIZATIONALUNITNAME_MODE OP-# CERTINFO_ORGANIZATIONALUNITNAME_MODE Certificados

CERTINFO_COMMONNAME_MODE OP-# CERTINFO_COMMONNAME_MODE Fidel Liberal Malaina

CERTINFO_RFC822NAME_MODE OP-# CERTINFO_RFC822NAME_MODE jtalimaf@aintel.bi.ehu.es

....... SENDERKID KJSDFNAKJ23HKASDASDFLJ PASSWORD ASINL345V54561FASV014F

OP-# COMMIT ACK

OP->

Way of operation: Registration I.a

8

Way of Operation: Registration II

End UserEnd User

APPLICATIONS WITH

PKIX SUPPORT

CRYPTO

SUPPORT

ADAPTATION LAYER

OPERATIONS WITH

CERTIFICATES

CHECK CERTIFICATES

SECURE CONNECTIONS MANAGEMENT

DOWNLOAD CERTIFICATES

OPERATIONS WITH

CERTIFICATES

GENERAL FUNCTIONS (CERTIFICATES MANAGEMENT)

IDID CMPCMP PASSPASS

RegistrationAuthority

RegistrationAuthority

9

Entidad Registro

Entidad Registro IDID CMPCMP PASSPASSIDID PASSPASS

ADMINISTRATIVEDATA

ADMINISTRATIVEDATA

Way of Operation: Registration II.a

10

RegistrationAuthority

RegistrationAuthority IDID CMPCMP PASSPASSIDID CMPCMP

PRE-REQUESTS

PRE-REQUESTS

IDID CMPCMPCMPCMP

PP

SENDTO CA

SSIDID CMPCMP

RA

CA

Way of Operation: Registration II.b

11

CertificationAuthority

CertificationAuthority IDID CMPCMP

AUTHORIZEDRAs

AUTHORIZEDRAs

CERTIFICATESCERTIFICATES

CMP

SEND BACK TO RA

STORE INREPOSITORY

RA

CAREPOSITORY

Way of Operation: Registration III

12

Implementation

Linux O.S. Daemon servers in C languagePthreads (Posix threads)

MySQL DBMS

cryptlib © cryptographic library

OpenLDAP

13

P K I X a c c e s s

M a n a g e m e n tP r o t o c o l s

( C M P )

C O N T R O L M O D U L E

R E Q U E S T S T A T E S

R E G I S T R Y A D M I N I S T R A T I O N

R E G I S T R Y

A D M I N I S T R A T O R M O D U L E

A L M A C E N A M I E N T O

Y A C C E S O A L P S E

O p e r a t o r I n t e r f a c e

R e q u e s t s t o C A

R e q u e s t q u e r i e s

P K I X A C C E S S

i r a d

M Ó D U L O O P E R A D O R

A d m i n i s t r a t o r I n t e r f a c e

A d m i n i s . D a t a

Q u e r i e s F u n c t i o n s

A c c e s s C o n t r o l

d e a c c e s o

PK IX ACCESS OCSP

CONTROL

CMP

SERVING THREADS

SERVING THREADSREQUESTS

Implementation: RA

14

irad.log

SSL ADMIN. CONNECTION

DEBUGLOG

#DEBUG1: Debug thread created

#DEBUG1: Creating CMPSpareServer 0, line 166

#DEBUG3: Adding node to general list

#DEBUG3: Adding node to idle list

#DEBUG3: Number of CMP threads created: 1

#DEBUG3: Number of CMP threads idle: 1

#DEBUG3: Adding node to general list

#DEBUG3: Adding node to idle list

#DEBUG3: Number of CMP threads created: 2

#DEBUG3: Number of CMP threads idle: 2

#DEBUG1: Creating CMPSpareServer 1, line 166

#DEBUG1: Creating OCSPSpareServer 0

#DEBUG3: Adding node to general list

#DEBUG3: Adding node to idle list

#DEBUG3: Number of OCSP threads created: 1

#DEBUG3: Number of OCSP threads idle: 1

#DEBUG1: Creating OCSPSpareServer 1

#DEBUG3: Adding node to general list

#DEBUG3: Adding node to idle list

#DEBUG3: Number of OCSP threads created: 2

Implementation: RA II

15

Implementation: CA

“ R A s ” S E R V E R

C E R T I F I C A T E S T A T E

R E G I S T R Y

O P E R A T O R M O D U L E

P E R I O D I C A L L Y C R L s S U B M I S I O N

P S E A C C E S S A N D

S T O R A G E

R E Q U E S T S F R O M R A s

i c a d

P U B L I S H C R L s

A D M I N . M O D U L E

O P E R A T O R I N T E R F A C E

I N T E R F A Z A D M I N I S T R A D O R

C E R T I F I C A T O R AUTOMATED OPERATION!!

16

Status of the project10.000 C code linesFunctional system integrating RA and CA in oneRA server, operator and administrator clients and Java© front-endscryptlib © library

Advantages:Ease of use due to standarized interfaces (cryptSetAttribute(), CRYPT_CERTIFICATE, CRYPT_SESSION...)Development period short

Disadvantages:Very high-level interface :

Development period longer for specific projectsLack of low-level documentation=> ~reverse engineering, bootstrapping.

Network support MySQL support

17

Future work

Adapt PSE access modules to hardware devices, such as smartcards, crypto-tokens…Integration with other certifications systems like PGP.Inclusion of attribute certificates.Development of Windows© family client libraries.Integration of certificate services.A real application?