Certification Authority
MIEIC – Segurança de Sistemas Informáticos
João Brito – ei07052
João Coelho – ei07118
Contents
• Theoretical introduction
• State of the art
• Technologies review
• Use case scenarios
Problem
• How to deploy a Certificate Authority for University of Porto?
• How to provide trusted digital certificates?
• How to maintain a CRL?
Theoretical Introduction
What is a CA?
Goals
• Ensure:
• Information integrity
• User authentication
• Non-repudiation of electronic data
State of the art
Technologies
• OpenCA
  • Apache
  • PHP
  • Perl
• PHPki
  • Apache
  • PHP
• EJBCA
  • Java Application Server (JBoss)
  • Apache Ant (required to install)
Solution
• Deployment of a CA based on the EJBCA architecture.
Functionalities
• Administration
• CA creation and activation;
• Manage entities;
• Profile management;
• Public Area
• Certificate acquisition;
• Certificate revocation check;
Deployment
• EJBCA deployment
  • Apache Ant – configure and install EJBCA
  • JBoss Application Server – application server that will provide the CA service
• Administrators should install the SuperAdmin certificate to access the following URL:
  • https://localhost:8443/ejbca/adminweb
User configuration
• User information to certify:
  • Name
  • Address
  • Phone number
  • Email
• User details must be verified against the user's personal documents:
  • Citizen card
  • Email/SMS secret key
Certificates
• Browser certificates
  • Authenticate users on the faculty’s services.
Certificates
• SSL/SSH certification
Other applications
• Certificate Signing Requests
  • User uploads his public key;
  • CA returns the certificate;
  • Base64 encoding, PEM format
• Specific software needed
  • OpenSSL
Certificate applications
• Signing information is not a functionality of this application.
• Document signing has to be done at client side.
• Examples:
  • Import the certificate into Thunderbird
  • Use with OpenSSH
Signature Validation
• User lists certificates
• Entering certificate properties:
  • Issuer DN
  • Certificate serial number
Key expiration
• The certificate’s validity date should not go beyond the graduation year.
• Key generation could be performed by CICA.
• An alternative is the submission of a new key generated by the user, for which the CA returns a new digital certificate.
Revocation Lists
• The list update rate is defined by the system administrator.
• Should be updated frequently.
• Can be obtained by anyone from the public EJBCA webpage.
Considerations
• Must be provided:
  • Webpage documentation for the user:
    • Certificate creation guides
    • Certificate revocation guides
  • Certification documentation:
    • Step-by-step user guide for common certification software, for example OpenPGP, OpenSSL, etc.
Thank you!
Questions?