UPKI: Inter-University Authentication and Authorization Platform for Japanese Cyber-Science Infrastructure
Yasuo OKABE, Academic Center for Computing and Media Studies, Kyoto University
[email protected]

Posted on 02-Jan-2016

TRANSCRIPT

Page 1

UPKI: Inter-University Authentication and Authorization Platform for Japanese Cyber-Science Infrastructure

Yasuo OKABE, Academic Center for Computing and Media Studies, Kyoto University
[email protected]

Page 2

Information Infrastructure Centers in the Seven Universities in JAPAN (map)

• Hokkaido University: Information Initiative Center (Sapporo)
• Tohoku University: Information Synergy Center (Sendai)
• University of Tokyo: Information Technology Center (Tokyo)
• Nagoya University: Information Technology Center (Nagoya)
• Kyoto University: Academic Center for Computing and Media Studies (Kyoto)
• Osaka University: Cybermedia Center (Osaka)
• Kyushu University: Computing and Communications Center (Fukuoka)
• National Institute of Informatics (NII) (Tokyo)

Page 3

Brief history of the federation among the Centers

1968-69  Established as supercomputer centers for nation-wide service
1981  Connected by commercial X.25 service
1986  Dedicated interuniversity X.25 network service was started by NACSIS (predecessor of NII)
1988  JAIN (Japan Academic Inter-university Network) project started
  • IP over X.25
1992  SINET, the academic Internet backbone service, was started by NACSIS
2002  Operation of SuperSINET was started
2003  NAREGI (National Research Grid Initiative) project started

Federated Identity Management (~2004)
  • Unified ID
  • Online subscription to secondary centers

Page 4

NII: Toward Cyber-Science Infrastructure
Next-generation Academic Information Infrastructure for Interuniversity Collaboration

(Diagram of the Cyber-Science Infrastructure layers.)

• Fundamental Resources for Academic and Research Activities
• Education and Training / Encouraging Young Talent
• NAREGI (National Research Grid Initiative)
• NII-REO (Repository of Electronic Journals and Online Publications)
• GeNii (Global Environment for Networked Intellectual Information)
• UPKI: Authentication and Authorization Platform
• SINET/SuperSINET: National Academic Internet Backbone
• Participating sites: Hokkaido University, Tohoku University, University of Tokyo, NII, Nagoya University, Kyoto University, Osaka University, Kyushu University
• Cooperation with Industry; International Collaboration

Page 5

UPKI: concept

Authentication and Authorization platform for Cyber-Science Infrastructure in Japan

Targets various applications
• SSO of Web services
• Network services: wireless LAN roaming, VPN, public IP phone/Web terminals
• Grid computing
• Utilization of PKI

Page 6

UPKI: project members
NII SINET Headquarters, Authentication and Authorization Working Group

• Yasuo Okabe, Kyoto University (chair)
• Noboru Sonehara, NII (vice chair)
• Yoshiaki Takai, Hokkaido University
• Hideaki Sone, Tohoku University
• Hiroyuki Sato, University of Tokyo
• Yasushi Hirano, Nagoya University
• Shinji Shimojo, Osaka University
• Takahiro Suzuki, Kyushu University
• Satoshi Matsuoka, Tokyo Institute of Technology
• Setsuya Kawabata, KEK

Page 7

Authentication for campus wireless LAN (diagram)

• Hokkaido Univ. campus PKI: CA, RA, registrar and repository. The user (Prof. A) registers; the CA issues a certificate for Prof. A containing the public key (Certif. Prof. A), and the private key is kept on a PKI token.
• Campus LAN: authentication and authorization at the campus public wireless AP by mutual authentication with the certificate.
• NII operates a Bridge CA; the campus CA and the Bridge CA are linked by policy mapping.
• Roaming service: when Prof. A is visiting another university, the same mutual authentication is performed at the visited campus.
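The roaming step on this slide relies on the visited campus building a certificate path from its own CA, through the Bridge CA's cross-certificates, to the visitor's certificate, with policy mapping translating each campus's policy identifiers along the way. The Python below is an added example, not UPKI or NAREGI code; the CA names, the policy labels and the mapping direction are constructed to illustrate the mechanism.

```python
"""Toy path building and policy mapping through a bridge CA, for the roaming
scenario on this slide. Added example, not UPKI or NAREGI code: certs are plain
records without signatures, and the policy labels are constructed, not UPKI OIDs."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: frozenset  # certificatePolicies, in the issuer's terms
    mappings: dict = field(default_factory=dict)  # policyMappings: issuer -> subject
# Constructed certs: each campus CA cross-certifies the NII bridge CA and the
# bridge CA cross-certifies each campus CA, each cross-cert carrying a mapping.
CERTS = [
    Cert("BridgeCA", "KyotoCA", frozenset({"kyoto.staff"}), {"kyoto.staff": "bridge.medium"}),
    Cert("HokkaidoCA", "BridgeCA", frozenset({"bridge.medium"}), {"bridge.medium": "hokkaido.staff"}),
    Cert("BridgeCA", "HokkaidoCA", frozenset({"hokkaido.staff"}), {"hokkaido.staff": "bridge.medium"}),
    Cert("KyotoCA", "BridgeCA", frozenset({"bridge.medium"}), {"bridge.medium": "kyoto.staff"}),
    Cert("ProfA", "HokkaidoCA", frozenset({"hokkaido.staff"})),       # staff: mapped policy
    Cert("StudentB", "HokkaidoCA", frozenset({"hokkaido.student"})),  # student: not mapped
]

def build_path(anchor, target, certs=CERTS):
    """Depth-first path discovery from a trust anchor CA name to the target
    subject; returns certs ordered anchor side first, or None."""
    def walk(issuer, seen):
        for c in certs:
            if c.issuer != issuer or c.subject in seen:  # 'seen' breaks cross-cert loops
                continue
            if c.subject == target:
                return [c]
            rest = walk(c.subject, seen | {c.subject})
            if rest:
                return [c] + rest
        return None
    return walk(anchor, {anchor})

def validate_policy(path, initial_policy):
    """Simplified RFC 5280 policy processing: the relying party's policy must
    appear in each cert and is translated by each cross-cert's mappings."""
    expected = {initial_policy}
    for cert in path:
        expected &= cert.policies
        if not expected:
            return False
        expected = {cert.mappings.get(p, p) for p in expected}
    return True

def authorize_roaming(visited_ca, user, required_policy):
    """Decision of the visited campus's wireless AP for a roaming user."""
    path = build_path(visited_ca, user)
    return path is not None and validate_policy(path, required_policy)
```

A Kyoto AP that only accepts its staff policy admits Prof. A because the staff policies are mapped through the bridge, while Student B's unmapped policy is rejected even though a path to the certificate exists.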

Page 8

UPKI: requirements

Scalability
• up to 800 universities in Japan
• A centralized system will never work
• Federated ID management is indispensable

Security
• against so many cyber attacks and increasing physical attacks

Privacy
• Compliant with the law of privacy protection in Japan, enforced since April 2005

Mobility
• Both students and professors may visit other universities

Cost
• National universities have become independent agencies since 2004

Page 9

UPKI: basic idea

Deployment of Grid/PKI middleware for national academic AA infrastructure
• Management of faculty members, administrative staff and students
• Virtual Organizations (VO) like committees, research groups or academic societies should be supported

Targets all of
• Educational activities like E-learning
• Administrative work like exchange of credits among universities
• Research activities like Grid computing
• Other networking services like WLAN roaming
and a single infrastructure is used by all applications

AA based on Federated Identity Management is the key
• PKI solves some authentication issues, but not all
• PKI itself has many problems in deployment

Page 10

NAREGI: National Research Grid Initiative
http://www.naregi.org/
Collaboration projects among industry, the academic sector and the government.

Page 11

NAREGI Grid Middleware stack
http://www.naregi.org/concept/index_e.html#05

Page 12

NAREGI CA
• A full-fledged CA (Certificate Authority) software for PKI
• Originally developed for Grid computing, but can be used for general purposes
• Free open source software; Version 1.0.1 is available at the download site: http://www.naregi.org/download/

Page 13

Comparison among CA softwares

Product name | Issue of Certif. | CRL periodical | LDAP | HSM | Multiple CA | Profile management | HW token | Operator | Logging
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
NAREGI CA | file, bulk, WEB, LCMP | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○
OpenSSL | file | × | × | × | ○ | × | × | × | ×
Microsoft Certificate Server | WEB, LDAP | ○ | △ (Active Directory only) | △ (Domain Controller only) | × | △ (Domain Controller only) | ○ | × | △ (Event logging)
Entrust Authority (commercial CA) | CMP, bulk, LDAP, WEB, SCEP | ○ | ○ | ○ | × | ○ | ○ | ○ | ○

○: available, ×: not available, △: some restriction

Page 14

Case study: The Consortium of Universities in Kyoto
http://www.consortium.or.jp/

• Consortium of 50 universities in Kyoto: 3 national, 2 prefectural, 2 municipal, 43 private
• Most of them are in the central area of Kyoto City

Activities
• Shared lecture rooms near JR Kyoto Shinkansen station: classes for ordinary students, evening classes and classes for graduated adults
• Open Web terminals, WLAN services
• Exchange of credits among universities, in a very conventional manner

How will academic AAI help them?

Page 15

UPKI: issues

How various services can be provided on a single AA infrastructure
• Web services
• Grid computing
• Network services

Existing works
• GridShib: Shibboleth for non-web-based applications
• eduroam campus wireless roaming service architecture
• EGEE multi-VO support and delegation via MyProxy
• E-authentication by the U.S. government
• GPKI, LGPKI and JPKI for Japanese e-government

How can we learn from them, and how can we collaborate with them?

Page 16

Summary

• The UPKI national academic authentication and authorization infrastructure project has just started.
• Conducted by NII and the information infrastructure centers in 7 universities
• As a basis of CSI (Cyber Science Infrastructure), the next generation of SINET/SuperSINET
• Actually, federated identity management is unavoidable even in a (big) university
• And political issues also exist
• We have started later, so we have some advantage
• International federation/collaboration is a very important issue.