X509 Web Authentication - PowerPoint PPT Presentation

About This Presentation
Title:

X509 Web Authentication

Description:

X509 Web Authentication From the perspective of security or An Introduction to Certificates. – PowerPoint PPT presentation

Number of Views:151
Avg rating:3.0/5.0
Slides: 21
Provided by: fna77

Transcript and Presenter's Notes

1
X509 Web Authentication
  • From the perspective of security or An
    Introduction to Certificates.

2
For the Impatient
  • Strategic Direction
  • User Certificates are good.
  • We should use them.
  • Should all Fermilab staff users know about
    certificates?
  • Yes!
  • What needs to be done?
  • User education
  • Improve browser support

3
Authentication
  • Identification of user
  • Kerberos is Fermilab's chosen authentication
    service
  • Certificates provide authentication services for
    Grid and Web
  • Authorization is permission to access and utilize
    a resource after authentication

4
X.509
  • Standard for Public Key Certificates
  • CCITT Recommendation X.509
  • Coupled with X.500 Naming Conventions
  • Part of Public Key Infrastructure (PKI)
  • Uses Asymmetric Encryption
  • Digital signatures
  • Expiration and Revocation Lists

5
Components of a Certificate
  • Distinguished Names of Issuer and Subject
  • /DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270
  • /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
  • Serial Number
  • Validity Interval (start and end dates)
  • Extensions
  • E-mail address, Subject type, Policy Information,
    etc.
  • Public key of the Subject
  • Signature to make tamper-evident

6
Public Key Encryption
  • Alice has published her public key and Bill has a
    copy.
  • Alice encrypts message with her private key, Bill
    (or anyone) can decrypt message with her public
    key
  • This message can be a digital signature that
    identifies the rest of the message as from Alice
  • Bill encrypts message with Alice's public key but
    only Alice can decrypt with her private key.
  • Computationally Intensive, often used to securely
    exchange Symmetric key for use in the remainder
    of the communication session

7
Digital Signature
  • Use to sign messages
  • Identify sender
  • Make message tamper-evident
  • Take hash function or checksum of message text
  • Encrypt the hash with private key and send with
    message
  • Receiver decrypts signature with public key and
    compares to his hash of message text

8
Certificate Authority
  • Certificates are issued by a Certificate
    Authority (CA)
  • Trust Chains
  • The "Root Certificates Update" sometimes seen when
    doing Windows Update is getting new CA
    certificates that establish this trust chain for
    well-known root CAs
  • Publish Certificate Revocation List (CRL)
  • Serial numbers of revoked certificates

9
Trust Chain and Root CA
...
10
Issue: Who to Trust?
  • Fermilab Kerberized-CA
  • tied to our infrastructure,
  • KCA uid=fred is uid=fred in CNAS, etc.
  • DOEGrid CA
  • Many Fermi people have certs
  • Is DOEGrid's John Doe our John Doe?
  • Other Grid CAs
  • Commercial CAs?

11
Fermilab Kerberos CA (KCA)
  • Get a certificate based on having a Kerberos
    principal
  • With a Kerberos ticket, KCA issues a certificate
    to the user valid for the maximum lifetime (7
    days) of the Kerberos ticket
  • Use kinit followed by kx509 under Linux, then
    typically import the certificate into the browser,
    or dokx509
  • Use Get-Cert.bat under Windows which
    automatically loads certificate into browser

12
Typical KCA Certificate Uses
  • Nessus scanner
  • Import into browser to access some Fermilab Web
    sites
  • Use to access Grid resources
  • Not generally useful for signing E-mail due to
    limited lifetime of the certificate

13
DOEGrids CA
  • Can issue personal or host/service certificates
    good for 1 year.
  • Home site is http://www.doegrids.org for
    instructions and other information
  • Request via their Web site
  • https://pki1.doegrids.org/
  • As Fermilab employee or visitor use FNAL as the
    affiliation on the request form
  • Keep your private key secret! Keep it offline!

14
Certificates and the Web
  • Web servers send a server certificate to your
    browser to establish secure communications
  • Secure Sockets Layer (SSL)
  • https instead of http in the URL
  • Remember those Root CA Certificates
  • Browser is authenticating the server in this case
  • Note: SSL only secures the Internet link, not the
    data resident at the E-commerce site!

15
Certificates and the Web
  • Personal certificate (or KCA certificate) can be
    loaded into browser and used to authenticate the
    user for access to some sites.
  • Some Fermilab Web sites use KCA certificates in
    this manner
  • Gate pass requests
  • Network blocking pages
  • Plone sites

16
Host/Service Certificates
  • Fermilab system administrators can get host or
    service certificates from DOEGrids for Grid
    resources or Web servers.
  • http://computing.fnal.gov/security/pki/Get-DOEGrids-Cert.html
  • You will need OpenSSH utility (see above web
    page)
  • Get KCA CA Certificates to authenticate KCA user
    certificates
  • http://computing.fnal.gov/security/pki/index.html

17
Configuring Webservers
  • Apache setup is well known:
    http://www.fnal.gov/docs/products/apache/SSLNotes.html
  • IIS: no current installations
  • Other applications often proxied
  • Zope/Plone
  • Oracle Application Server

18
Proxying Mechanics
  • Application listens on localhost (not
    reachable from outside the machine)
  • Apache server receives requests, and sends them
    on to the application
  • User certificate information (issuer, client id
    info) sent via headers or parameters
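What the proxied application should do with the forwarded certificate information, as an added example that is not part of the presentation (it also exercises the DN format from the "Components of a Certificate" slide and the "who to trust" question). The header names, the loopback-only check and the trusted-issuer list are assumptions that must match the Apache configuration in front of the application.

```python
import re

# Added example, not from the slides: the application behind the Apache proxy
# checking the identity headers Apache forwards. The header names and the
# trusted-issuer list are assumptions; they must match the Apache configuration.

TRUSTED_PROXIES = {"127.0.0.1", "::1"}   # the app listens on localhost, so only
                                         # the local Apache instance can reach it
TRUSTED_ISSUERS = {                      # "who to trust": accept only these CAs
    "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1",
}

def parse_dn(dn):
    """Parse an OpenSSL one-line DN, e.g.
    '/DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270', into
    {'DC': ['org', 'doegrids'], 'OU': ['People'], 'CN': [...]}.
    Repeated attributes are kept in order as a list. Note the one-line
    format is ambiguous if a value itself contains '/XX=' text."""
    parsed = {}
    for part in re.split(r"/(?=[A-Za-z]+=)", dn.strip("/")):
        key, _, value = part.partition("=")
        parsed.setdefault(key, []).append(value)
    return parsed

def client_identity(environ):
    """Return the authenticated user's CN for a WSGI-style request forwarded
    by the proxy, or None if the request must be rejected."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None   # not via the proxy: identity headers could be forged
    if environ.get("HTTP_X_SSL_CLIENT_VERIFY") != "SUCCESS":
        return None   # mod_ssl did not validate the client certificate chain
    if environ.get("HTTP_X_SSL_CLIENT_I_DN") not in TRUSTED_ISSUERS:
        return None   # valid chain, but not a CA we chose to trust
    cn = parse_dn(environ.get("HTTP_X_SSL_CLIENT_S_DN", "")).get("CN", [])
    return cn[0] if len(cn) == 1 else None   # exactly one CN expected
```

The proxy must overwrite, not merely add, these headers on every request (Apache's `RequestHeader set` does this), so that a value supplied by the remote client never reaches the application.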

19
Configuring Browsers
  • Web Documentation available on
    http://computing.fnal.gov/security/
  • How to get a personal certificate from the
    DOEGrids CA
  • How to get a Fermilab KCA certificate
  • Browsers don't deal well with multiple
    certificates
  • Perhaps hire consultant(s) to develop better
    certificate management plugins for popular
    browsers?

20
References
  • Planning for PKI
  • By Russ Housley and Tim Polk, published by Wiley
  • What is a Digital Signature?
  • http://www.youdzone.com/signature.html
  • OpenSSL Certificate Cookbook
  • http://www.pseudonym.org/ssl/ssl_cook.html
  • The PKI Page (lots of links)
  • http://www.pki-page.org/
  • The NIST PKI Program
  • http://csrc.nist.gov/pki/