Project Status Report for the



Download 152.32 Kb.
Page5/9
Date16.07.2017
Size152.32 Kb.
#23461
1   2   3   4   5   6   7   8   9

2.4Outreach


The team has worked on a number of activities to disseminate and share current work, and we are engaged as co-workers on a number of national projects. Dartmouth continues to participate in the Internet2 HEPKI TAG, PAG, S/MIME groups and Shibboleth pilot project. Mr. Brentrup is co-chair of the S/MIME group which worked with a number of institutions to explore using S/MIME. Some of them are developing local PKI installations.

The group has published as much information as possible on the PKI lab web site http://www.dartmouth.edu/~pkilab/, and the work above is documented there. The site makes available:



  • end user documentation,

  • notes for support staff,

  • notes for application developers,

  • research reports, and

  • papers and slide presentations

    There are also links to other useful sites and many PKI vendors.





Members of the lab are participating with the Chandler project, specifically regarding security. A Chandler team member, their acting head of security development, visited Dartmouth 17 March 2003 to discuss security issues, implications for trusted operations between peers, and suggested possible technologies to employ. We are continuing our advisory role directly and through CSG.

2.4.1Papers and Presentations


PKI Lab members made presentations at the Educause and Internet2 conferences. We presented refereed papers in highly competitive security conferences, and published in the archival proceedings. Prof. Smith chaired the 1st Annual PKI Research Conference; Dartmouth hosts the archival web site at http://www.cs.dartmouth.edu/~pki02/. Prof. Smith also served on the program committee for the 2nd conference to be held in April 2003; he also is guest-editing a special issue of the ACM Transactions on Information and System Security on PKI.

Invited talks:


  • J. Marchesini. “Keyjacking: Risks of the Current Client-side Infrastructure.” 2nd Annual PKI Research Workshop. Gaithersburg. April 2003.

  • A. Iliev. “Privacy-Enhanced Credential Services.” 2nd Annual PKI Research Workshop. Gaithersburg. April 2003.

  • M. Zhao. “Work-in-Progress: Efficient Security for BGP Route Announcements.” 2nd Annual PKI Research Workshop. Gaithersburg. April 2003.

  • S.W. Smith. “Work-in-Progress: The Happy Fun Anonymizer (still legal in 46 states).” 2nd Annual PKI Research Workshop. Gaithersburg. April 2003.

  • S.W. Smith. “Effective PKI Requires Effective HCI.” ACM/CHI2003 Workshop on HCI and Security Systems. Fort Lauderdale, April 2003.

  • S.W. Smith. “Before Palladium: Building and Using Secure Coprocessors in the Real World.” Princeton University, Computer Engineering. March 2003.

  • R. Brentrup. “Dartmouth PKI Lab.” Fed-Ed Meeting. December 2002.

  • J. Marchesini. “Virtual Hierarchies: An Architecture for Building and Maintaining Efficient and Resilient Trust Chains.” NORDSEC, Stockholm. November 2002.

  • S.W. Smith. “Outbound Authentication for Programmable Secure Coprocessors.” European Symposium on Research in Computer Security. Zurich. October 2002.

  • R. Brentrup. “Developing and Deploying a PKI for Academia.” Educause. Atlanta. October 2002.

  • K. Kain. “Digital Signatures and Electronic Documents: A Cautionary Tale.” IFIP Conference on Communications and Multimedia Security. Slovenia. September 2002.

  • E. Ye. “Trusted Paths for Browsers.” USENIX Security, San Francisco. August 2002.

  • R. Brentrup. “Dartmouth College PKI Lab Update.” Net@EDU PKI Summit - Snowmass, Colorado. August 2002.

  • S.W. Smith. “Toward End-to-End Trust.” Sun Microsystems, Burlington MA, May 2002.

  • S.W. Smith. “Work-in-Progress: Way Up North.” 1st Annual PKI Research Workshop, Gaithersburg. April 2002.

  • A. Iliev. “Prototyping an Armored Data Vault: Rights Management on Big Brother's Computer.” PET2002, San Francisco. April 2002.

  • S.W. Smith. “Missing Pieces in End-to-End Trust.” George Mason University, Fairfax. March 2002.

  • S.W. Smith. “Information Security.” National Institute of Justice. Arlington, VA. February 2002.

Refereed Papers:


  • J. Marchesini, S.W. Smith, M. Zhao. “Keyjacking: Risks of the Current Client-side Infrastructure.” Proceedings of the 2nd Annual PKI Research Workshop. NIST, April 2003 (to appear).

  • A. Iliev, S.W. Smith. “Privacy-Enhanced Credential Services.” Proceedings of the 2nd Annual PKI Research Workshop. NIST, April 2003 (to appear).

  • J. Marchesini, S.W. Smith. “Virtual Hierarchies: An Architecture for Building and Maintaining Efficient and Resilient Trust Chains.” Proceedings of the 7th Nordic Workshop on Secure IT Systems---NORDSEC 2002. Karlstad University Studies. November 2002.

  • S.W. Smith. “Outbound Authentication for Programmable Secure Coprocessors.” Computer Security---ESORICS 2002. Springer-Verlag LNCS 2502. Pp. 72-89. October 2002.

  • K. Kain, S.W. Smith, R. Asokan. “Digital Signatures and Electronic Documents: A Cautionary Tale.” Advanced Communications and Multimedia Security. Kluwer Academic Publishers. Pp. 293-307. September 2002.

  • E. Ye, S.W. Smith. “Trusted Paths for Browsers.” Proceedings of the 11th USENIX Security Symposium. August 2002.

  • A. Iliev, S.W. Smith. “Prototyping an Armored Data Vault: Rights Management on Big Brother's Computer.” Privacy-Enhancing Technology 2002. Springer-Verlag LNCS 2482. April 2002.

Columns and departments:


  • S.W. Smith. “Fairy Dust, Secrets and the Real World.” IEEE Security and Privacy. 1:89-93. Jan/Feb 2003.

  • S.W. Smith. “Humans in the Loop: Human-computer interaction and Security” IEEE Security and Privacy. May/June 2003 (to appear).

  • R. Brentrup. “Public Key Cryptography Demystified.” Syllabus. May 1, 2003.

  • J. Boettcher, R. Brentrup, J. Douglass. “Digital Certificates: Coming of Age” Educause Review. Jan/Feb 2003.

Technical reports and theses:


  • Y. Ali, Master's thesis. Flexible and Scalable Public Key Security for SSH. 2003. (A revised, abridged version appears as Computer Science Technical Report TR2003-441, Dartmouth College.)

  • D.M. Nicol, S.W. Smith, M. Zhao. Efficient Security for BGP Route Announcements. Computer Science Technical Report TR2003-440. Dartmouth College. February 2003.

  • M. Barreno, senior honors thesis. The Future of Cryptography under Quantum Computers. 2002.

  • E. Ye, Master's thesis. Building Trusted Paths for Web Browsers. 2002.

  • S. Agrawal, Master's thesis. Integrating Fair-Use with Shibboleth.

  • K. Kain, Master's thesis. Risks of Electronic Documents and Digital Signatures.

  • Dan Kang, senior honors thesis. Authenticating Humans via Untrusted Clients.

  • S. Nazareth, Master's thesis. Using SDSI-SPKI for Distributed Attribute Release Policies in Shibboleth.

  • Mindy Pereira, senior honors thesis. A Hardened S/MIME Gateway: Usability and Trust.

  • Paul Seligman, senior honors thesis. Using Machine Learning to Detect and Suppress Fraud in JSTOR.

  • Gabriel Vanrenen, senior honors thesis. Keypair Revocation in Distributed Systems.

2.4.2External Partners


In March 2003 the deployment team started regular meetings with a PKI project team at the University of Wisconsin-Madison using video conferencing. We are also identifying partners from other schools with whom we can collaborate to deploy similar infrastructure and applications at their institutions. We visited Cornell to meet with members of their technical staff about Dartmouth’s experience with PKI and to provide a general presentation. Visits to the University of Wisconsin, Yale, Brown, Stanford, Columbia, and Princeton are either planned or under consideration.

JSTOR pilot


During the summer of 2002, Dartmouth participated in the CREN/JSTOR pilot and was able to make use of the JSTOR system through PKI client certificate authentication. The PKI Lab obtained a CREN signed certificate for Dartmouth College and chaired the group of five institutions participating in the JSTOR access pilot.

At Dartmouth, Library staff enrolled in the PKI and used their personal certificates to obtain access to the JSTOR system. The Lab developed some step by step instructions which the participants successfully used to enroll in the PKI and use their keys to access the JSTOR system. This project was demonstrated at the Educause session from the GIT network.


HEBCA


The team has been active with the Educause Net@Edu group, which led to Dartmouth’s involvement in the HEBCA BID. Dartmouth leads the Business development sub-group and is deeply involved in the Operations planning. As part of the NIH-HEBCA signature pilot, the team worked out the procedures for cross-certifying the Sun CA with the bridge and contributed to the “cookbook” being developed for other schools to follow.

On 31 January 2002 under the auspices of EDUCAUSE, the National Institutes of Health (NIH), and the Federal Public Key Infrastructure (PKI) Steering Committee, a Higher Education Bridge Certificate Authority was successfully cross-certified with the FBCA and three schools test-submitted NIH proposals <http://www.educause.edu/news/2002/01/hebca.html>: the University of Alabama at Birmingham, the University of Wisconsin–Madison, and Dartmouth College. This project showed the viability of using campus-based PKI credentials to digitally sign grant applications using a test-mode HEBCA cross-certified with the FBCA. University participants cross-certified with the HEBCA. Electronic signatures on grant applications submitted via e-mail to NIH from the different universities were verified at NIH. This project proved quite successful and has paved the way for a broader set of applications requiring interoperable PKI environments. This project was awarded an “E-Gov Best-of-the-Best” award in 2002, and was widely discussed in the federal PKI Steering Committee, the federal CIO Council, MAGIC, and other bodies planning for middleware futures. The FBCA plans to support continued development of bridge aware applications.


Our work with the JSTOR pilot and the Shibboleth pilot have further demonstrated the need for Inter-institutional PKI. There is a need for shared trust anchors to enable these types of projects. The HEBCA may become the center of many of these projects.

In the summer of 2002 EDUCAUSE created a group charged with building a production HEBCA <http://www.educause.edu/hebca/>. Dubbed the HEBCA Board of Instantiation and Development the group consists of invited technical and administrative IT professionals from Dartmouth, Duke, EDUCAUSE/I2, U Colorado, Penn, U Texas System, U California System, U Virginia, and U Wisconsin. The BID issued an RFI to move the creation of an operational production HEBCA. Submitting a response, Dartmouth recused itself from the BID during RFI deliberations, and was selected by the BID to work with the EDUCAUSE board and management to create a HEBCA. EDUCAUSE has informally committed to provide $100K to $200K per year for three years, and we are seeking funding from other sources such as NSF and I3P for the balance of the $500K per year for the three years Dartmouth will need to bootstrap the HEBCA here.


Shibboleth Pilot


The PKI Lab and the Dartmouth Library submitted a proposal to be included in the Shibboleth project pilot group which was accepted in August 2002. The Library was interested in participating because of interest by the Digital Library Federation and because they have been customers of the vendors also participating in the Shibboleth pilot. Dartmouth worked with the v0.7 release and provided some feedback on setup problems. We successfully installed the v0.8 version of Shibboleth and connected to the Internet2 test target. Dartmouth paired with EBSCO to test services, but this has been on hold pending the release of v1.0. EBSCO could only run v0.7 and Dartmouth could only run v0.8. The incompatibilities are to be fixed in the new release. In March 2003, the PKI Lab set up a Handle Server that accepts authentication using X.509 PKI certificates. A subgroup of Shibboleth users interested in client-side PKI formed to explore this area. In May 2003, the Lab published a guide for PKI enabling a Shibboleth Handle Server. This documentation will be included in the next system release. The Lab also provided input for a dual PKI and LDAP authentication module developed by Wisconsin. These developments are now being shared with the entire group of Shibboleth pilot participants (originally 12 schools and 6 vendors).


Internet2 S/MIME Group

In February 2002 Internet2 recruited a group of 15 schools interested in working on S/MIME email. The group was co-chaired by Jim Jokl at UVa and Bob Brentrup at Dartmouth. This group held a series of conference calls from February until October 2002 to explore the infrastructure needed for S/MIME installations. The group pulled together documentation on available S/MIME enabled clients and conducted some compatibility, and the participants shared information on sources of certificates and Certificate Authority systems. The group met in person at the I2 Spring meeting and developed ideas for S/MIME enabled applications. It posted information on the HEPKI web site. The S/MIME group suspended operations due the need for further progress on local CA installations and lack of available time by many participants. This group will probably be restarted in Summer 2003.


HEPKI TAG


The HEPKI TAG group has met periodically by phone conference since May 2000 with Dartmouth’s PKI Lab as an active participant. The group discusses technical issues related to PKI deployments and applications. Some of the topics have included: Open Source CA software, Interactions with directories, Client customization issues, Validity periods, Technical issues in cross-certification and Inter-institutional test beds. Documents produced by the group and minutes of the calls are posted on the HEPKI web site.

Download 152.32 Kb.

Share with your friends:
1   2   3   4   5   6   7   8   9




The database is protected by copyright ©ininet.org 2024
send message

    Main page