SlideShare uma empresa Scribd logo

Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI

Ives Laaf
Ives Laaf

This slides show a more complex rollout real world scenario in combination of usb-based crypto keys used in parallel under linux and windows and cross-browser on windows too! Good thing is - no passwords must be stored on any of the authentication systems - no passwords can be stolen! ;-) Slides just give an overview over the overall architecture but was really working - see pictures on last slides - where the same certificate from the usb key is shown under linux and windows - still neat. Somehow not much seems to have changed since 2004 if one looks around - could still be applied in todays environments - the basics and it's still not wide spread nowadays. Note: Slides are historical versions from 2004, so not all shown hardware, protocols and/or drivers/software may be available or recommended for usage anymore. Today I would prefere OpenXPKI which forked of OpenCA and is an fully independent version by now close to 1.0 release this or next year! Check it out!

Tecnologia
1 de 12
Baixar para ler offline
Fraunhofer-Institut für Digitale Medientechnologie IDMT IDMT VPN Remote Access Ives Steglich Munich, 12. Oct 2004
Seite 2 Overview Current Situation and Architecture Goals and Requirements for Improvement Proposed Soft- and Hardware Proposed Architecture How does the USB-Token work? Usageprocess Conclusions
Seite 3 Current Situation and Network Architecture Architecture Remote User CISCO VPN Client Firewall and VPN Gateway CISCO PIX Steps to establish an connection 1. VPN Tunnel initialization authenticated by shared secret 2. Access to internal Network authenticated by XAUTH trough tacacs+ Internet Internal LAN Remote User VPN Tunnel Firewall and VPN-Gateway Tacacs+ Server
Seite 4 Goals and Requirements for new Solution Main Goals 1. remove the shared secret for remote users 2. keep the available infrastructure 3. use smartcards 4. be open for other usages 5. integration into the local LDAP 6. use open source whenever possible Requirements from Goals and Architecture - introduce certificates and administration - setup an in-house pki - pki must speak SCEP - smartcards must be operable with linux and windows
Seite 5 Proposed Soft- and Hardware Software for PKI OpenCA Reasons: - understands SCEP - can publish certs in LDAP - open source - good cooperation with development team Hardware for Smartcards Aladdin eToken Pro Reasons: - works with Microsoft Crypto API - PKCS#11 library for linux available (but hard to get, not offically distributed) - enables OpenCA administration from Linux and Windows (Mozilla, IE)
Seite 6 Proposed Architecture Remote User OpenCA-Setup One Server with RA, PUB and SCEP Interfaces One Server with the CA (offline) Access to RA-Interface certificatebased stored at Smartcards PIX-Setup Remote Users Authentication with RSA Certs Client Setup VPN-Gateway identification with Certs Own Authentication with RSA Certs Internet Internal LAN Firewall and VPN-Gateway In-house PKI VPN Tunnel Tacacs+ Server RA/SCEP/PUB Interfaces Offline CA
Seite 7 How does the USB-Token work? General - uses proprietary format from Aladdin - therefore needs specific drivers - not PKCS#15 compatible (but can be used parallel if space is left on token PKCS#15 doesn’t works with Microsoft Crypto API) Linux - based on PC/SC-Lite - works with Mozilla through PKCS#11 - doesn’t work right now with OpenSSL engine - hotplugable Windows - works with Mozilla through PKCS#11 - works with Microsoft Crypto API - hotplugable PKCS#11 PC/SC Lite Mozilla Aladdin RTE OpenSSL ? Linux Linux USB-Hotplugsystem Windows CSP PKCS#11 MozillaIE VPN Client Aladdin RTE Windows USB-Subsystem
Seite 8 Usageprocess Token Initialization - has to be done at Linux - key generation with Linux+Windows - certificate Iistallation with Linux+Windows - only one Login for User and Admin possible Process - Two Options: - batch-orientied serverside-key-generation (p12 files import through Mozilla or Win-System) - token-based-key-generation (through users themselves) - Administration: - requests initiated through users - granted at RA through ‘Groupleaders’ - certs issued through CA-Operator
Seite 9 Conclusions • Authentication for Remote-VPN-Access • Option to skip one step during VPN-Login • Transparent usage with Linux and Windows • Encrypt, Decrypt and Sign E-Mails • Authentication for webbased services (PKI-Access and Administration) • Dezentralized Management • LDAP Storage and Access to Certificates • Still not perfect • Overview about smartcards providing PKCS#11 libs: http://jce.iaik.tugraz.at/products/14_PKCS11_Wrapper/ tested_products/index.php
Seite 10 Usage Examples
Seite 11
Seite 12 Thanks for your attention! Questions?

Recomendados

SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / Ope...
SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / Ope...SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / Ope...
SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / Ope...Ives Laaf
 
Rpki with rpki.net tools
Rpki with rpki.net toolsRpki with rpki.net tools
Rpki with rpki.net toolsMuhammad Moinur Rahman
 
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB ArchitectureToronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB ArchitectureAlexandra N. Martinez
 
[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?Worteks
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat Security Conference
 
Confluent Platform Security Components
Confluent Platform Security ComponentsConfluent Platform Security Components
Confluent Platform Security Componentsconfluent
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE
 
F5 BigIP LTM Initial, Build, Install and Licensing.
F5 BigIP LTM Initial, Build, Install and Licensing.F5 BigIP LTM Initial, Build, Install and Licensing.
F5 BigIP LTM Initial, Build, Install and Licensing.Kapil Sabharwal
 

Recomendados

SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / Ope...
SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / Ope...SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / Ope...
SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / Ope...Ives Laaf
 
Rpki with rpki.net tools
Rpki with rpki.net toolsRpki with rpki.net tools
Rpki with rpki.net toolsMuhammad Moinur Rahman
 
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB ArchitectureToronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB ArchitectureAlexandra N. Martinez
 
[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?Worteks
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat Security Conference
 
Confluent Platform Security Components
Confluent Platform Security ComponentsConfluent Platform Security Components
Confluent Platform Security Componentsconfluent
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE
 
F5 BigIP LTM Initial, Build, Install and Licensing.
F5 BigIP LTM Initial, Build, Install and Licensing.F5 BigIP LTM Initial, Build, Install and Licensing.
F5 BigIP LTM Initial, Build, Install and Licensing.Kapil Sabharwal
 
JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...PROIDEA
 
presentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfpresentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfssuserf0e32f
 
VPN
VPNVPN
VPNSwarup Kumar Mall
 
Vp ns
Vp nsVp ns
Vp nsSwarup Kumar Mall
 
NCS: NEtwork Control System Hands-on Labs
NCS: NEtwork Control System Hands-on Labs NCS: NEtwork Control System Hands-on Labs
NCS: NEtwork Control System Hands-on Labs Cisco Canada
 
[workshop] The Revolutionary WebRTC
[workshop] The Revolutionary WebRTC[workshop] The Revolutionary WebRTC
[workshop] The Revolutionary WebRTCGiacomo Vacca
 
LlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryLlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryDocker, Inc.
 
Hack the System_Fluence workshop 2
Hack the System_Fluence workshop 2Hack the System_Fluence workshop 2
Hack the System_Fluence workshop 2Vanessa Lošić
 
The next step from Microsoft - Vnext (Srdjan Poznic)
The next step from Microsoft - Vnext (Srdjan Poznic)The next step from Microsoft - Vnext (Srdjan Poznic)
The next step from Microsoft - Vnext (Srdjan Poznic)Geekstone
 
Hackerworkshop exercises
Hackerworkshop exercisesHackerworkshop exercises
Hackerworkshop exercisesHenrik Kramshøj
 
Docker and IBM Integration Bus
Docker and IBM Integration BusDocker and IBM Integration Bus
Docker and IBM Integration BusGeza Geleji
 
RemoteAdmin.pptx
RemoteAdmin.pptxRemoteAdmin.pptx
RemoteAdmin.pptxhoangdinhhanh88
 
DevOPS training - Day 1/2
DevOPS training - Day 1/2DevOPS training - Day 1/2
DevOPS training - Day 1/2Vincent Mercier
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Feedback on Big Compute & HPC on Windows Azure
Feedback on Big Compute & HPC on Windows AzureFeedback on Big Compute & HPC on Windows Azure
Feedback on Big Compute & HPC on Windows AzureANEO
 
Making Networking Apps Scream on Windows with DPDK
Making Networking Apps Scream on Windows with DPDKMaking Networking Apps Scream on Windows with DPDK
Making Networking Apps Scream on Windows with DPDKMichelle Holley
 
2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANL2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANLdgoodell
 
Generating Signatures for cyberattacks.
Generating Signatures for cyberattacks.Generating Signatures for cyberattacks.
Generating Signatures for cyberattacks.Shyamsundar Das
 
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxPractical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxSamsung Open Source Group
 
Eclipse Kura Shoot a-pi
Eclipse Kura Shoot a-piEclipse Kura Shoot a-pi
Eclipse Kura Shoot a-piEclipse Kura
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Mais conteúdo relacionado

Semelhante a Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI

JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...PROIDEA
 
presentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfpresentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfssuserf0e32f
 
NCS: NEtwork Control System Hands-on Labs
NCS: NEtwork Control System Hands-on Labs NCS: NEtwork Control System Hands-on Labs
NCS: NEtwork Control System Hands-on Labs Cisco Canada
 
[workshop] The Revolutionary WebRTC
[workshop] The Revolutionary WebRTC[workshop] The Revolutionary WebRTC
[workshop] The Revolutionary WebRTCGiacomo Vacca
 
LlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryLlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryDocker, Inc.
 
Hack the System_Fluence workshop 2
Hack the System_Fluence workshop 2Hack the System_Fluence workshop 2
Hack the System_Fluence workshop 2Vanessa Lošić
 
The next step from Microsoft - Vnext (Srdjan Poznic)
The next step from Microsoft - Vnext (Srdjan Poznic)The next step from Microsoft - Vnext (Srdjan Poznic)
The next step from Microsoft - Vnext (Srdjan Poznic)Geekstone
 
Docker and IBM Integration Bus
Docker and IBM Integration BusDocker and IBM Integration Bus
Docker and IBM Integration BusGeza Geleji
 
DevOPS training - Day 1/2
DevOPS training - Day 1/2DevOPS training - Day 1/2
DevOPS training - Day 1/2Vincent Mercier
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Feedback on Big Compute & HPC on Windows Azure
Feedback on Big Compute & HPC on Windows AzureFeedback on Big Compute & HPC on Windows Azure
Feedback on Big Compute & HPC on Windows AzureANEO
 
Making Networking Apps Scream on Windows with DPDK
Making Networking Apps Scream on Windows with DPDKMaking Networking Apps Scream on Windows with DPDK
Making Networking Apps Scream on Windows with DPDKMichelle Holley
 
2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANL2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANLdgoodell
 
Generating Signatures for cyberattacks.
Generating Signatures for cyberattacks.Generating Signatures for cyberattacks.
Generating Signatures for cyberattacks.Shyamsundar Das
 
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxPractical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxSamsung Open Source Group
 
Eclipse Kura Shoot a-pi
Eclipse Kura Shoot a-piEclipse Kura Shoot a-pi
Eclipse Kura Shoot a-piEclipse Kura
 

Semelhante a Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI (20)

JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...
 
presentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfpresentation_4102_1493726768.pdf
presentation_4102_1493726768.pdf
 
VPN
VPNVPN
VPN
 
Vp ns
Vp nsVp ns
Vp ns
 
NCS: NEtwork Control System Hands-on Labs
NCS: NEtwork Control System Hands-on Labs NCS: NEtwork Control System Hands-on Labs
NCS: NEtwork Control System Hands-on Labs
 
[workshop] The Revolutionary WebRTC
[workshop] The Revolutionary WebRTC[workshop] The Revolutionary WebRTC
[workshop] The Revolutionary WebRTC
 
LlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryLlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and Notary
 
Hack the System_Fluence workshop 2
Hack the System_Fluence workshop 2Hack the System_Fluence workshop 2
Hack the System_Fluence workshop 2
 
The next step from Microsoft - Vnext (Srdjan Poznic)
The next step from Microsoft - Vnext (Srdjan Poznic)The next step from Microsoft - Vnext (Srdjan Poznic)
The next step from Microsoft - Vnext (Srdjan Poznic)
 
Hackerworkshop exercises
Hackerworkshop exercisesHackerworkshop exercises
Hackerworkshop exercises
 
Docker and IBM Integration Bus
Docker and IBM Integration BusDocker and IBM Integration Bus
Docker and IBM Integration Bus
 
RemoteAdmin.pptx
RemoteAdmin.pptxRemoteAdmin.pptx
RemoteAdmin.pptx
 
DevOPS training - Day 1/2
DevOPS training - Day 1/2DevOPS training - Day 1/2
DevOPS training - Day 1/2
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Feedback on Big Compute & HPC on Windows Azure
Feedback on Big Compute & HPC on Windows AzureFeedback on Big Compute & HPC on Windows Azure
Feedback on Big Compute & HPC on Windows Azure
 
Making Networking Apps Scream on Windows with DPDK
Making Networking Apps Scream on Windows with DPDKMaking Networking Apps Scream on Windows with DPDK
Making Networking Apps Scream on Windows with DPDK
 
2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANL2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANL
 
Generating Signatures for cyberattacks.
Generating Signatures for cyberattacks.Generating Signatures for cyberattacks.
Generating Signatures for cyberattacks.
 
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxPractical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
 
Eclipse Kura Shoot a-pi
Eclipse Kura Shoot a-piEclipse Kura Shoot a-pi
Eclipse Kura Shoot a-pi
 

Último

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Último (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI

  • 1. Fraunhofer-Institut für Digitale Medientechnologie IDMT IDMT VPN Remote Access Ives Steglich Munich, 12. Oct 2004
  • 2. Seite 2 Overview Current Situation and Architecture Goals and Requirements for Improvement Proposed Soft- and Hardware Proposed Architecture How does the USB-Token work? Usageprocess Conclusions
  • 3. Seite 3 Current Situation and Network Architecture Architecture Remote User CISCO VPN Client Firewall and VPN Gateway CISCO PIX Steps to establish an connection 1. VPN Tunnel initialization authenticated by shared secret 2. Access to internal Network authenticated by XAUTH trough tacacs+ Internet Internal LAN Remote User VPN Tunnel Firewall and VPN-Gateway Tacacs+ Server
  • 4. Seite 4 Goals and Requirements for new Solution Main Goals 1. remove the shared secret for remote users 2. keep the available infrastructure 3. use smartcards 4. be open for other usages 5. integration into the local LDAP 6. use open source whenever possible Requirements from Goals and Architecture - introduce certificates and administration - setup an in-house pki - pki must speak SCEP - smartcards must be operable with linux and windows
  • 5. Seite 5 Proposed Soft- and Hardware Software for PKI OpenCA Reasons: - understands SCEP - can publish certs in LDAP - open source - good cooperation with development team Hardware for Smartcards Aladdin eToken Pro Reasons: - works with Microsoft Crypto API - PKCS#11 library for linux available (but hard to get, not offically distributed) - enables OpenCA administration from Linux and Windows (Mozilla, IE)
  • 6. Seite 6 Proposed Architecture Remote User OpenCA-Setup One Server with RA, PUB and SCEP Interfaces One Server with the CA (offline) Access to RA-Interface certificatebased stored at Smartcards PIX-Setup Remote Users Authentication with RSA Certs Client Setup VPN-Gateway identification with Certs Own Authentication with RSA Certs Internet Internal LAN Firewall and VPN-Gateway In-house PKI VPN Tunnel Tacacs+ Server RA/SCEP/PUB Interfaces Offline CA
  • 7. Seite 7 How does the USB-Token work? General - uses proprietary format from Aladdin - therefore needs specific drivers - not PKCS#15 compatible (but can be used parallel if space is left on token PKCS#15 doesn’t works with Microsoft Crypto API) Linux - based on PC/SC-Lite - works with Mozilla through PKCS#11 - doesn’t work right now with OpenSSL engine - hotplugable Windows - works with Mozilla through PKCS#11 - works with Microsoft Crypto API - hotplugable PKCS#11 PC/SC Lite Mozilla Aladdin RTE OpenSSL ? Linux Linux USB-Hotplugsystem Windows CSP PKCS#11 MozillaIE VPN Client Aladdin RTE Windows USB-Subsystem
  • 8. Seite 8 Usageprocess Token Initialization - has to be done at Linux - key generation with Linux+Windows - certificate Iistallation with Linux+Windows - only one Login for User and Admin possible Process - Two Options: - batch-orientied serverside-key-generation (p12 files import through Mozilla or Win-System) - token-based-key-generation (through users themselves) - Administration: - requests initiated through users - granted at RA through ‘Groupleaders’ - certs issued through CA-Operator
  • 9. Seite 9 Conclusions • Authentication for Remote-VPN-Access • Option to skip one step during VPN-Login • Transparent usage with Linux and Windows • Encrypt, Decrypt and Sign E-Mails • Authentication for webbased services (PKI-Access and Administration) • Dezentralized Management • LDAP Storage and Access to Certificates • Still not perfect • Overview about smartcards providing PKCS#11 libs: http://jce.iaik.tugraz.at/products/14_PKCS11_Wrapper/ tested_products/index.php
  • 12. Seite 12 Thanks for your attention! Questions?