1. PKI (EDB/PKI) (Single Sign On; SSO) (PKI) ( ) Private PKI, Free Software ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokush

Size: px

Start display at page:

Download "1. PKI (EDB/PKI) (Single Sign On; SSO) (PKI) ( ) Private PKI, Free Software ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokush"

くにひとながだき
5 years ago
Views:

1 PKI LAN EDB/PKI and Campus Wireless LAN Authentication EDB/PKI Id: itrc20th tex,v /10/02 04:32:50 alex Exp alex

2 1. PKI (EDB/PKI) (Single Sign On; SSO) (PKI) ( ) Private PKI, Free Software ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 2

3 1.1 (EDB) EDB: ( ) ( ) () ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 3

4 1.2 EDB EDB ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 4

5 1.3 EDB XML( ) / RDB 2 EDB DNS (Domain Name System) (EDB/DNS) ( ( ) ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 5

6 2. EDB/PKI EDB CA (Certificate Authority) RA (Registration Authority) X.509 (for ( )) (for ) : OpenSSL (PKI) (EDB/PKI) ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 6

7 2.1 EDB/PKI Policy Private PKI ( ) ( ) 1 1 : ( ) : ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 7

8 2.2 X.509 countryname (C) stateorprovincename (ST) localityname (L) organizationname (O) organizationalunit (OU) Message Digest Algorithm Unique Subject CRL Distribution Point X.509v3 JP Tokushima Tokushima City The University of Tokushima EDB 2048 bits 3650 days (10 ) SHA1 with RSA Yes ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 8

9 2.3 ROOT ROOT ( ) commonname (CN) KeyUsage root-ca.db.tokushima-u.ac.jp Verify, Key Cert Sign, CRL Sign (CRL) CRL CRL 30 1 / ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 9

10 2.4 commonname (CN) S + ( : S10729) KeyUsage Encrypt, Verify, Wrap, Derive, Digital Signature, Non-Repudiation, KeyEncipherment ExtendedKeyUsage Client Authentication, Code Signing, Protection commonname (CN) FQDN ( : web.db.tokushima-u.ac.jp) KeyUsage Encrypt, Verify ExtendedKeyUsage Server Authentication ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 10

11 2.5 EDB/PKI ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 11

12 2.6 EDB Web... PKCS#12 (ROOT ) ( ) PEM ( (CA) (RA) ) ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 12

13 2.7 (Web) ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 13

14 2.8 (Web) ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 14

15 2.9 PKI LDAP : ldap.db.tokushima-u.ac.jp:389 DN: uid=commonname,ou=people,dc=tokushima-u,dc=ac,dc=jp uid: commonname usercertificate: X.509 userpassword: SSHA EDB : web.db.tokushima-u.ac.jp: ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 15

16 2.10 EDB (EDB/PKI) (DN) : /C=JP/ST=Tokushima/L=Tokushima City/O=The University of Tokushima/OU=EDB/CN= S10729/ Address=alex@ee.tokushima-u.ac.jp Verify Web LDAP ( ), Kerberos ( ) (CN) : S10729 : SSHA ( PKCS#1 OAEP EDB ; secret-keeper SSHA ) : e-learning,... EDB, EDB/PKI ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 16

17 2.11 EDB/PKI ) : 284 ( : 167 : 117 ) : 138 (: 1000 ) : 29 Web ( e-learning EDB/CMS,...) LAN ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 17

18 2.12 EDB/PKI CA CA CA (e.g. UPKI) (authorization) OCSP (Online Certificate Status Protocol) ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 18

19 3. LAN LAN (not WEP) LAN PC EDB/PKI EAP/TLS ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 19

20 3.1 EDB/PKI LAN ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 20

21 3.2 EAP/PEAP MS-CHAPv2 (Challenge-Response) Samba/password ( ) ( ) ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 21

22 3.3 LAN (RADIUS) : Intel Xeon 3.2GHz Dual 2 : FreeRADIUS (OS; FreeBSD 5.x) IP:PORT radius1.db.tokushima-u.ac.jp [ ]:1812 radius2.db.tokushima-u.ac.jp [ ]: /16 ( ) EAP/TLS ( ) ( ) EAP/PEAP (MS-CHAPv2) () ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 22

23 3.4 (AP) SSID WEP tokushima-uwlan WPA Enterprise (WPA-EAP) TKIP (Temporal Key Integrity Protocol) (PC) SSID tokushima-uwlan WPA/Enterprise (WPA-EAP) EAP/TLS ( ) ( ) EAP/PEAP (MS-CHAPv2) () ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 23

24 3.5 EAP/TLS ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 24

25 3.6 EAP/PEAP ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 25

3.7 () : 40 : 30 ( ) http://ldap.db.tokushima-u.ac.jp/wireless/area.

26 3.7 () : 40 : 30 ( ) ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 26

27 3.8 ( ) (@ ) 4200 ( 700 / ) EAP/TLS ( ) : 1200 ( 30%) EAP/PEAP ( ) : 3000 ( 70%) 56 EAP/TLS ( ) : 22 ( 40%) EAP/PEAP ( ) : 34 ( 60%) ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 27

28 3.9 LAN Authorization ( ) AP CN (FreeRADIUS/Ver ) (CN, DN ) ( ) WDS (Wireless Distribution System) (WPA) (TCP ) ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 28

29 4. wired LAN wireless LAN EDB Web Server (LDAP) EDB/DNS (RADIUS) EDB/PKI ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 29 EDB database

30 5. (EDB/PKI) EDB/PKI LAN EDB/PKI LAN ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokushima 30

/02/ /09/ /05/ /02/ CA /11/09 OCSP SubjectAltName /12/02 SECOM Passport for Web SR

/02/ /09/ /05/ /02/ CA /11/09 OCSP SubjectAltName /12/02 SECOM Passport for Web SR for Web SR Certificate Policy Version 2.50 2017 5 23 1.00 2008/02/25 1.10 2008/09/19 1.20 2009/05/13 5 1.30 2012/02/15 5.6 CA 1.40 2012/11/09 OCSP SubjectAltName 2.00 2013/12/02 SECOM Passport for Web