EDB/PKI and Campus Wireless LAN Authentication
  EDB/PKI: http://web.db.tokushima-u.ac.jp/edb-manual/pki.html
  Wireless LAN: http://ldap.db.tokushima-u.ac.jp/wireless/
  E-mail: alex@ee.tokushima-u.ac.jp
  Id: itrc20th-20061005.tex,v 1.13 2006/10/02 04:32:50 alex Exp alex
  PDF: http://cms.db.tokushima-u.ac.jp/edb/guide/itrc20th-20061005.pdf
1. PKI (EDB/PKI)
  2004...
  (Single Sign On; SSO)
  (PKI) ( )
  Private PKI, Free Software
ITRC 20th Meeting (Oct. 5, 2006) T. Oie @ The University of Tokushima
1.1 (EDB)
  EDB: ( ) ( ) ()
1.2 EDB
1.3 EDB
  XML( ) / RDB 2
  EDB DNS (Domain Name System) (EDB/DNS)
    http://web.db.tokushima-u.ac.jp/assist/dns.html
  ( )
2. EDB/PKI
  EDB
  CA (Certificate Authority)
  RA (Registration Authority)
  X.509 (for ( )) (for )
  : OpenSSL
  (PKI) (EDB/PKI)
  http://web.db.tokushima-u.ac.jp/edb-manual/pki.html
2.1 EDB/PKI Policy
  Private PKI ( ) ( )
  1 1 : ( )
  :
2.2 X.509
  countryname (C):            JP
  stateorprovincename (ST):   Tokushima
  localityname (L):           Tokushima City
  organizationname (O):       The University of Tokushima
  organizationalunit (OU):    EDB
  Key size:                   2048 bits
  Validity:                   3650 days (10 years)
  Message Digest Algorithm:   SHA1 with RSA
  Unique Subject:             Yes
  CRL Distribution Point:     https://ca.db.tokushima-u.ac.jp/ca/cert.crl
  Version:                    X.509v3
2.3 ROOT
  ROOT ( )
  commonname (CN):   root-ca.db.tokushima-u.ac.jp
  KeyUsage:          Verify, Key Cert Sign, CRL Sign
  (CRL) CRL CRL 30 1 /
2.4
  Client (user) certificate
    commonname (CN):    S + ( : S10729)
    KeyUsage:           Encrypt, Verify, Wrap, Derive, Digital Signature, Non-Repudiation, KeyEncipherment
    ExtendedKeyUsage:   Client Authentication, Code Signing, Email Protection
  Server certificate
    commonname (CN):    FQDN ( : web.db.tokushima-u.ac.jp)
    KeyUsage:           Encrypt, Verify
    ExtendedKeyUsage:   Server Authentication
2.5 EDB/PKI
2.6 EDB
  Web...
  PKCS#12 (ROOT ) ( )
  PEM ( (CA) (RA) )
  http://web.db.tokushima-u.ac.jp/assist/authentication.html
2.7 (Web)
2.8 (Web)
2.9 PKI LDAP
  Host:             ldap.db.tokushima-u.ac.jp:389
  DN:               uid=commonname,ou=people,dc=tokushima-u,dc=ac,dc=jp
  uid:              commonname
  usercertificate:  X.509
  userpassword:     SSHA
  EDB
  Host:             web.db.tokushima-u.ac.jp:443
    https://web.db.tokushima-u.ac.jp/pki/ca/root.crt
    https://web.db.tokushima-u.ac.jp/pki/cn/commonname.crt
    https://web.db.tokushima-u.ac.jp/pki/cn/fqdn.of.server.crt
    https://ca.db.tokushima-u.ac.jp/ca/cert.crl
2.10 EDB (EDB/PKI)
  (DN): /C=JP/ST=Tokushima/L=Tokushima City/O=The University of Tokushima/OU=EDB/CN= S10729/emailAddress=alex@ee.tokushima-u.ac.jp
  Verify: Web, LDAP ( ), Kerberos ( )
  (CN): S10729
  : SSHA ( PKCS#1 OAEP EDB ; secret-keeper SSHA )
  : e-learning, ...
  EDB, EDB/PKI
2.11 EDB/PKI (as of September 2006)
  : 284 ( : 167, : 117)
  : 138 (: 1000)
  : 29
  Web ( e-learning, EDB/CMS, ...)
  LAN
2.12 EDB/PKI
  CA
  CA
  CA (e.g. UPKI)
  (authorization)
  OCSP (Online Certificate Status Protocol)
3. LAN
  2005...
  LAN (not WEP)
  LAN PC
  EDB/PKI EAP/TLS
  http://ldap.db.tokushima-u.ac.jp/wireless/
3.1 EDB/PKI LAN
3.2 EAP/PEAP
  MS-CHAPv2 (Challenge-Response)
  Samba/password ( ) ( )
3.3 LAN (RADIUS)
  : Intel Xeon 3.2GHz Dual 2
  : FreeRADIUS (OS; FreeBSD 5.x)
  IP:PORT
    radius1.db.tokushima-u.ac.jp [150.59.230.97]:1812
    radius2.db.tokushima-u.ac.jp [150.59.230.98]:1812
  150.59.0.0/16 ( )
  EAP/TLS ( ) ( )
  EAP/PEAP (MS-CHAPv2) ()
3.4 (AP)
  SSID:  tokushima-uwlan
  WEP:   WPA Enterprise (WPA-EAP), TKIP (Temporal Key Integrity Protocol)
  (PC)
  SSID:  tokushima-uwlan
  WPA/Enterprise (WPA-EAP)
  EAP/TLS ( ) ( )
  EAP/PEAP (MS-CHAPv2) ()
3.5 EAP/TLS
3.6 EAP/PEAP
3.7 ()
  : 40
  : 30 ( )
  http://ldap.db.tokushima-u.ac.jp/wireless/area.html
3.8 ( ) (as of September 5, 2006)
  4200 ( 700 / )
    EAP/TLS ( ):  1200 ( 30%)
    EAP/PEAP ( ): 3000 ( 70%)
  56
    EAP/TLS ( ):  22 ( 40%)
    EAP/PEAP ( ): 34 ( 60%)
3.9 LAN
  Authorization ( )
  AP CN (FreeRADIUS/Ver. 1.0.2) (CN, DN ) ( )
  WDS (Wireless Distribution System) (WPA)
  (TCP )
4.
  (Figure: wired LAN, wireless LAN, EDB Web Server, LDAP, EDB/DNS, RADIUS, EDB/PKI, EDB database)
5.
  (EDB/PKI)
  EDB/PKI LAN
  EDB/PKI LAN