Project Plan for an Institution Implementing PKI

 

By Mark Franklin, Dartmouth PKI Lab, last modified 4/19/2004

 

Anyone with responsibility for secure network computing at their institution should understand what PKI can offer and how to deploy it.  This document describes a series of steps, starting with the big picture and linking to documents with the details, for learning about, implementing, and deploying PKI on your campus.  It presents your options and helps you decide which to take, explains the benefits and costs of PKI, and provides extensive “how to” material.  Not all of this information is in this document itself; it links to more detailed materials in the Dartmouth PKI Lab’s Outreach web at www.dartmouth.edu/~deploypki.  You will not necessarily need to follow all of the steps below, and you may find you want to do some of them out of order or in parallel.

 

You may want to also read the “PKI Lite Recipe” document at http://stc.cis.brown.edu/~stc/Projects/Security/PKI/PKI-how.html.

 

1        Learn about PKI

PKI is a fairly complex topic, and getting an early overview of some of the theory and technologies behind it will serve you well.  On the other hand, most people learn best while doing, so don’t study PKI too long before you jump in and start using it.

1.1        Read PKI Lab’s EDUCAUSE Review article.

This EDUCAUSE Review article presents a very high level view of the need for PKI in Higher Education and why the time is ripe for widespread adoption of PKI.

1.2        Get a book.

There are a number of good books on PKI theory. Be sure to sample several before you choose one.  Then read the introductory section and skim other sections of interest.  You can refer back to this book as needed when you really need the details.

1.3        See our web at www.dartmouth.edu/~deploypki.

There is a wealth of information available here, including introduction to the elements of PKI and their purposes.

1.4        Look for us at conferences

The PKI Lab is conducting a campaign to encourage the deployment of PKI in Higher Education.  This campaign includes presentations at a number of events.

 

2        Pick your applications

As with any IT technology, PKI should provide real value to real users.  As you evaluate and deploy PKI, you should always focus on the applications it can support and enable.  Learning about applications of PKI is another on-going process, but getting an early overview of possibilities is a good idea.  You should also start to think about which of the applications will provide strong value and return on investment at your campus.

2.1        List of candidates

We have compiled a list of potential PKI applications for higher education with descriptions of each.

 

3        Evaluate applications

There is no substitute for actually running the applications so you can accurately evaluate their value, usability, cost to deploy, robustness, etc.  You or others on your team will need to spend some time configuring and running applications with PKI, conducting proofs of concept and pilot projects, comparing alternatives, and otherwise exercising possible PKI applications on your campus.  These evaluations may be very quick (one can try AOL AIM secured with PKI in a matter of minutes) or may be more involved (setting up for network service authentication requires server configuration).

3.1        Acquire and install application (if not done already)

In many cases, an application you already have can use PKI.  Many email readers have S/MIME built in.  Many browsers support client certificate authentication over SSL/TLS.  Advanced versions of Adobe Acrobat and Microsoft’s Office applications can sign documents.  Recent AOL AIM instant messenger client releases for Windows are PKI enabled.  Newer versions of Windows allow PKI (smartcard or token) logon.  You may only need to activate the PKI capabilities of an existing application.

 

In other cases, you will need to acquire additional client software or features for server software, configure network appliances (such as VPN concentrators or firewalls), acquire PKI-specific hardware (such as smartcards or tokens), add modules to servers (such as mod_ssl for Apache), etc.

 

The list of applications referenced above has links to information about what software they require and how to install and configure them.

3.2        Acquire test certificates

You may already have certificates suitable for your evaluation.  More likely, you will need to generate some.  These may include both server identity and end user certificates.  In the past, the “chicken and egg” scenario of needing certificates before being able to evaluate PKI has been an inhibitor of PKI deployment - setting up one’s own Certificate Authority is an expensive and time consuming operation to undertake before ever evaluating possible PKI applications.

 

Fortunately, you now have several options where you can easily get free certificates that are suitable for most application evaluations:

 

·       Georgia Tech’s excellent demo CA (http://democa.ns.gatech.edu/) by John Douglass makes generating end user certificates extremely quick and easy.  You can also apply for server identity certificates free of charge.

·       Thawte offers free commercial certificate services (www.thawte.com).  For free personal email certificates, visit https://www.thawte.com/html/COMMUNITY/personal/index.html.  For free SSL server identity certificates, visit https://www.thawte.com/ucgi/gothawte.cgi?a=w35250040567014000.

·       Ascertia (www.ascertia.com) offers another commercial trial service (http://www.ascertia.com/onlineCA/issuer/default.aspx) .

3.3        Configure and test application

Bear in mind that PKI is relatively new to many applications, and there are still rough edges.  Usability and interoperability aren’t always what they should be, but generally configuring the applications isn’t rocket science.  It is important for the user community to put these features through their paces, report problems to application suppliers, and demand improvements.  While many commercial products provide strong PKI support, don’t assume that open source software won’t.  In fact, Mozilla (and by extension Thunderbird and Firebird, since renamed Firefox) and Apache provide some of the best PKI application support available.

 

4        Plan, get buy-in from management, determine staffing/funding etc.

PKI is best approached by an institution as a long-term investment in IT middleware.  Short term ROI is not a strength of PKI; it is in the long run as the benefits snowball that PKI really shines.  Of course, you still want to start where the need is greatest and where you will make the most rapid progress for the least effort.  Choose your first steps carefully.

4.1        Educate management (risks & benefits)

PKI is not something IT staff can implement in a vacuum.  Management support is critical to ensure that PKI receives support long enough to reach the point of greater return than investment.  Establishing an institution-wide PKI is like making an institution-wide directory.  It takes careful planning, coordination of multiple constituencies and service organizations, good design, significant resources, and persistence.

 

Be sure your management understands not only the costs and requirements of PKI but also the benefits in the form of extra capabilities for users, avoidance of costly security incidents, and long-term efficiency gains for both IT staff and the entire user population.

 

See a <presentation outlining the business case for PKI link (NACUBO presentation not done yet)>.

 

See <case studies for other higher education institutions that have deployed PKI link (to net@EDU materials not published just yet)>.

4.2        Pay attention to policies

PKI is not just technology.  Equally important to a PKI deployment are the policies and procedures you establish for issuing certificates (e.g. how do you verify that certificate recipients really are who they claim to be?), revoking certificates (e.g. how often do you publish CRLs?  Under what circumstances do certificates get revoked, and what mechanisms ensure that they actually are?), escrowing private keys (certificates themselves are public; it is the private keys, and normally only encryption keys rather than signing keys, whose escrow would undermine non-repudiation, that may need to be escrowed so encrypted data stays recoverable), educating users, PKI-enabling applications, etc.  Depending on the situation, some of your decisions may have legal ramifications, so consulting your legal department may be in order.  Before you object that one would be crazy to implement PKI if it involves lawyers, consider that lawyers will definitely be involved if you have a HIPAA violation due to stray email, or a security incident in which a password database was stolen and some unknown number of social security numbers may have been leaked.

4.3        Use good project management

As with any non-trivial IT project, planning and organization will go a long way, but remember to balance this with being agile enough to adapt as you learn more about requirements and as new opportunities arise.

 

5        Decide outsource or in-house Certificate Authority

There are many options for deploying Certificate Authorities (CAs), and schools have succeeded with each of the approaches described below.

 

Commercial companies offer out-sourced CA services.  For a price, they will handle all of the logistics of issuing and managing certificates plus a portion of the Registration Authority (RA: validating identities before issuing certificates) responsibilities.  Outsourcing has the benefit that most commercial vendors already have their root certificates in the trusted root stores shipped with common browsers and mail clients, so the school does not have to distribute its own self-signed root certificate to every user application before those applications will accept the certificates it issues.  Commercial CA services tend to have pre-established CA and RA processes and policies, which can save a school from having to establish its own.  On the other hand, this can be a problem and/or incur extra expense if the pre-established processes and policies don’t match the school’s needs.

 

Institutions wishing to operate their own CA service in-house have multiple possible paths.  One dimension of choice is where they get the CA software: both commercial packages and open source implementations are available, or they can start with an open source crypto library and implement their own CA (OpenSSL is usually the choice in this case).  Another dimension of choice is whether the CA root certificate is self-signed or signed by a commercial or other inter-institutional CA (such as the former CREN CA or the future USHER (US Higher Education Root) CA).  Running an in-house CA avoids the outsourcing charges, but incurs the overhead of setting up and operating the CA, possibly the cost of the CA software, and perhaps hardware (such as a hardware security module) to store the CA’s private key securely, since compromise of that one key compromises every certificate the CA has issued.

 

6        Implement CA

This task will vary widely depending on your CA strategy.  If you choose to outsource CA services or to license commercial CA software, then you should get extensive assistance from your vendor.  Some open source CAs come with documentation about how to set up a CA, but you’re more on your own with these.

 

You will need to define your certificate profile(s) and your certificate practices.  See RFC 3280 (the Internet X.509 certificate and CRL profile, which superseded RFC 2459) for the gory details about certificate profiles.  An excellent starting point for your own certificate profiles and practices is the PKI Lite information produced by the Higher Education PKI Technical Advisory Group (HEPKI-TAG):

PKI Lite end entity profile

PKI Lite CA profile

PKI Lite policy and practices
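The in-house path of sections 5 and 6, the test certificates of section 3.2 and the revocation questions of section 4.2 can all be exercised end to end with nothing but the OpenSSL command line.  The script below is an added example written for this page; it is not Dartmouth’s code nor a PKI Lite artifact.  It builds a throwaway root CA with a CA profile (CA:TRUE, keyCertSign/cRLSign), issues a server certificate and an S/MIME user certificate against two narrow end-entity profiles, checks that a relying party trusting only that root accepts them, then revokes the user certificate, publishes a CRL, and shows that only a CRL-checking verifier rejects it.  The organization name, host name and email address are invented, and the profiles are illustrative rather than the HEPKI-TAG PKI Lite profiles.

```shell
#!/bin/sh
# Added example, not Dartmouth PKI Lab code: a throwaway OpenSSL test CA.
# Builds a root, issues server and S/MIME user certs against explicit
# profiles, verifies them, revokes one and publishes a CRL.  All names
# (Test Campus, pki.example.edu, user@example.edu) are invented.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# One config drives 'openssl req' (self-signed root) and 'openssl ca' (issuance,
# revocation, CRL).  CA:TRUE plus keyCertSign/cRLSign is what makes a CA cert.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_loose
[ policy_loose ]
organizationName = supplied
commonName       = supplied
emailAddress     = optional
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext
[ ca_dn ]
O  = Test Campus
CN = Test Campus CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:pki.example.edu
authorityKeyIdentifier = keyid:always
[ user_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
subjectAltName         = email:user@example.edu
authorityKeyIdentifier = keyid:always
EOF

make_ca() {
  mkdir -p newcerts; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null
}

# issue_cert NAME PROFILE SUBJECT: the subject makes key + CSR, the CA
# signs it and applies the named profile section from ca.cnf.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "$3" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -config ca.cnf -extensions "$2" -notext \
    -in "$1.csr" -out "$1.crt" 2>/dev/null
}

# Relying party trusting only the test root; the "OK" line is matched rather
# than the exit status because old openssl releases exit 0 on failure.
verify_cert() {
  openssl verify -CAfile ca.crt "$1" 2>/dev/null | grep -qx "$1: OK"
}

# Same relying party, but one that also consults the published CRL.
verify_cert_crl() {
  cat ca.crt ca.crl > trust_with_crl.pem
  openssl verify -crl_check -CAfile trust_with_crl.pem "$1" 2>/dev/null \
    | grep -qx "$1: OK"
}

has_ext() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

revoke_and_publish_crl() {
  openssl ca -config ca.cnf -revoke "$1" -crl_reason keyCompromise 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

make_ca
issue_cert server server_ext "/O=Test Campus/CN=pki.example.edu"
issue_cert user user_ext "/O=Test Campus/CN=Test User/emailAddress=user@example.edu"
verify_cert server.crt && echo "server.crt chains to the test root"
has_ext user.crt "E-mail Protection" && echo "user.crt carries the S/MIME profile"

# The user reports a lost token: revoke, publish a CRL, and compare what a
# CRL-checking relying party sees with one that never fetches the CRL.
revoke_and_publish_crl user.crt
verify_cert_crl server.crt && echo "server.crt: still OK with CRL checking"
verify_cert_crl user.crt || echo "user.crt: rejected, revoked"
verify_cert user.crt && echo "user.crt: still accepted by a verifier that ignores the CRL"
```

Run it with sh in any directory; it does all its work in a temporary directory it creates.  The last two lines are the point: a relying party that never fetches the CRL goes on accepting the revoked certificate, which is why the CRL publication interval asked about in section 4.2 is a policy decision with real consequences.  For a production CA the private key would live on protected hardware rather than in a plain file, as section 5 notes.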

 

7        Implement applications

This will be a series of deployments and upgrades to applications like the ones any IT shop is constantly undertaking and should be managed accordingly.  See helpful “how to” information specific to the PKI aspects of particular applications.


Dartmouth decided to implement PKI authentication first as an alternative to existing authentication mechanisms.  This allowed us to phase in PKI gradually so users could migrate when they were ready and in relatively small numbers at any given point in time.

 

8        Educate

Education is an important part of any PKI deployment.  Depending on the audience, the amount of time and attention you can get may be limited (for some reason, people don’t seem to want to spend a lot of time on security), so pick your message wisely.  Here are some thoughts on various constituencies.

8.1        Management

Get management on board beforehand.  As with any security technology, you are likely to get backlash from users who don’t appreciate the finer points of the tradeoffs between security and convenience.  Also, the costs and prioritization issues of deploying PKI may generate pushback from system administrators and others in your IT staff.  Having management understanding what you are doing and its value should help ensure your projects don’t get derailed by these issues.

8.2        System administrators and developers

These are the folks who will actually implement and maintain PKI, and they clearly need a detailed working knowledge of the technical side of PKI: certificates and their extensions, trust chains, revocation, and how to diagnose failures in each.  They too should learn about PKI per section 1.  They do not need in-depth knowledge of the cryptographic mathematics behind PKI.

8.3        Support staff

Your support staff needs an introduction to PKI and hands-on experience using it the way your end users will use it.  They should also meet the developers and administrators and know who to contact when users get stuck.  Dartmouth found that a one-hour hands-on training session is enough to get the support staff up to speed.

8.4        Users

Some sites find it useful to conduct user training sessions.  Others rely on web documentation alone.  Don’t try to educate your users about the technical details of PKI.  Instead focus only on the essentials they need to know in order to get going and on a few safe computing practices so they will manage their credentials responsibly.  Remember that for most users this topic is about as interesting as how to use the combination lock on their locker – they want to know only as much as they need in order to accomplish their goal (getting into the application or opening their locker).  See Dartmouth’s PKI user web for an example of user education materials.  Dartmouth chose not to provide training sessions for end users, and to date has enrolled, through self-service, over 300 students and 200 staff for PKI credentials with almost no support calls.

 

9        Deploy

Many different strategies are possible here.  Dartmouth opted to start with PKI authentication for widely used applications but with PKI as an optional alternative to already established authentication mechanisms.  Over time, we will phase out the older mechanisms in favor of PKI.  This is just one example - the possibilities are nearly limitless since PKI is a very flexible and adaptable technology.

 

10    Measure results, refine, implement more applications, and so on

As you know, maintaining applications is an on-going process, and there is always room for refinement.  PKI is the same.  Don’t try to solve all problems at once with your initial deployment.  Instead pick an achievable starting point and add to it incrementally, building on what works well and fixing what doesn’t.