Advertisement

CA-in-a-Box

  • Mark Franklin
  • Kevin Mitcham
  • Sean Smith
  • Joshua Stabiner
  • Omen Wild
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3545)

Abstract

An enterprise (such as an institute of higher education) wishing to deploy a PKI must choose between several options, all expensive and awkward. It might outsource certification to a third-party company; it might purchase CA software and appliances from a third-party company; it might try to build and maintain its own CA. In the latter two options, the enterprise faces the additional challenge of showing sufficiently safe practices to have its CA certified or cross-certified, for broader inter-operability.

This paper presents our research and development effort to address this problem. We use OpenCA to provide the basic functionality; we package it on a Linux installation on a bootable CD; we use the 1.1b TCG trusted platform module (standard on many desktop and laptop machines) to hold the private key; we also use the TPM to add assurance that the key can only be used when the system is correctly configured as the CA. This tool enables an enterprise to operate a CA possessing a degree of physical security and the ability to attest proper configuration to a remote certifier simply by booting a CD in a commodity machine. The code (and CD image) are all open-source, and will be available for free.

Keywords

Trusted Platform Module Cryptographic Operation Trust Computing Group Registration Authority Trust Computing Platform 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Covell, C., Bell, M.: OpenCA Guides for 0.9.2+, http://www.openca.org/openca/docs/online/
  2. 2.
    Douglass, J.: The Papyrus Project, Version 4 (2005), http://www.cren.net/crenca/crencapages/papyrus.html
  3. 3.
    Higher Education Bridge Certification Authority, http://www.educause.edu/hebca/
  4. 4.
    Hohnstadt, C.: XCA (2003), http://xca.sourceforge.net/
  5. 5.
    Chandra, P., Viega, J., Messier, M.: Network Security with OpenSSL. O’Reilly & Associates, Sebastopol (2002)Google Scholar
  6. 6.
    Knoppix linux, http://www.knoppix.net/
  7. 7.
    Marchesini, J., Smith, S.W., Wild, O., Barsamian, A., Stabiner, J.: Open-Source Applications of TCPA Hardware. In: 20th Annual Computer Security Applications Conference. IEEE Computer Society Press, Los Alamitos (2004)Google Scholar
  8. 8.
    OpenCA PKI Development Project, http://www.openca.org/openca/
  9. 9.
    OpenSSL: the Open Source toolkit for SSL/TLS, http://www.openssl.org/
  10. 10.
    Personal communicationGoogle Scholar
  11. 11.
    pyCA–X.509 CA (2003), http://www.pyca.de/
  12. 12.
    Ribbeck, B.R.: The PKI Working Group End User Deployment Matrix (2004), https://webspace.uth.tmc.edu/bribbeck/public/PKIWMATRIX.html
  13. 13.
    Trusted Computing Platform Alliance. Main Specification, Version 1.1b (February 2002), http://www.trustedcomputinggroup.org
  14. 14.
    Yi, S., Kravets, R.: MOCA:Mobile Certificate Authority for Wireless Ad Hoc Networks. In: 2nd Annual PKI Research Workshop (2002)Google Scholar
  15. 15.
    Zhou, L., Schneider, F.B., Van Renesse, R.: COCA: A Secure Distributed Online Certification Authority. ACM Transactions on Computer Systems 20(4), 329–368 (2002)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Mark Franklin
    • 1
  • Kevin Mitcham
    • 1
  • Sean Smith
    • 1
  • Joshua Stabiner
    • 1
  • Omen Wild
    • 1
  1. 1.Dartmouth PKI Lab and Department of Computer Science, Dartmouth CollegeHanoverUSA

Personalised recommendations