Page 1: 2015/6/21 UPKI project update. Yasuo Okabe, Academic Center for Computing and Media Studies, Kyoto University.

UPKI project update

Yasuo Okabe, Academic Center for Computing and Media Studies, Kyoto University

Page 2

UPKI: Inter-University Authentication and Authorization Platform for CSI

• Conducted by NII and the information infrastructure centers in 7 universities
• Supported by the Ministry of Education, Science and Technology

[Figure: three campus AAIs (Univ. A, Univ. B, Univ. C) connected through the UPKI common specification. Labels: Univ. A access point, Univ. B access point, Univ. B professor, Univ. B staff, Univ. C electronic content, Univ. C administrative system, wireless LAN roaming.]

Page 3 (NII International Workshop on Cyber Science Infrastructure)

UPKI: concept

Targets various applications:
• SSO of Web services
• E-mail digital signature/encryption by S/MIME
• Network services: wireless LAN roaming and VPN
• Grid computing

Utilization of PKI:
• "U" stands for University/Universal/Ubiquitous
• Deployment of Grid/PKI middleware for a national academic AA infrastructure

Page 4

Planned Schedule of UPKI (2006 FY, 2007 FY, 2008 FY, 2009 FY and later)

Developing, deploying and fostering new applications.

UPKI Initiative: founded in 2006 FY; gathering common interests, opinions and feedback; interoperability checks, knowledge transfer, publicity, tutorial works, etc.

UPKI common specification: Campus PKI specification and model design (outsource model), followed by a Campus PKI CP/CPS template, then the insource model and the multi-university cooperative model.

CA software: development of the CA software package, then distribution and support for its deployment.

Applications: wireless LAN roaming, single sign-on to Web services, S/MIME; deployment of campus PKI at each university, connecting universities, federation of applications, etc.

Page 5

Ongoing Subprojects

• Designing common CP/CPS, profiles, etc.
• Development and deployment of "NAREGI-CA" (Certificate Authority middleware)
• PKI-based applications:
  • Inter-university Web SSO: SAML 2.0/Shibboleth + PKI
  • Wireless LAN roaming: 802.1X, eduroam compatible (www.eduroam.jp); VPN
  • Secure e-mail service via S/MIME
  • Supercomputing Grid
  etc.

Page 6

UPKI three-layer Architecture

[Figure: three PKI layers. Grid PKI: a NAREGI CA at each university (Univ. A, Univ. B) issuing end-entity (EE) and proxy certificates for Grid computing. Campus PKI: a campus CA at each university issuing EE certificates for campus-internal use; authentication, signing and encryption for students, faculty, servers and supercomputers, and Web servers. Open Domain PKI: NII public CA and other public CAs issuing certificates for Web servers and S/MIME; signing and encryption. Future plan: Shibboleth/SAML.]

Page 7

Subprojects by NII

• UPKI common CP/CPS [WP1]
• Public server certificate [WP2]
• Inter-university W-LAN roaming [WP3]
• SSO for the Digital Library Service by NII and other universities via Shibboleth/SAML [WP4]
• Development of CA middleware [WP5]
• Deployment of S/MIME e-mail signature/encryption architecture [WP6]

Page 8

Operation Models of CA

• Insource: the university operates both the RA and the IA.
• Full outsource: a provider operates both the RA and the IA for the university.
• IA outsource: the university operates the RA; a provider operates the IA.

Each model is governed by a CP/CPS.

Page 9

NAREGI: National Research Grid Initiative (http://www.naregi.org/), a collaboration project among industry, the academic sector and the government.

Page 10

NAREGI Grid Middleware stack

http://www.naregi.org/concept/index_e.html#05

Page 11

Nationwide Academic Grid Networks over SuperSINET (experimental)

[Figure: NAREGI Grid network (NAREGI core at NII, NII cluster, IMS cluster) connecting AIST (Tsukuba), Kyushu I. Tech., Kyushu U., I. Molecular Sci. (Okazaki), Tokyo I. Tech., Osaka U. and Doshisha U.; 8-center Grid Computing WG network: Hokkaido U., Tohoku U., U. Tokyo, Nagoya U., Doshisha U., Kyoto U., Kyushu U.]

Page 12

NAREGI Certification Service

• CA Software (NAREGI-CA): CA/RA; UI (character, Web)
• Policy Management (NAREGI-PMA): CP/CPS; satisfies the APGrid minimum requirement
• Operation (NII GOC CA): operation of the CA; authorized by the APGrid PMA as a Production Level CA

Page 13

NAREGI-CA

• A full-fledged CA (Certificate Authority) software for PKI
• Originally developed for Grid computing, but can be used for general purposes
• Free open source software
• Ver2.0 (May 10, 2006) is available at http://www.naregi.org/download/
• Research collaboration: audit of CA by AIST, Japan; PMA for international cooperation: APGRID
• User sites: NAREGI, AIST, several universities

Page 14

Comparison among CA software

Product name | Issue of Certif. | CRL periodical | LDAP | HSM | Multiple CA | Profile management | HW token | Operator | Logging
NAREGI CA | file, bulk, WEB, LCMP | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○
OpenSSL | file | × | × | × | ○ | × | × | × | ×
Microsoft Certificate Server | WEB, LDAP | ○ | △ (Active Directory only) | △ (Domain Controller only) | × | △ (Domain Controller only) | ○ | × | △ (Event logging)
Entrust Authority | CMP, bulk, LDAP, WEB, SCEP | ○ | ○ | ○ | × | ○ | ○ | ○ | ○

○: available, ×: not available, △: some restriction

Page 15

NAREGI-CA Software Features

• License ID management: transfers authentication responsibility to the Local RA
• Grid operation extensions: assistance with Grid-mapfile creation
• Dual interfaces for certificate requests: Web and command-line enrollment
• CA/RA architecture: independent Registration Authority (RA) server; practical CP/CPS template

Page 16

NAREGI-CA Architecture

Parties: CA (Certificate Authority), RA (Registration Authority), Local RA (Site Administrator), End User and Host Administrator.

① Site Administrator gets a License ID from the RA
② RA authorizes the Local RA to pass the License ID on
③ End user generates a key pair
④ Local RA passes the License ID and public key to the end user
⑤ End user sends a CSR to the CA
⑥ CA issues the certificate
⑦ End user gets the certificate
⑧ Host Administrator gets the Grid Map file
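The License ID flow on this slide (and the Grid-mapfile assistance from the feature list) as a toy model, added here as an illustration; it is not NAREGI-CA code. Identity proofing happens at the Local RA, which hands the user a License ID; the CA accepts a CSR only with a valid, unused, DN-bound License ID. Keys and certificates are stand-in dictionaries rather than X.509 objects, and the class names, DNs and account names are hypothetical.

```python
import secrets
import time


class LocalRA:
    """Local RA (site administrator): identity-proofs the user and hands out a License ID."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.licenses = {}  # license_id -> (bound subject DN, expiry time)

    def issue_license_id(self, subject_dn):
        lid = secrets.token_hex(16)  # unguessable; one per enrolment
        self.licenses[lid] = (subject_dn, time.time() + self.ttl)
        return lid

    def redeem(self, lid, subject_dn, now=None):
        """Called by the CA: single-use, bound to one subject DN, time-limited."""
        now = time.time() if now is None else now
        record = self.licenses.pop(lid, None)  # pop: a replayed ID finds nothing
        if record is None:
            return False
        bound_dn, expiry = record
        return bound_dn == subject_dn and now < expiry


class ToyCA:
    """CA: issues stand-in certificates and builds the grid-mapfile (DN -> local account)."""

    def __init__(self, ra):
        self.ra = ra
        self.serial = 0
        self.grid_map = {}

    def issue(self, csr, license_id, local_account):
        if not self.ra.redeem(license_id, csr["subject"]):
            raise PermissionError("License ID rejected")
        self.serial += 1
        self.grid_map[csr["subject"]] = local_account
        return {"serial": self.serial, "subject": csr["subject"], "public_key": csr["public_key"]}

    def grid_mapfile(self):
        """grid-mapfile syntax: quoted DN, a space, the local user name."""
        return "\n".join(f'"{dn}" {user}' for dn, user in self.grid_map.items())


def enroll(ra, ca, subject_dn, local_account):
    lid = ra.issue_license_id(subject_dn)       # steps 1, 2, 4: obtain License ID
    public_key = "pk:" + secrets.token_hex(8)   # step 3: stand-in for key generation
    csr = {"subject": subject_dn, "public_key": public_key}
    cert = ca.issue(csr, lid, local_account)    # steps 5-7: send CSR, get certificate
    return cert, lid, ca.grid_mapfile()         # step 8: grid-mapfile entry
```

The checks in `redeem` are what make delegating identity proofing to the Local RA safe: a leaked or replayed License ID cannot be used twice, for another subject, or after it expires.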

Page 17

Enhanced procedure to issue certificate

[Figure: roles CA Administrator, RA Administrator, RA Operator and User, with an Application Server (web) and a Management Server (web) between RA and CA. The RA Administrator delegates to the RA Operator; the user applies, is identified and authorized, receives a License ID and a challenge PIN, and the certificate is issued to an IC card (sample card: TARO SUZUKI 08/07).]

Page 18

Campus-Grid PKI Federation

[Figure: the Campus CA issues a certificate to the user's IC card (Campus PKI). The user requests a certificate from the NAREGI RA using the IC card as credential; the NAREGI CA issues a certificate for the Grid system, published via LDAP (Grid PKI). With it the user accesses the Grid system and its supercomputers.]

Page 19

UPKI Initiative

• Founded on 16 Aug 2006
• Sponsored by the NII AAI TWG
• Mission: gathering interests and opinions of not only universities but also industry
• https://upki-portal.nii.ac.jp/

[Figure: universities, technical colleges, junior colleges and research institutes join the UPKI Initiative and send opinions and comments to the AAI TWG, which produces the common specification. Members shown: Hokkaido U, Tohoku U, U. Tokyo, Nagoya U, Kyoto U, Osaka U, Kyushu U, KEK, Tokyo Tech, NII; NII CSI Headquarters; etc.]

Page 20

Summary

• The UPKI national academic authentication and authorization infrastructure project has started
  • Conducted by NII and the information infrastructure centers in the 7 universities
  • As a basic platform of Cyber Science Infrastructure
• We started later than others, so we have gained some advantages
• International federation/collaboration is a very important issue

Page 21

APAN Middleware Working Group (APAN: Asia-Pacific Advanced Networking)

• 20th APAN (Taipei, Aug. 2005): National Authentication and Authorization Infrastructure and NREN (proposed session)
• 21st APAN (Tokyo, Jan. 2006): Middleware Workshop (full day); Middleware Working Group approved for a period of two years
• 22nd APAN (Singapore, today): Grid Middleware Workshop
• 23rd APAN (Manila, Jan. 2007): Grid Middleware Workshop
• 24th APAN (Xian, Aug. 2007): Middleware Workshop
