Introduction to UPKI project in JAPAN

2007/9/4 TF-EMC2 Meeting Prague. Introduction to UPKI project in JAPAN. Yasuo Okabe, Academic Center for Computing and Media Studies, Kyoto University


DESCRIPTION

Introduction to UPKI project in JAPAN. Yasuo Okabe Academic Center for Computing and Media Studies Kyoto University. Statistics of Higher Education Institutions in Japan. by Ministry of Education and Science, 2005FY. Information Infrastructure Centers in the Seven Universities in JAPAN. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Introduction to UPKI project in JAPAN

2007/9/4 TF-EMC2 Meeting Prague

Introduction to UPKI project in JAPAN

Yasuo Okabe
Academic Center for Computing and Media Studies
Kyoto University

Page 2: Introduction to UPKI project in JAPAN

Statistics of Higher Education Institutions in Japan

Category          #inst.   #student   #faculty   #staff     #people
University           726  2,865,051    161,690  179,521   3,206,262
  national            87    627,850     60,937   56,470     745,257
  public              86    124,910     11,426   11,940     148,276
  private            553  2,112,291     89,327  111,111   2,312,729
Junior College       488    219,355     11,960    6,635     237,950
  national            10      1,643        244      140       2,027
  public              42     14,347      1,209      361      15,917
  private            436    203,365     10,507    6,134     220,006
Tech. College         63     59,160      4,469    2,903      66,532
  national            55     52,210      3,952    2,713      58,875
  public               5      4,594        363      154       5,111
  private              3      2,356        154       36       2,546
Total              1,277  3,143,566    178,119  189,059   3,510,744

Source: Ministry of Education and Science, FY2005 (#people = #student + #faculty + #staff)

Page 3: Introduction to UPKI project in JAPAN

Information Infrastructure Centers in the Seven Universities in JAPAN (map slide)

• Hokkaido University, Information Initiative Center (Sapporo)
• Tohoku University, Information Synergy Center (Sendai)
• University of Tokyo, Information Technology Center (Tokyo)
• Nagoya University, Information Technology Center (Nagoya)
• Kyoto University, Academic Center for Computing and Media Studies (Kyoto)
• Osaka University, Cybermedia Center (Osaka)
• Kyushu University, Computing and Communications Center (Fukuoka)
• National Institute of Informatics (NII) (Tokyo)

Page 4: Introduction to UPKI project in JAPAN

Brief history of federation among the Centers

1965 ~ 70
• 7 centers established as supercomputer centers for nation-wide service

1981
• Connected by commercial X.25 service

1986
• NACSIS (predecessor of NII) established
• N-1 Network project
• Dedicated interuniversity X.25 network service
• Federated Identity Management (~2004)
• Unified ID
• Online subscription to secondary centers

1988
• JAIN (Japan Academic Inter-university Network) project started

1992
• SINET, the academic Internet backbone service, was started by NACSIS

1998-2003
• Reorganized as Information Infrastructure centers
• Merger of education centers for computer literacy

2000
• NII (National Institute of Informatics) established

2002
• Operation of SuperSINET was started

2003
• NAREGI (National Research Grid Initiative) project started
• Grid Computing Research Group

2005
• AuthN/AuthZ Research Group
• UPKI project planned

2006
• UPKI project officially launched

Page 5: Introduction to UPKI project in JAPAN

NII: Toward Cyber-Science Infrastructure. Next-generation Academic Information Infrastructure for Interuniversity Collaboration (diagram slide)

Components shown on the slide:
• Fundamental Resources for Academic and Research Activities
• Education and Training / Encouraging Young Talent
• NAREGI (National Research Grid Initiative)
• NII-REO (Repository of Electronic Journals and Online Publications)
• GeNii (Global Environment for Networked Intellectual Information)
• UPKI: Authentication and Authorization Platform
• SINET/SuperSINET: National Academic Internet Backbone
• Cyber-Science Infrastructure, with Corporation with Industry and International Collaboration
• Participating sites on the map: Hokkaido University, Tohoku University, University of Tokyo, NII, Nagoya University, Kyoto University, Osaka University, Kyushu University

Page 6: Introduction to UPKI project in JAPAN

UPKI: Inter-University Authentication and Authorization Platform for CSI

• Conducted by NII and the information infrastructure centers in 7 universities
• Supported by Ministry of Education, Science and Technology

(Diagram: the Campus AAI of University A, University B and University C are connected through UPKI by the UPKI common specification. Examples shown: University A access point, a professor of University B, University B staff, University C electronic contents, University B access point, wireless LAN roaming, University C administrative system.)

Page 7: Introduction to UPKI project in JAPAN

UPKI: Inter-University Authentication and Authorization Platform for CSI. Motivation

(for NII)
• As a "glue" between the SINET high-speed backbone and the supercomputing grid (by NAREGI) or contents services by NII

(for universities)
• Promoting installation of campus AuthNZ infrastructure
• Eliminating various costs by solidarity
• Federated identity management is unavoidable even in a (big) university
• Many political and cultural issues exist

Page 8: Introduction to UPKI project in JAPAN

UPKI: project member

NII SINET Headquarter, Authentication and Authorization Working Group
• Yasuo Okabe, Kyoto University (chair)
• Noboru Sonehara, NII (vice chair)
• Yoshiaki Takai, Hokkaido University
• Hideaki Sone, Tohoku University
• Hiroyuki Sato, University of Tokyo
• Yasushi Hirano, Nagoya University
• Ken-ichi Baba, Osaka University
• Takahiro Suzuki, Kyushu University
• Katsuyoshi Iida, Tokyo Institute of Technology
• Fukuko Yuasa, KEK (Institute of High Energy Physics)

Page 9: Introduction to UPKI project in JAPAN

UPKI: concept

Targets various applications
• SSO of Web services
• E-mail Digital Signature/Encryption by S/MIME
• Network Services: wireless LAN roaming and VPN
• Grid computing

Utilization of PKI
• "U" stands for University/Universal/Ubiquitous
• Deployment of Grid/PKI middleware for national academic AA infrastructure

Page 10: Introduction to UPKI project in JAPAN

UPKI three layer Architecture (diagram slide)

• Grid PKI: NAREGI CA at A Univ. and B Univ. issue end-entity (EE) certificates, from which proxy certificates are derived for Grid Computing
• Campus PKI: A Univ. CA and B Univ. CA issue EE certificates to students, faculty, servers and supercomputers; used for Auth, Sign, Encrypt
• Open Domain PKI: NII Public CA and other public CAs issue certificates for Web servers and S/MIME; used for Sign, Encrypt
• Future plan: Shibboleth/SAML

Page 11: Introduction to UPKI project in JAPAN

Subprojects by NII

• 【WP1】 UPKI common CP/CPS
• 【WP2】 Public server certificate
• 【WP3】 Inter-University W-LAN roaming
• 【WP4】 SSO for Digital Library Service by NII and other universities via Shibboleth/SAML
• 【WP5】 Development of CA middleware
• 【WP6】 Deployment of S/MIME e-mail signature/encryption architecture

Page 12: Introduction to UPKI project in JAPAN

【WP1】 UPKI Common Specifications

• Campus PKI procurement guidelines
• Campus PKI CP/CPS templates
• Campus PKI model: two outsource models and one insource model (Outsource model, Insource model, Multi-university cooperative model)
• Developed and published for the outsource model: https://upki-portal.nii.ac.jp/upkispecific/specific (only available in Japanese)

Goals
• To promote Campus PKI deployment
• To reduce cost
• To keep multi-university cooperativity

Roadmap shown on the slide (2006, 2007, 2008, 2009-): Campus PKI Spec., Campus CP/CPS templates, deployment of campus PKI at each university, connecting universities, federation of applications.

Page 13: Introduction to UPKI project in JAPAN

Operation Models of CA (diagram slide; RA = Registration Authority, IA = Issuing Authority, all under a CP/CPS)

• Insource: the university operates both RA and IA
• IA outsource: the university operates the RA, a provider operates the IA
• Full outsource: a provider operates both RA and IA

Page 14: Introduction to UPKI project in JAPAN

【WP2】 Public server certificate project

Challenges
• Optimization of RA operation for High-Ed
• Customization of local operation in each institution
• Automation of RA operation by using Campus PKI certs as a credential (in the future)

Expected outcomes
• Best practice of local operation optimized for High-Ed
• Tips for server certificate installation (for niche implementations)
• Tips for local operations improvement in institutions
• Stimulation of demand for S/MIME (used by Local Operators)

Page 15: Introduction to UPKI project in JAPAN

Schemes for Registration and Issuance (diagram slide)

• Cert chain: Root CA (SC-Root1) -> Open Domain CA -> Web Server certificate; the Root CA and the Open Domain CA (IA) are operated by SECOM Trust Systems
• Roles: Subscriber (Web Server) and Local Operator at the High-Ed Institution, RA operator at NII, IA at SECOM Trust Systems
• Subscriber to Local Operator: CSR; Local Operator checks Subscriber Identity and Server ownership and returns the Certificate for Installation
• Local Operator to NII (online): Bulk request; NII returns certificates by Bulk recipience
• NII (RA operator, offline checks): Organization identity, Domain ownership, Local operator acceptance, Subscriber Acceptance
• NII to IA: Registration & Issuance

Page 16: Introduction to UPKI project in JAPAN

【WP4】 Shibboleth Architecture (diagram slide)

• IdP: Authentication Authority, SSO Service, Attribute Authority, Artifact Resolution Service, Attribute Repository, ARP (Attribute Release Policy)
• SP: Assertion Consumer Service, Access Controller, AAP (Attribute Acceptance Policy), Resource
• Flow shown: the User requests resources from the SP; AuthN at the IdP; Attribute Request and Attribute Exchange between SP and IdP; AuthZ decision and Access control at the SP; Actual access to the Resource
• WAYF (Where Are You From) Services are omitted
• An IC Card is shown as the user's credential

Page 17: Introduction to UPKI project in JAPAN

【WP5】 NII GOC CA operation (diagram slide)

Actors: Certificate Users, Host Administrators, RA Administrator, CA Operator (NAREGI CA), User site

① Preparation: Application for bulk license ID; Issuance of bulk license ID
② License ID request: License ID request; Receive request, Inspection
③ Issuance request, ④ Revoke request, ⑤ Reissuance request: Certificate request; Receive request, Issuance/Revoke certificate
⑥ Retrieve data for creating map file: Make data for creating map file; Retrieve data for creating map file
Account Registration Request; Account Registration (NAREGI CA, User site)

Page 18: Introduction to UPKI project in JAPAN

Campus-Grid PKI Federation (diagram slide)

• Campus PKI: the Campus CA issues a certificate to the User, stored on an IC Card
• Grid PKI: the User requests a certificate from NAREGI RA (shown with LDAP) using the IC Card as credential; NAREGI CA issues the Certificate for Grid System
• The User accesses the Grid System (Super Computers) with that certificate

Page 19: Introduction to UPKI project in JAPAN

UPKI Initiative

• Founded on 16 Aug 2006
• Sponsored by NII
• Mission: gathering interests and opinions of not only universities but also industries
• https://upki-portal.nii.ac.jp/

(Diagram: the NII CSI Headquarter and the AAI TWG (Hokkaido U, Tohoku U, U. Tokyo, Nagoya U, Kyoto U, Osaka U, Kyushu U, KEK, Tokyo Tech, NII) produce the common specification; universities, technical colleges, junior colleges, research institutes etc. join the UPKI Initiative and return opinions and comments.)

Page 20: Introduction to UPKI project in JAPAN

Summary

• UPKI, the national academic authentication and authorization infrastructure project, has started.
  • Conducted by NII and the information infrastructure centers in the 7 universities
  • As a basic platform of Cyber Science Infrastructure
• We started later, so we have some advantages.
• International federation/collaboration is a very important issue.

Page 21: Introduction to UPKI project in JAPAN

APAN Middleware Working Group

APAN (Asia-Pacific Advanced Networking)

20th APAN (Taipei, Aug. 2005)
• National Authentication and Authorization Infrastructure and NREN (proposed session)

21st APAN (Tokyo, Jan. 2006)
• Middleware Workshop (full day)
• Middleware Working Group is approved

22nd APAN (Singapore, July 2006)
• Grid Middleware Workshop

23rd APAN (Manila, Jan. 2007)
• Grid Middleware Workshop

24th APAN (Xian, Aug. 2007)
• Middleware Workshop

25th APAN (Hawaii, Jan. 2008)
• Middleware Workshop (proposed)