
The Brazilian Grid Certification Authority (BrGrid CA)

The Brazilian Grid Certification Authority (BrGrid CA). Vinod Rebello Universidade Federal Fluminense TAGPMA Face-to-Face Meeting Rio de Janeiro, Brazil, 27-29.03.2006. Presentation Outline. Introduction Repository Name Spaces Certificate and CRL profiles BrGrid CA Structure


Presentation Transcript


  1. The Brazilian Grid Certification Authority (BrGrid CA)
  Vinod Rebello
  Universidade Federal Fluminense
  TAGPMA Face-to-Face Meeting, Rio de Janeiro, Brazil, 27-29.03.2006

  2. Presentation Outline
  • Introduction
  • Repository
  • Name Spaces
  • Certificate and CRL profiles
  • BrGrid CA Structure
  • End Entity Identification and Verification Process
  • Certificate Issuance
  • Security controls
  • Audit/Archive procedures
  • Compromise procedures
  • Disaster recovery
  • What’s next and future plans
  TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006

  3. BrGrid CA Overview
  • Traditional X.509 public key Certification Authority which issues long-term credentials.
  • CP/CPS follows the IETF’s RFC 3647: version 0.5, OID 1.3.6.1.4.1.24839.2.1.10.1.1.0.5
  • Fully compliant with the IGTF Classic CA Profile, maintained by the EUGridPMA.
  • Will issue X.509 v3 certificates to support Brazilian academic R&D activities in eScience and Grid Computing.
  • CA key: 2048-bit RSA modulus, initial 5-year lifetime.
  • EE key: 1024 bits; certificates valid for one year.

  4. BrGrid CA Operations
  • Universidade Federal Fluminense (UFF), Niterói, Brazil
  • Instituto de Computação
  • Smart Grid Computing Laboratory
  • Vinod Rebello (CA Manager)
  • Daniela Vianna
  • Jacques da Silva
  • Carlos Cunha (Technical support)
  • Rafael Pereira (Technical support)
  • Web repository: http://brgrid-ca.ic.uff.br/
  • Email: brgrid-ca@ic.uff.br

  5. Secure Online Repository
  The BrGrid CA will operate a high-availability secure online repository that contains:
  • the BrGrid CA’s root certificate and any previous one necessary;
  • information to validate the integrity of the root certificate;
  • all certificates issued by the BrGrid CA;
  • URLs to text, DER and PEM formatted versions of the Certificate Revocation List (http://brgrid-ca.ic.uff.br/crl);
  • the current and all previous versions of approved CP/CPS documents;
  • a contact email address for inquiries and fault and incident reporting;
  • a postal contact address;
  • as well as any other information deemed relevant to the BrGrid CA service.
  As an accredited CA member of the TAGPMA, the BrGrid CA grants the IGTF and its PMAs the right of unlimited redistribution of this information.

  6. Name Space
  The certificate subject names obey the X.501 standard. Subject names start with a fixed component, to which a variable component is appended to make the name unique.
  Personal: /C=BR/O=BrGridCA/O=organization/OU=organizational-unit/CN=subject-name
  e.g. /C=BR/O=BrGridCA/O=UFF/OU=IC/CN=John Smith
  Host: /C=BR/O=BrGridCA/O=organization/OU=org-unit/CN=host/host-dns-name
  e.g. /C=BR/O=BrGridCA/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br
  Service: /C=BR/O=BrGridCA/O=organization/OU=org-unit/CN=service/host-dns-name
  e.g. /C=BR/O=BrGridCA/O=UFF/OU=IC/CN=ldap/ca.ic.uff.br
  Are there benefits from using acronyms in the DN?
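The namespace rules on this slide are the kind of check a relying party applies before trusting a subject name from this CA. The following Python is an added example and not BrGrid CA software: the slash-DN parser, the `classify_subject` function and the FQDN syntax regex are assumptions of the example; the sample DNs are the ones on the slide.

```python
import re

# Fixed prefix every BrGrid CA subject name starts with (from the slide above).
FIXED_PREFIX = [("C", "BR"), ("O", "BrGridCA")]

# Conservative FQDN syntax check: two or more labels of letters, digits and
# hyphens. The RA's real check additionally confirms the name exists in DNS.
_FQDN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)

def parse_dn(dn):
    """Split an OpenSSL-style DN into (attribute, value) pairs. A '/' only
    starts a new RDN when it is followed by 'ATTR=', so CN values such as
    'host/ce.if.ufrj.br' keep their embedded slash."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    pairs = []
    for rdn in re.split(r"/(?=[A-Za-z]+=)", dn)[1:]:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((attr, value))
    return pairs

def classify_subject(dn):
    """Return 'personal', 'host' or 'service' for a DN inside the BrGrid CA
    namespace; raise ValueError for anything outside it."""
    pairs = parse_dn(dn)
    if pairs[:2] != FIXED_PREFIX:
        raise ValueError("subject does not start with /C=BR/O=BrGridCA")
    if [attr for attr, _ in pairs[2:]] != ["O", "OU", "CN"]:
        raise ValueError("expected /O=organization/OU=org-unit/CN=subject after the prefix")
    cn = pairs[-1][1]
    if not cn:
        raise ValueError("empty CN")
    if "/" not in cn:
        return "personal"                      # CN=John Smith
    kind, _, fqdn = cn.partition("/")          # CN=host/FQDN or CN=<service>/FQDN
    if not kind or not _FQDN_RE.match(fqdn):
        raise ValueError(f"CN {cn!r} is not host/FQDN or service/FQDN")
    return "host" if kind == "host" else "service"

def in_namespace(dn):
    """Boolean form for filtering, e.g. when a relying party screens incoming
    subject names against the CA's namespace."""
    try:
        classify_subject(dn)
        return True
    except ValueError:
        return False
```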

  7. Certificate Profiles - CA
  Basic Constraints: critical, ca: true
  Subject Key Identifier: unique identifier of the subject key (composed of the 160-bit SHA-1 hash of the value of the certified public key).
  Authority Key Identifier: unique identifier of the issuing CA (composed of the 160-bit SHA-1 hash of the value of the public key of the BrGrid CA)
  Key Usage: critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
  Extended Key Usage: timeStamping
  Netscape Cert Type: SSL Certificate Authority, Email Certificate Authority, Object Signing
  Netscape Comment: CP/CPS version and CA name
  X509v3 CRL Distribution Points: URI of the CRL
  Certificate Policy Identifier: the OID of the BrGrid CA CP/CPS

  8. Certificate Profiles - Personal
  Basic Constraints: critical, ca: false
  Subject Key Identifier: hash
  Authority Key Identifier: CA keyid
  Key Usage: critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  Extended Key Usage: clientAuth, emailProtection, codeSigning, timeStamping
  Netscape Cert Type: SSL Client, S/MIME, Object Signing
  Netscape Comment: CP/CPS version and CA name
  X509v3 CRL Distribution Points: URI of the CRL
  Subject Alternative Name: user e-mail address
  Issuer Alternative Name: BrGrid CA e-mail address
  Certificate Policy Identifier: the OID of the BrGrid CA CP/CPS

  9. Certificate Profiles - Host/Service
  Basic Constraints: critical, ca: false
  Subject Key Identifier: hash
  Authority Key Identifier: CA keyid
  Key Usage: critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  Extended Key Usage: serverAuth, clientAuth, emailProtection, codeSigning, timeStamping
  Netscape Cert Type: SSL Server, SSL Client, S/MIME, Object Signing
  Netscape Comment: CP/CPS version and CA name
  X509v3 CRL Distribution Points: URI of the CRL
  Subject Alternative Name: server DNS FQDN host name
  Issuer Alternative Name: BrGrid CA e-mail address
  Certificate Policy Identifier: the OID of the BrGrid CA CP/CPS

  10. CRL Profile
  The BrGrid CA creates and publishes X.509 version 2 Certificate Revocation Lists. The BrGrid CA shall issue complete CRLs for all certificates issued by it, independently of the reason for the revocation.
  The CRL extensions that are included: the Authority Key Identifier (equal to the issuer's key identifier); and the CRL Number (a monotonically increasing sequence number). The CRL Reason Code and the Invalidity Date will also be included as CRL entry extensions.
  The CRL shall have a lifetime of at most 30 days. The CRL will include the date by which the next CRL should be issued. The BrGrid CA must publish a new CRL in the repository at least 7 days before expiration or immediately after a revocation is issued, whichever comes first.
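The lifetime, republication and entry-extension rules on this slide, as an added Python example that is not the CA's software: the policy constants, `check_lifetime`, `must_publish` and `revoked_entry` are assumptions of the example, and the timeline in `demo()` is constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_CRL_LIFETIME = timedelta(days=30)  # "a lifetime of at most 30 days"
REISSUE_LEAD = timedelta(days=7)       # republish "at least 7 days before expiration"

# RFC 5280 CRLReason values accepted in the CRL Reason Code entry extension.
REASON_CODES = {"unspecified": 0, "keyCompromise": 1, "cACompromise": 2,
                "affiliationChanged": 3, "superseded": 4, "cessationOfOperation": 5,
                "certificateHold": 6, "removeFromCRL": 8, "privilegeWithdrawn": 9,
                "aACompromise": 10}

class PolicyViolation(Exception):
    """Raised when a CRL or CRL entry does not meet the profile above."""

def check_lifetime(this_update, next_update):
    """nextUpdate - thisUpdate must be positive and no longer than 30 days."""
    lifetime = next_update - this_update
    if lifetime <= timedelta(0) or lifetime > MAX_CRL_LIFETIME:
        raise PolicyViolation(f"CRL lifetime {lifetime} is outside (0, 30 days]")
    return lifetime

def must_publish(now, next_update, revoked_since_last_crl):
    """Due immediately after a revocation, else once 7 days before nextUpdate."""
    return bool(revoked_since_last_crl) or now >= next_update - REISSUE_LEAD

def revoked_entry(serial_hex, reason, revocation_date, invalidity_date):
    """One CRL entry with the Reason Code and Invalidity Date extensions; the
    key cannot have become invalid after the revocation was recorded."""
    if reason not in REASON_CODES:
        raise PolicyViolation(f"unknown CRLReason {reason!r}")
    if invalidity_date > revocation_date:
        raise PolicyViolation("invalidityDate is later than revocationDate")
    return {"serial": serial_hex, "revocationDate": revocation_date,
            "reasonCode": REASON_CODES[reason], "invalidityDate": invalidity_date}

# Constructed sample timeline (not the CA's data): a CRL issued 1 March 2006 for
# the full 30 days, checked on day 22 and day 23, then after a compromise report.
THIS_UPDATE = datetime(2006, 3, 1, tzinfo=timezone.utc)
NEXT_UPDATE = THIS_UPDATE + timedelta(days=30)

def demo():
    check_lifetime(THIS_UPDATE, NEXT_UPDATE)
    day22, day23 = (THIS_UPDATE + timedelta(days=d) for d in (22, 23))
    entry = revoked_entry("1a2b", "keyCompromise", day23, day22)
    return {"due_day22": must_publish(day22, NEXT_UPDATE, False),  # 8 days left
            "due_day23": must_publish(day23, NEXT_UPDATE, False),  # 7 days left
            "due_after_revocation": must_publish(day22, NEXT_UPDATE, True),
            "entry_reason": entry["reasonCode"]}
```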

  11. BrGrid CA and RAs
  BrGrid CA
  • CA Manager, CA Operators, CA tech support, CA Auditor
  • Offline dedicated signing machine and secure online repository
  • CA operations, registering RAs and maintaining the BrGrid CA management software
  BrGrid CA RAs (RAs of the BrGrid CA)
  • RA Manager appointed by his/her organization, and RA Local Representatives chosen by the RA Manager
  • Vetting (identification, authorization and entitlement) and issuing Certificate Signing Requests
  • CSR operations are carried out through the RA’s specific SSL-protected web interface of the CA management software running on the BrGrid CA web server (requires bi-directional authentication) or (as a backup) through digitally signed e-mail.

  12. Organization Identification
  If an organization or unit intends to request a number of certificates, it is encouraged to set up a BrGrid CA RA.
  For first-time requests, the CA (when the request is to become an RA) or the RA (in the case of a certificate request from an end entity) must ascertain:
  • whether the organization or organizational unit exists;
  • whether it is entitled to request BrGrid certificates; and
  • obtain competent information on who is entitled to sign documents on behalf of that institution.

  13. Verification of Affiliation
  • The current relationship between the subscriber and the organization or unit mentioned in the subject name must be proved through:
  • a legally acceptable document;
  • an organization identity card; or
  • an official organization document stamped and signed by an official representative of that organization.
  • The request may optionally be authorized through the digital signature of an official representative of the organization in possession of a valid BrGrid CA issued certificate.
  • In special cases, an organization can provide the RA with access to official databases to verify the relationship.

  14. Identity Validation (1)
  Individuals are authenticated through the presentation of a valid identity document officially recognized under Brazilian Law. The individual should present himself in person to a BrGrid CA RA for their identity to be verified. At that moment, the individual must present:
  • proof of their current relationship with the organization(s) to be specified in the DN;
  • an identity document with photograph; and
  • a photocopy of this documentation to be archived by the RA.
  But Brazil is the size of Europe…

  15. Identity Validation (2)
  In exceptional cases, for example due to a subscriber’s geographically remote location, this presentation may be held by video conference. In this situation, an authenticated photocopy of all identity documentation together with the subscriber’s notarized signature must be sent by mail/courier to the RA Manager (or the CA Manager in the case of setting up an RA) prior to the meeting.
  Note that “authenticated” and “notarized” refer to verifications made by a legally appointed (under Brazilian Law) notary public.

  16. Host/Service Verification
  For host or service certificates, the requests must be signed with a BrGrid CA issued personal certificate corresponding to the system administrator or person responsible for the resource.
  The RA corresponding to the organisation mentioned in the certificate request’s distinguished name will verify that the requester has the right to request a certificate for the intended host or service, and that the FQDN appears in the DNS.

  17. Certificate Issuance
  • Upon successful authentication, an electronic copy of the requesting party's identification documents and the certification request shall be sent to the BrGrid CA via its management software or digitally signed e-mail.
  • A CA operator shall transfer the CSR manually to the offline signing computer (i.e. not connected to any network) running only the services necessary for the CA operations.
  • The certificate will be created and signed with the operator’s personally encrypted copy of the BrGrid CA private key and then transferred back manually to the BrGrid CA repository.
  • End Entities must acknowledge acceptance of certificates.

  18. Current Status
  The BrGrid CA is not yet operational. The CA management software is currently under development, evaluation and test. The repository is tied to the management software development and thus only contains test data.
  Additional resources are being acquired for a CA environment containing a signing machine, CA web server and repository, backup service, safe(s) and other security equipment (requires evaluation).
  Security issues are also related to the pending supercomputer installation at IC-UFF.

  19. Security Controls
  The BrGrid CA equipment is housed within the postgraduate laboratory of IC-UFF. Located inside a federal building, access to the grounds and premises is controlled (and protected) by security guards and cameras. IC-UFF maintains an access control system for the laboratory.
  All access to the CA web server is limited to BrGrid CA personnel and system administrators of IC-UFF. The server is analyzed daily for breaches in system security.
  The BrGrid CA signing machine is offline at all times and secured in a safe when not in use, together with:
  • personal encrypted copies of the CA’s private key kept on removable storage media;
  • CA audit data stored on read-only DVD or CD; and
  • backup copies and snapshots of the CA system kept on DVD or CD.
  The safe itself is housed in a locked room where access is logged and restricted to authorized personnel.

  20. Audit/Archive Procedures
  Events such as certificate lifecycle operations, access attempts and requests to RAs and the CA will be logged. The audit log files shall be processed and archived once a month, or after a security breach is suspected or known. Audit data on the BrGrid CA web server will be automatically analyzed daily for potential breaches of system security.
  While in the system, the audit logs are protected by the file system security mechanisms and shall only be accessible to the BrGrid CA Manager, Auditor and system administrators. When processed, the archives are copied to a read-only off-line medium (to prevent modification) in encrypted form and stored in a safe place. Only an external auditor and CA personnel will have access to this archive.

  21. Compromise Procedure (1)
  If the private key of the BrGrid CA is compromised (or suspected of being), the CA Manager must:
  • make every reasonable effort to notify subscribers and RAs;
  • terminate the issuing and distributing of certificates and CRLs;
  • generate a new CA key pair and certificate, and publish the certificate in the repository;
  • revoke all certificates previously signed by the compromised key;
  • publish the new CRL on the BrGrid CA repository;
  • notify relevant security contacts; and
  • notify all relying parties and cross-certifying CAs, of which the CA is aware, as widely as possible.

  22. Compromise Procedure (2)
  If the keys of an end entity are lost or compromised, the appropriate RA must be informed immediately in order to start the certificate revocation process.
  If an RA Manager’s private key is compromised or suspected to be compromised, the RA Manager must inform the CA and request revocation.
  A web interface will be available for trouble and incident reporting by relying parties. The CA Manager will receive notification via cell phone.

  23. Disaster Recovery (1)
  In order to resume operations as soon as possible after corruption, the following precautions shall be taken:
  • all CA software shall be backed up on a removable medium after a new release or modifications to any of its components have been installed;
  • all data files of the offline CA shall be backed up on a removable medium after each change, before the session is closed.
  In case of corruption, the CA systems are either repaired or rebuilt from the last good backup. The BrGrid CA operates a secondary web server/repository.
  If all but one of the encrypted copies of the private key have been destroyed or lost and none of the copies were compromised, CA operations shall be re-established without the need to revoke issued certificates.

  24. Disaster Recovery (2)
  All critical CA data necessary for the successful operation of the BrGrid CA will be stored securely at an off-site location.
  In the case of a major disaster, where critical CA information is completely lost, the CA will suspend operations as in the case of CA private key compromise.

  25. What’s Next and Future Plans
  • Implementation and extensive testing of CA management software
  • Installation of new CA infrastructure
  • Training of CA and RA personnel (quality of service)
  • Test procedures and develop an Operations Manual
  Objective: fully operational and ready for “complete” accreditation by the next F2F TAGPMA meeting in July 2006.
  RNP’s Hardware Security Module: still at the prototype stage; when the HSM will be available is unclear. Certification acceptability and cost?
