220 likes | 235 Views
Detailed examination of the security infrastructure, operations, and self-audit procedures of CNIC Grid CA and SDG CA. Includes certificate details, staff information, physical access protocols, and workflow for issuing certificates.
E N D
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong (kevin@cnic.ac.cn) Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F Meeting @ ASGC March 08, 2010
Overview • CNIC Grid CA/SDG CA • Self Audit • Conclusion
CNIC Grid CA • CNIC is an institute of CAS • CNIC Grid CA • The security infrastructure of CNIC Grid • Root CA • CNIC Grid CA Repository • http://ca.grid.cn/ • CP/CPS • Introduction • Manual • CA Certificate • 20 years validity --- 2006-2-27 2026-2-27 • Only issues sub-CA certificate and CA servers and operators certificates
SDG CA • Scientific Data Grid (SDG) • Scientific Data Grid (SDG) is an application grid based on scientific data resources sharing and collaboration. • SDG CA • the SDG security infrastructure • The subordinate CA of CNIC Grid CA • SDG CA Repository CP/CPS • http://ca.sdg.grid.cn/ • CP/CPS • Introduction • Manual • SDG CA Certificate • 20 years validity --- 2006-2-27 2016-2-27 • Type of certificates • Person • Host • Service Approved by APGridPMA in July 2006
CNIC Grid/SDG CA staff operators Kai Nan Kevin Dong Yihua Zheng Yueda Wang Huabiao Li Kevin Dong All staff Administrator: Kevin Dong
Hardware • CA server • DELL GX620 P4 CPU 3.20GHz,Red Hat Linux AS4 • Offline, no connection to any other network • UPS is supplied • RA server • DELL GX620 P4 CPU 3.20GHz, Red Hat Linux AS4 • connected to the Internet • Only the necessary ports for RA operation are opened. Other ports are filtered by the firewall. • UPS is supplied • Web server (repository) • The same machine as RA Server • connected to the Internet • Same as RA Server • UPS is supplied
Sofeware • OpenCA • CertUtitily Tool • Generate CSR
Physical Access • CA room • Located in the CNIC machine room. • Limited person can enter. • Security Officer • CA Operators • Other CNIC administrators • Doors equipped with fingerprint recognition system. • Monitored by the CCTV • Physical access • The CA operator is not allowed to access the CA machines alone and need to do so with the other CA operator. • If the CA operator needs to access the CA machines alone, he must notify the fact to the user administrator by Emails before and after entering the room. • All events about the access to the machines must be recorded in the paper sheets prepared in the room. The events include the names of CA operators, date and time of entering/leaving the room, and the purpose of the access to the machine. • The filled sheets will be kept in the dedicated safe box.
Workflow of Issuing Certificates 1. Generate keypair and CSR locally and upload the CSR to RA or Fill the form and generate CSR automatically and send to RA(web page) RA User 2. Identified by in-person interview or official document 12. Send successful issuing mail and CRIN mail User Admin. 4. Approve the CSR 5. Copy the CSR to USB disk 6. Give the USB key to other CA operator 10. Copy the certificate to RA server 11. Publish the certificate 3. Instruct CA operators to accept the request 7. Copy the CSR to CA server 8. Issue the certificate with proper validity 9. Copy the certificate to USB key CA server CA Operator RA server
Current status of SDG CA Number of issued certificates by Mar. 07, 2010
Current status of SDG CA Current Status (by Mar. 07, 2010)
Current status of CNIC Grid CA Number of issued certificates by Mar. 07, 2010
Current status of CNIC Grid CA • Current Status (by Mar. 07, 2010)
Self Audit • SDG CA • CP/CPS 1.8->1.9 • CRL Profile 1.3->1.4 • CNIC Grid CA • CP/CPS 1.4->1.5 • CRL Profile 1.2->1.3 • AuditingSpreadsheet.xls • IGTF classic profile: IGTF-AP-classic-4-2 • Special thanks to Yoshio
Summary • Marks • A: 66 • B: 3 • C: 2 • D: 0
RA - (4) • RA should ensure that the requester is appropriately authorized by the owner of the associated FQDN or the responsible administrator of the machine to use the FQDN identifiers asserted in the certificate. • In section 4.3.1, the role to ensure the FQDN will be defined in CP/CPS. • B
RA - (6) • The CA or RA should have documented evidence on retaining the same identity over time. • It is obvious that the DN is unique for a person because the email or FQDN is included. Now it is defined in section 3.2.3 • C
CA - (16) • The on-line CA architecture must provide for a log of issued certificates and revocations. The log should be tamper-protected. • The logs are available and archived. We will make logs tamper-protected. • C
CA - (27),(32) • The authority must publish CRLs, and these CRLs should be compliant with RFC5280. • In section 2 and section 4.9.8, "the repository of certificates and CRLs are available at http://ca.sdg.grid.cn/" though RFC 5280 is not explicitly defined in CP/CPS. The RFC 5280 will be defined in the CP/CPS. • B
CA - (45) • Identity validation records must be kept at least as long as there are valid certificates based on such a validation. • The identity validation records are kept at least as long as there are valid certificates based on such a validation. But it is not mentioned in CP/CPS. We will add in section 5.4.3. • B
Conclusion • Positive • Update of CP/CPS and CRL profile • Done • Release soon