Presentation on HKU Grid CA
Mr. Frankie F. T. Cheung
HPC Team, Computer Centre, The University of Hong Kong
E-mail: ftcheung@hku.hk

Agenda (HKU Grid CA)
0. Introduction
1. CP/CPS
2. CA System
3. CA private key
4. CA certificate
5. Certificate Revocation
6. Certificate Revocation List
7. End entity certificates and keys
8. Records Archival
9. Audits
10. Publication & Repository
11. Privacy and confidentiality
12. Compromise and Disaster Recovery
0. Introduction
• What is HKU?
  • Oldest university in Hong Kong
  • Comprehensive university with 10 faculties
  • 12,300 undergraduate & 9,900 postgraduate students
• What is HKU Computer Centre?
  • A centralized IT service department that facilitates the use of the latest information technology in HKU teaching, learning, research and administration.
  • It aims to provide the best quality IT service in Hong Kong as well as from a global perspective.
0. Introduction
• Why do we want to host a CA?
• HKU is a member of Grid organizations:
  • Member of China National Grid (CNGrid)
  • Member of PRAGMA Grid
  • Member of EGEE TWGrid
• Local researchers need to use Grid resources
  • Researchers from multiple disciplines (Chemistry, Physics, Geo-science, Engineering) demand Grid resources
• No IGTF CA system in the Hong Kong region
  • Researchers are reluctant to apply for a user certificate from another region's CA
0. Introduction
• CP/CPS revised by 13 February 2009
• Hardware delivered in early March 2009
• Software (OS, OpenCA, etc.) set up in late March 2009
• Put into production on 8 April 2009
  • Generated CA private key
  • Issued CA certificate
  • Issued a user certificate
  • Issued a host certificate
  • Online web repository ready: http://ca.grid.hku.hk
1. CP/CPS
• CP/CPS was drafted on 24 Dec 2008
• It was reviewed by IGCA and CNIC
• It was revised by 13 February 2009
• CP OID: 1.3.6.1.4.1.30850.2.2.40000.2.1.1.0 [CP/CPS 1.2]
• CPS OID: 1.3.6.1.4.1.30850.2.2.40000.2.2.1.0 [CP/CPS 1.2]
• It is structured as defined in RFC 3647 [CP/CPS 1.1]
1. CP/CPS
• Policy Administration [CP/CPS 9.12]
  • Policy is developed and maintained by the HKU GRID Policy Management Authority (HKU GRID PMA) at HKU Computer Centre
  • All major changes related to policy, technology or security must be approved by APGrid PMA before any certificates are signed under the new CP/CPS.
  • Minor changes related to editorial problems can be made without APGrid PMA approval.
  • A new OID is assigned for major changes and not for minor changes.
  • All versions are available in the online repository (http://ca.grid.hku.hk => "Publications")
1. CP/CPS
• Organization of HKU Grid PMA [CP/CPS 5.2]
1. CP/CPS
• Staff in HKU Grid PMA
  • CA Managers:
    • Dr. P. T. Ho (hpt@cc.hku.hk)
    • Mr. W. K. Kwan (kwk@cc.hku.hk)
  • CA Operators:
    • Mr. Frankie Cheung (frankie@cc.hku.hk)
    • Mr. Gripen Kwok (gripen@cc.hku.hk)
  • RA Operator:
    • Mr. W. K. Kwan (kwk@cc.hku.hk)
2. CA System
• The CA system consists of 2 dedicated machines
  • One offline signing server (Offline CA server)
  • One online web server (Online RA server)
• Hardware: 2 x IBM x3650 servers, each with an Intel quad-core 2.66GHz CPU, 2GB RAM and 4 x 73 GB disks in RAID-6
2. CA System
• Software:
  • OS: Fedora v9
  • CA software: OpenCA v1.0.2
  • OpenSSL: OpenSSL v0.9.8h
  • Web server: Apache v2.2.9
  • Database: MySQL v5.0.51a
• Firewall protection:
  • Campus firewall blocks all incoming traffic except HTTP/HTTPS
  • Host firewall blocks all incoming traffic except HTTP/HTTPS, and SSH and SMTP from the admin network segment
2. CA System
• The CA systems are located at Rack #40 in Room 108 (Computer Server Room), Run Run Shaw Building, The University of Hong Kong [CP/CPS 5.1]
  • Before reaching the room doors: 2 closed-circuit security cameras
  • Two levels of doors: only HKU Computer Centre system administrators and operators are granted access
  • A secure environment where access is controlled
  • The servers are located in a key-locked rack; only administrators and operators keep the key
2. CA System
• The CA signing server is completely offline. No network cable is connected to this server. [CP/CPS 6.2]
• No Hardware Security Module (HSM) is deployed
• The CA systems are professionally managed by CA operators.
3. CA private key
• Encryption algorithm: DES3
• Asymmetric algorithm: RSA
• Key size: 2048 bits [CP/CPS 6.1.5]
• Protected by a pass-phrase of 20 characters [CP/CPS 6.4]
• The pass-phrase is only known to HKU Grid PMA.
• Backup copies of the encrypted private key are kept on offline media (4mm tapes) in the locked cabinet of the HKU Computer Centre server room, where access is controlled. [CP/CPS 6.2.4]
• Backup copies of the private key are encrypted with a backup password known only to CA operators:
  openssl des3 -salt -k password -e -in keyfile.tar.gz -out keyfile.pencrypted.tar.gz
3. CA private key
• The pass-phrase of the encrypted private key is kept in a sealed envelope, which is put in another locked cabinet in the HKU Computer Centre staff room, to which only the HKU Grid PMA has the key. [CP/CPS 6.2.4]
• When it is necessary to generate a new CA certificate (1 year before the CA certificate expires), a new CA private key and pass-phrase will be generated. The new key will then be used for signing. [CP/CPS 5.6]
• The overlap of the old and new keys must be at least 1 year. The old private key is still kept so that old signatures made under the valid certificate can be verified.
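Putting the backup step into practice, as an added example that is not part of the deck or of OpenCA: a POSIX shell script that encrypts the key archive the way the slide's openssl des3 command does, but takes the backup password from a root-only file rather than the -k argument (which shows up in the process list), and tests that the archive actually restores before it goes to tape. The stand-in key, file names and password are constructed, and AES-256-CBC with PBKDF2 (OpenSSL 1.1.1 or later) is used in place of 3DES.

```shell
#!/bin/sh
# Added example, not from the HKU Grid CA deck: encrypt the CA-key backup archive as
# the slide's "openssl des3" step does, but take the password from a root-only file
# instead of the -k argument (visible in the process list), and prove the tape copy
# restores. Paths, the stand-in key and the password are constructed test values.
set -e
umask 077                                   # backup artefacts readable by this user only
W=$(mktemp -d)
openssl genrsa -out "$W/ca.key" 2048 2>/dev/null          # stand-in for the real CA key
tar -czf "$W/keyfile.tar.gz" -C "$W" ca.key
printf 'constructed-backup-password\n' > "$W/backup.pass"
# Encrypt: AES-256-CBC with PBKDF2 (OpenSSL >= 1.1.1) instead of 3DES with the legacy
# one-pass key derivation that "openssl des3 -k" applied.
backup_encrypt() {   # $1 archive  $2 password file  $3 encrypted output
  openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$2" -e -in "$1" -out "$3"
}
# Restore test: decrypt to scratch space, compare digests with the original archive
# and confirm the recovered key still loads. Returns 1 on any mismatch.
backup_verify() {    # $1 encrypted backup  $2 password file  $3 original archive
  tmp=$(mktemp -d)
  openssl enc -aes-256-cbc -pbkdf2 -pass "file:$2" -d -in "$1" -out "$tmp/keyfile.tar.gz" 2>/dev/null || return 1
  [ "$(openssl dgst -sha256 < "$tmp/keyfile.tar.gz")" = "$(openssl dgst -sha256 < "$3")" ] || return 1
  tar -xzf "$tmp/keyfile.tar.gz" -C "$tmp" && openssl rsa -in "$tmp/ca.key" -check -noout >/dev/null 2>&1
}
backup_encrypt "$W/keyfile.tar.gz" "$W/backup.pass" "$W/keyfile.encrypted.tar.gz"
backup_verify "$W/keyfile.encrypted.tar.gz" "$W/backup.pass" "$W/keyfile.tar.gz" && echo "backup restores correctly"
```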
4. CA certificate [CP/CPS 5.6, 7.1.2]
  Version: 3 (0x2)
  Serial Number: b3:7f:1f:87:24:9e:40:87
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: CN=HKU Grid CA,DC=GRID,DC=HKU,DC=HK
  Validity
    Not Before: Apr  8 13:05:28 2009 GMT
    Not After : Apr  3 13:05:28 2029 GMT
  Subject: CN=HKU Grid CA,DC=GRID,DC=HKU,DC=HK
  Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  X509v3 extensions:
    X509v3 Basic Constraints: critical
      CA:TRUE
    X509v3 Subject Key Identifier:
      6B:D2:25:93:24:C4:F2:6F:8A:89:55:4E:D2:5A:55:95:B7:AC:2D:E9
    X509v3 Authority Key Identifier:
      keyid:6B:D2:25:93:24:C4:F2:6F:8A:89:55:4E:D2:5A:55:95:B7:AC:2D:E9
    X509v3 Key Usage: critical
      Certificate Sign, CRL Sign
    X509v3 Subject Alternative Name:
      email:hpc@cc.hku.hk
    X509v3 Issuer Alternative Name:
      email:hpc@cc.hku.hk
5. Certificate Revocation
• Can be requested by: [CP/CPS 4.9.2]
  • The certificate subscriber
  • HKU Grid CA/RA
  • Any other entity presenting evidence of circumstances in which the criteria described in CP/CPS 4.2.1 are violated.
  • Any entity presenting evidence of the compromise of the associated private key.
• An end entity must request revocation within one working day after detecting that [CP/CPS 4.9.1]:
  • The subscriber's private key is compromised or is suspected to have been compromised.
  • The subscriber's information in the certificate is suspected to be inaccurate.
5. Certificate Revocation
• Procedure for Revocation Request [CP/CPS 4.9.3]:
  • The end entity must use the CRIN (Certificate Revocation Identification Number) PIN or send the revocation request by signed E-mail
  • The CA operator authenticates the revocation request by CRIN PIN or signed E-mail, or by telephone/VTC when necessary
  • The CA operator revokes the certificate, updates the CRL and sends a notification E-mail
• HKU Grid CA must react within one working day to any revocation request received. [CP/CPS 4.9.5]
6. Certificate Revocation List
• Lifetime is 30 days [CP/CPS 4.9.7]
• CRL issuance [CP/CPS 4.9.7]
  • Every 23 days (a cron job checks the remaining CRL lifetime and sends E-mail to the CA operators 10 days beforehand)
  • Or immediately after a revocation
• Available at the online repository (http://ca.grid.hku.hk => "Publications")
  • http://ca.grid.hku.hk/crl/cacrl.der
• Version: X.509 v2 [CP/CPS 7.2]
• Message digest algorithm: SHA-1 [CP/CPS 7.2]
7. End entity certificates and keys
• Key size >= 1024 bits [CP/CPS 6.1.5]
• Lifetime: 1 year (365 days) [CP/CPS 5.6, 6.3.2]
• User certificates must not be shared [CP/CPS 4.5]
• A host certificate must be linked to a single network entity. [CP/CPS 4.5]
• The CA only issues certificates based on cryptographic data generated by the subscriber. [CP/CPS 4.1.2]
  • Key generation happens on the client side.
  • It is stated as the subscriber's responsibility to manage the private key safely to prevent unauthorized use
• End entity pass-phrase [CP/CPS 4.5]
  • At least 12 characters (enforced for user certificates by the OpenCA web interface), and stated as the subscriber's responsibility.
7. End entity certificates and keys
• Enrollment Process (User Certificate) [CP/CPS 4.1.2]
  1. The subscriber fills in the user certificate application form and returns it to the RA.
  2. The subscriber waits for the E-mail acknowledgement from the RA, then visits the HKU Grid CA website and requests a CSR. A new CSR serial number is assigned.
  3. A face-to-face meeting with the RA is arranged; the subscriber must present a photo ID, work ID, the CSR serial number and proof of work during the meeting.
  4. The RA examines the request according to CP/CPS 3.2.
  5. Once the subscriber is authenticated, the RA endorses the user certificate application form and approves the request. The RA then passes the signed application form to the CA via signed e-mail or fax.
  6. Upon receipt of the application form, the CA verifies the RA signature on the application form and the CSR serial number. The HKU Grid CA manager may contact the RA if necessary via signed e-mail or telephone.
  7. The CA operator issues the certificate and sends an E-mail to the subscriber describing how to download the certificate.
7. End entity certificates and keys
• Enrollment Process (Host Certificate) [CP/CPS 4.1.2]
  • Similar to the User Certificate enrollment process
  • In step 1, a subscriber who requests a host certificate must hold a valid user certificate from HKU Grid CA.
  • In step 3, the subscriber must provide evidence or proof that the host certificate request is authorized by the owner of the FQDN.
7. End entity certificates and keys
• Meaningful names [CP/CPS 3.1.2]
  • Reasonable association with the end entity
  • CN is the FQDN for host certificates
• Name uniqueness [CP/CPS 3.1.5]
  • User certificate: the CN must be the full name of the subscriber combined with the subscriber's e-mail ID.
  • Host certificate: the CN must be the functional fully qualified domain name.
7. End entity certificates and keys
• Identity Validation by RA [CP/CPS 3.2]
  • HKU members are identified by inspection of the staff card or student card
  • Subscribers from other organizations must be identified in a face-to-face interview. Photo ID and valid official documents (including work ID and proof of work) must be presented at the interview
  • The subscriber must provide evidence or proof that the host certificate request is authorized by the owner of the FQDN.
7. End entity certificates and keys
• X.509 format with extensions [CP/CPS 7.1]
  • basicConstraints set to 'CA:FALSE' and marked as critical
  • keyUsage marked as critical
  • User certificate: the subscriber's E-mail is included in the SubjectAlternativeName
  • Host certificate: the FQDN is included as a dnsName in the SubjectAlternativeName
  • CRLDistributionPoints: URI:http://ca.grid.hku.hk/crl/cacrl.der
  • Policy Identifier contains an OID and a URI:
    • Policy: 1.3.6.1.4.1.30850.2.2.40000.2.1.1.0
    • CPS: http://ca.grid.hku.hk/policy/HKU_gridca_CP-CPS-v1.0.pdf
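To turn the profile above, together with the CA certificate fields on the "4. CA certificate" slides, into a check an operator or relying party can run, here is an added example, not code from the deck or from OpenCA: a POSIX shell script that builds a throw-away CA and host certificate with these extensions using OpenSSL, then verifies a certificate against the profile and the CN-equals-dnsName naming rule from CP/CPS 3.1.2. The DNs, the FQDN grid-node01.example.hku.hk and all file paths are constructed, and SHA-256 is used where the 2009 deck used SHA-1.

```shell
#!/bin/sh
# Added example, not from the HKU Grid CA deck: build a throw-away CA and host
# certificate carrying the extensions the slides list, then check a certificate
# against that profile. DNs, the FQDN and all file paths are constructed values.
set -e
W=$(mktemp -d)
cat > "$W/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_host]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:grid-node01.example.hku.hk
crlDistributionPoints = URI:http://ca.grid.hku.hk/crl/cacrl.der
certificatePolicies = @hku_policy
[hku_policy]
policyIdentifier = 1.3.6.1.4.1.30850.2.2.40000.2.1.1.0
CPS.1 = "http://ca.grid.hku.hk/policy/HKU_gridca_CP-CPS-v1.0.pdf"
EOF
# Test CA (SHA-256; the 2009 deck used SHA-1), a CSR, a compliant issuance and a bare one.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 7300 -config "$W/ext.cnf" \
  -extensions v3_ca -subj "/DC=example/DC=grid/CN=Example Grid CA" \
  -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$W/ext.cnf" \
  -subj "/DC=example/DC=grid/CN=grid-node01.example.hku.hk" \
  -keyout "$W/host.key" -out "$W/host.csr" 2>/dev/null
openssl x509 -req -in "$W/host.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" -CAcreateserial \
  -days 365 -sha256 -extfile "$W/ext.cnf" -extensions v3_host -out "$W/host.pem" 2>/dev/null
openssl x509 -req -in "$W/host.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" -CAcreateserial \
  -days 365 -sha256 -out "$W/bare.pem" 2>/dev/null
# Check a host certificate against CP/CPS 3.1.2, 6.1.5 and 7.1; print each unmet item, return 0 only if all met.
check_host_profile() {
  txt=$(openssl x509 -in "$1" -noout -text)
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/')
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
  rc=0
  printf '%s\n' "$txt" | grep -A1 'Basic Constraints: critical' | grep -q 'CA:FALSE' || { echo "FAIL basicConstraints not critical CA:FALSE"; rc=1; }
  printf '%s\n' "$txt" | grep -q 'Key Usage: critical' || { echo "FAIL keyUsage not critical"; rc=1; }
  printf '%s\n' "$txt" | grep -qF -- "DNS:$cn" || { echo "FAIL CN '$cn' not present as SAN dnsName"; rc=1; }
  printf '%s\n' "$txt" | grep -q 'URI:http://ca.grid.hku.hk/crl/cacrl.der' || { echo "FAIL CRL distribution point"; rc=1; }
  printf '%s\n' "$txt" | grep -q 'Policy: 1.3.6.1.4.1.30850.2.2.40000.2.1.1.0' || { echo "FAIL CP policy OID"; rc=1; }
  [ "${bits:-0}" -ge 1024 ] || { echo "FAIL key size ${bits:-unknown} < 1024 bits"; rc=1; }
  return $rc
}
check_host_profile "$W/host.pem" && echo "host.pem: compliant"
check_host_profile "$W/bare.pem" || echo "bare.pem: non-compliant (as expected)"
```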
7. End entity certificates and keys
• Certificate Renewal [CP/CPS 4.6]
  • HKU Grid CA does not permit a certificate signing request with the same key as the previous certificate.
• Certificate Re-key [CP/CPS 4.7.3]
  • Possible after a certificate has been revoked, has expired or will expire within one month
  • If the certificate has been revoked or has expired, the enrolment process of CP/CPS 4.1.2 must be followed
  • If the certificate will expire within one month, the subscriber need not fill in the application form and need not attend a face-to-face meeting with the RA until 5 years after the initial ID vetting. After 5 years the subscriber should follow the enrolment process of CP/CPS 4.1.2 again to get a new certificate.
• Certificate Modification [CP/CPS 4.8]
  • HKU Grid CA does not support certificate modification.
8. Records Archival
• Records archived [CP/CPS 5.5.1]
  • Forms, e-mails, documents etc. for certificate requests and revocation requests
  • Monthly tape backup (media kept in a locked cabinet with restricted access) including:
    • Signing server and web server backups (including the encrypted CA key)
    • Issued certificates, revocation requests, CRLs
    • Mail archive, system logs (login/logout/reboot)
• Retention period [CP/CPS 5.5.2]
  • General: minimum 3 years
9. Audits
• Compliance Audit [CP/CPS 8]
  • External audit accepted, by APGrid PMA
  • Self-audit of CA/RA and operations annually (April):
    • Are the HKU Grid CA certification duties compliant with this CP/CPS?
    • Can the archived records mentioned in the CP/CPS be obtained within the 3-year retention period?
    • Is the CA operated according to the minimum CA requirements specified by the APGrid PMA?
  • The list of CA and RA personnel is verified at least once per year
10. Publication & Repository
• http://ca.grid.hku.hk/ [CP/CPS 2.1]
  • CA Certificate
  • The end entity certificates issued
  • CRL
  • Signing policy
  • Procedures for each type of end entity certificate enrollment
  • CP/CPS
  • Contact information
  • Other information
• This web repository is available 24x7 on a best effort basis
• APGrid PMA and IGTF are granted unlimited re-distribution rights
11. Privacy and confidentiality
• Privacy [CP/CPS 9.4]
  • Subscribers supply information in the enrollment process, and HKU Grid CA will not disclose this information:
    • Position, telephone
    • Photo, work ID and other valid official documents
  • Except for the details specified in the certificate:
    • Name & e-mail for user certificates
    • FQDN for host certificates
    • Organization Name & Organizational Unit Name
• Confidentiality [CP/CPS 9.3]
  • Except for the information explicitly published in the web repository, all other information is treated as confidential.
12. Compromise and Disaster Recovery
• If the CA private key is compromised [CP/CPS 5.7.1]:
  • Make all reasonable efforts to inform subscribers, RAs and relying parties
  • Revoke all issued certificates
  • Terminate distribution services for certificates and CRLs issued using the compromised key.
  • Generate a new CA key pair and certificate and make the latter available in the public repository.
• If an entity private key is compromised [CP/CPS 5.7.3]:
  • If an entity private key is compromised or suspected to be compromised, the entity or its administrator must request revocation of the certificate
12. Compromise and Disaster Recovery
• Hardware, software and/or data are corrupted [CP/CPS 5.7.2]:
  • Hardware: hardware replacement (disks are RAID-6 protected, tolerating a double disk failure)
  • Software/data corrupted: restored from backup tape
• Disaster:
  • The system must be recovered as soon as possible.
  • Plan to keep the annual backup tape in a locked cabinet in another building (arrangement in progress); this would speed up system recovery in case of a serious disaster (fire, flood) in the building.
Special thanks to:
• Yoshio Tanaka (AIST)
• Henry Sukumar (IGCA)
• Kevin Dong (CNIC CA)
• Jinny Chien (ASGC CA)
• WaUe Chen (NCHC CA)
Questions?