FP6−2004−Infrastructures−6-SSA-026409
www.eu-eela.org
E-infrastructure shared between Europe and Latin America
The Brazilian Grid CertificationAuthority (BrGrid CA)
Vinod Rebello
Universidade Federal Fluminense
TAGPMA Face-to-Face Meeting
Rio de Janeiro, Brazil, 27-29.03.2006
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
2
•Introduction
•Repository
•Name Spaces
•Certificate and CRL profiles
•BrGrid CA Structure
•End Entity Identification and Verification Process
•Certificate Issuance
•Security controls
•Audit/Archive procedures
•Compromise procedures
•Disaster recovery
•What’s next and future plans
Presentation Outline
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
3
•Traditional X.509 Public Key Certification Authoritywhich issues long-term credentials.
•CP/CPS follows the IETF’s RFC 3647
–Version 0.5, OID 1.3.6.1.4.1.24839.2.1.10.1.1.0.5
•Fully compliant with the IGTF Classic CA Profile,maintained by EUgridPMA.
–Will issue X509 v3 certificates to support Brazilian academicR&D activities in eScience and Grid Computing.
–CA key size 2048 bits RSA mod. Initial 5 year lifetime.
–EE key size 1024 bits, certificates valid for one year.
BrGrid CA Overview
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
4
•Universidade Federal Fluminense(UFF), Niterói, Brazil
–Instituto de Computação
Smart Grid Computing Laboratory
•Vinod Rebello (CA Manager)
•Daniela Vianna
•Jacques da Silva
•Carlos Cunha (Technical support)
•Rafael Pereira (Technical support)
BrGrid CA Operations
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
5
•The BrGrid CA will operate a high availability secure onlinerepository that contains:
–the BrGrid CA’s root certificate and any previous one necessary;
–information to validate the integrity of the root certificate;
–all certificates issued by the BrGrid CA;
–URLs to text, DER and PEM formatted versions of the CertificateRevocation List (http://brgrid-ca.ic.uff.br/crl);
–the current and all previous versions of approved CP/CPS documents;
–a contact email address for inquires and fault and incident reporting;
–a postal contact address;
–as well as any other information deemed relevant to the BrGrid CAservice.
•As an accredited CA member of the TAGPMA, the BrGrid CAgrants the IGTF and its PMAs the right of unlimited redistributionof this information.
Secure Online Repository
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
6
•The certificate subject names obey the X.501 standard.
•Subject names start with the fixed component towhich a variable component is appended to make itunique.
–/C=BR/O=BrGridCA/O=organization/OU=organizational-unit/CN=subject-name
/C=BR/O=BrGridCA/O=UFF/OU=IC/CN=John Smith
–/C=BR/O=BrGridCA/O=organization/OU=org-unit/CN=host/host-dns-name
/C=BR/O=BrGridCA/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br
–/C=BR/O=BrGridCA/O=organization/OU=org-unit/CN=service/host-dns-name
/C=BR/O=BrGridCA/O=UFF/OU=IC/CN=ldap/ca.ic.uff.br
•Are there benefits from using acronyms in the DN?
Name Space
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
7
•Basic Constraints: critical, ca: true
•Subject Key Identifier: unique identifier of the subject key(composed of the 160-bit SHA-1 hash of the value of the certifiedpublic key).
•Authority Key Identifier: unique identifier of the issuing CA(composed of the 160-bit SHA-1 hash of the value of the publickey of the BrGrid CA)
•Key Usage: critical, digitalSignature, nonRepudiation,keyCertSign, cRL Sign
•Extended Key Usage: timeStamping
•Netscape Cert Type: SSL Certificate Authority, Email CertificateAuthority, Object Signing
•Netscape Comment: CP/CPS version and CA name
•X509v3 CRL Distribution Points: URI of the CRL
•Certificate policy Identifier: The OID of the BrGrid CA CP/CPS
Certificate Profiles - CA
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
8
•Basic Constraints: critical, ca: false
•Subject Key Identifier: hash
•Authority Key Identifier: CA keyid
•Key Usage: critical, digitalSignature, nonRepudiation,keyEncipherment, dataEncipherment
•Extended Key Usage: clientAuth, emailProtection, codeSigning,timeStamping
•Netscape Cert Type: SSL Client, S/MIME, Object Signing
•Netscape Comment: CP/CPS version and CA name
•X509v3 CRL Distribution Points: URI of the CRL
•Subject alternative name: User E-mail address
•Issuer alternative name: BrGrid CA E-mail address
•Certificate policy Identifier: The OID of the BrGrid CA CP/CPS
Certificate Profiles - Personal
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
9
•Basic Constraints: critical, ca: false
•Subject Key Identifier: hash
•Authority Key Identifier: CA keyid
•Key Usage: critical, digitalSignature, nonRepudiation,keyEncipherment, dataEncipherment
•Extended Key Usage: serverAuth, clientAuth, emailProtection,codeSigning, timeStamping
•Netscape Cert Type: SSL Server, SSL Client, S/MIME, ObjectSigning
•Netscape Comment: CP/CPS version and CA name
•X509v3 CRL Distribution Points: URI of the CRL
•Subject alternative name: Server DNS FQDN host name
•Issuer alternative name: BrGrid CA E-mail address
•Certificate policy Identifier: The OID of the BrGrid CA CP/CPS
Certificate Profiles - Host/Service
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
10
•The BrGrid CA creates and publishes X.509 version 2 CertificateRevocation Lists.
•The BrGrid CA shall issue complete CRLs for all certificatesissued by it independently of the reason for the revocation.
•The CRL extensions that are included:
–the Authority Key Identifier (equal to the issuer's key identifier); and
–the CRL Number (a monotonically increasing sequence number).
•The CRL Reason Code and the Invalidity Date will also beincluded as a CRL entry extension.
•The CRL shall have a lifetime of at most 30 days.
•The CRL will include the date by which the next CRL should beissued.
•The BrGrid CA must publish in repository a new CRL at least 7days before expiration or immediately after a revocation issued,whichever comes first.
CRL Profile
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
11
•BrGrid CA
–CA Manager, CA Operators, CA tech support, CA Auditor
–Offline dedicated signing machine and secure online repository
–CA operations, registering RAs and maintaining BrGrid CAmanagement software
•BrGrid CA RAs (RAs of the BrGrid CA)
–RA manager appointed by his/her organization and RA LocalRepresentatives chosen by RA Manager
–Vetting (identification, authorization and entitlement) andissuing Certificate Signing Requests
–CSR operations carried out through its specific RA SSLprotected web interface of CA management software runningon the BrGrid CA web server (requires bi-directionalauthentication) or (as a backup) through digitally signed e-mail.
BrGrid CA and RAs
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
12
•If an organization or unit intends to requests anumber of certificates, it is encouraged to setup aBrGrid CA RA
•For first time requests, the CA (when request is tobecome an RA) or the RA (in the case of a certificaterequest from end entity) must ascertain:
–whether or not that the organization or organizational unitexists;
–is entitled to request BrGrid certificates; and
–obtain competent information on who is entitled to signdocuments on behalf of that institution.
Organization Identification
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
13
Verification of Affiliation
•The current relationship between the subscriber andthe organization or unit mentioned in the subject namemust be proved through:
–a legally acceptable document;
–an organization identity card; or
–an official organization document stamped and signed by anofficial representative of that organization.
•The request may optionally be authorized through thedigital signature of an official representative of theorganization in possession of a valid BrGrid CA issuedcertificate.
•In special cases, an organization can provide the RAwith access to official databases to verify therelationship.
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
14
•Individuals are authenticated through thepresentation of a valid identity document officiallyrecognized under Brazilian Law.
•The individual should present himself in person to aBrGrid CA RA for their identity to be verified. At thatmoment, the individual must present:
–Proof of their current relationship with the organization(s) to bespecified in the DN;
–Identity document with photograph; and
–A photocopy of this documentation to be archived by the RA.
•But Brazil is the size of Europe…
Identity Validation (1)
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
15
•In exceptional cases, for example due to asubscriber’s geographical remote location, thispresentation may be held by video conference.
•In this situation, an authenticated photocopy of allidentity documentation together with the subscriber’snotarized signature must be sent by mail/courier tothe RA manager (or the CA Manager in the case ofsetting up an RA) prior to the meeting.
•Note that “authenticated” and “notarized” refer toverifications made by a legally appointed (underBrazilian Law) notary public.
Identity Validation (2)
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
16
•For host or service certificates, the requests must besigned with a BrGrid CA issued personal certificatecorresponding to the system administrator or personresponsible of the resource.
•The RA corresponding to the organisation mentionedin the certificate request distinguish name will verifywhether
–the requester has the right to request a certificate for theintended host or service; and
–the FQDN appears in the DNS.
Host/Service Verification
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
17
Certificate Issuance
•Upon successful authentication, an electronic copy ofthe requesting party's identification documents and thecertification request shall be sent to the BrGrid CA viaits management software or digitally signed e-mail.
•A CA operator shall transfer the CSR manually to theoffline signing computer (i.e. not connected to anynetwork) running only the services necessary for theCA operations.
•The certificate will be created and signed with theoperator’s personally encrypted private key of BrGridCA and then transferred back manually to the BrGridCA repository.
•End Entities must acknowledge acceptance ofcertificates.
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
18
•The Br Grid CA is not operational.
•The CA management software is currently underdevelopment, evaluation and test.
•The repository is related to the management softwaredevelopment and thus only contains test data.
•Additional resources are being acquired for a CAenvironment containing a signing machine, CA Webserver and repository, backup service, safe(s) andother security equipment (requires evaluation).
•Security issues also related to pendingsupercomputer installation at IC-UFF.
Current Status
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
19
•The BrGrid CA equipment is housed within the post graduationlaboratory of IC-UFF. Located inside a federal building, accessto the grounds and premises are controlled (and protected) bysecurity guards and cameras.
•IC-UFF maintains an access control system to the laboratory.
–All accesses to the CA web server are limited to BrGrid CA personneland system administrators of IC-UFF.
Analyzed daily for breaches in system security.
–The BrGrid CA signing machine is offline at all times and secured ina safe when not in use together with:
Personal encrypted copies of the CA’s private key kept on removablestorage media;
CA audit data stored on read-only DVD or CD; and
backup copies and snapshot of CA system kept on DVD or CD.
–The safe itself is housed in a lock room where access is logged andrestricted to authorized personnel.
Security Controls
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
20
•Events such as certificate lifecycle operations,access attempts and requests to RAs and the CA willbe logged.
–The audit log files shall be processed and archived once amonth, or after a security breach is suspected or known.
–Audit data on the BrGrid CA web server will be analyzed dailyfor potential breaches of system security automatically.
–While in the system, the audit logs are protected by the filesystem security mechanisms and shall only be accessible tothe BrGrid CA Manager, Auditor and system administrators.
–When processed, the archives are copied to a read only off-line medium (to prevent modification) in an encrypted form andstored in a safe place.
–Only an external auditor and CA personnel will have access tothis archive.
Audit/Archive Procedures
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
21
•If the private key of the BrGrid CA is compromised (orsuspected of being) the CA Manager must:
–Make every reasonable effort to notify subscribers and RAs;
–Terminate the issuing and distributing of certificates and CRLs;
–Generate a new CA key pair and certificate, and publish thecertificate in the repository;
–Revoke all certificates signed that have been previously signedby the compromised key;
–Publish the new CRL on the BrGrid CA repository;
–Notify relevant security contacts; and
–Notify all relying parties and cross-certifying CAs, of which theCA is aware, as widely as possible.
Compromise Procedure (1)
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
22
•If the keys of an end entity are lost or compromised,the appropriate RA must be informed immediately inorder to start the certificate revocation process.
•If an RA Manager’s private key is compromised orsuspected to be compromised, the RA Manager mustinform the CA and request revocation.
•Web interface will be available for trouble andincident reporting by relying parties. CA Manager willreceive notification via cell phone.
Compromise Procedure (2)
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
23
•In order to resume operations as soon as possible aftercorruption, the following precautions shall be performed:
–all CA software shall be backed-up on a removable medium after anew release or modifications to any of its components have beeninstalled;
–all data files of the offline CA shall be backed-up on a removablemedium after each change, before the session is closed.
•In case of corruption, the CA systems are either repaired orrebuilt from the last good backup.
•The BrGrid CA operates a secondary web server/repository.
•If all but one of the encrypted copies of the private key beendestroyed or lost and none of the keys were comprised, CAoperations shall be re-established without need to revoke issuedcertificates.
Disaster Recovery (1)
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
24
•All critical CA data necessary for the successfuloperation of the BrGrid CA will be stored securely atan off-site location.
•In the case of a major disaster, where critical CAinformation is completely lost, the CA will suspendoperations as in the case of CA private keycompromise.
Disaster Recovery (2)
FP6−2004−Infrastructures−6-SSA-026409
E-infrastructure shared between Europe and Latin America
TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
25
•Implementation and extensive testing of CAmanagement software
•Installation of new CA infrastructure
•Training of CA and RA personnel (quality of service)
•Test procedures and develop an Operations Manual
•Objective: fully operational and ready for “complete”accreditation by the next F2F TAGPMA meeting inJuly 2006.
•RNP’s Hardware Security Module
–Still at the prototype stage, when HSM will be available isunclear.
–Certification acceptability and cost?
What’s Next and Future Plans