H I A S TH I A S T
HIAST GRID CAHIAST GRID CA
21th EUGridPMA meeting21th EUGridPMA meeting
Utrecht, 24-26 January, 2011Utrecht, 24-26 January, 2011
Ghassan SABA Houssam ABEDGhassan SABA Houssam ABED
ghassan.saba@hiast.edu.sy houssam.abed@hiast.edu.sy
Higher Institute for Applied Sciences and Technology
21th EUGridPMA Meeting, Utrecht, 2011
2
Agenda
Introduction
CP/CPS
CA System
CA Private Key
CA Certificate
Certificate Revocation
Certificate Revocation List
End Entity Certificates and Keys
Records Archival
Audits
Publication & Repository
Privacy and Confidentiality
Compromise and Disaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
3
Introduction
Achieved works:
CP/CPS preparation
CP/CPS is revised by:
•Roberto Cecchini from INFN-Italy
•Feyza Eryol & Burcu Ortakaya from TUBITAK ULAKBIM,Turkey
Comments from Fayza and Burcu were implemented
Recent comments from Roberto will be taken into account
Hardware for CA delivery at early June 2010
Software for CA setup at late October 2010
Start testing the CA at 3 January 2011:
•Generate CA private key
•Issue CA certificates
•Issue a user certificates
•Issue a host certificates
CA is planned to be operational by 1 March 2011
•Online web repository ready https://ca.grid.hiast.edu.sy
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
4
Introduction
https://ca.grid.hiast.edu.sy/
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
5
CP/CPS
CP OID: 1.3.6.1.4.1.27601.1.1.0.93 [CP/CPS 7.1.6]
It was structured as defined in RFC 3647 [CP/CPS 1.1]
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
1.3.6.1.4.1. 27601.1.1.0.93
OID
1.3.6.1.4.1
IANA
27601
HIAST
.1
HIAST Grid CA
.1
CP/CPS document
.0
Major Version
.93
Minor Version
21th EUGridPMA Meeting, Utrecht, 2011
6
CP/CPS
Policy Administration [CP/CPS 1.5]
•Policy is developed and maintained by HIAST GRID CAat HIAST Information Technology department
•All major changes related to policy, technology orsecurity must be approved by HIAST GRID CA beforesigning any certificates under the new CP/CPS
•Minor changes related to editorial problems can bemade without approval by HIAST GRID CA
All versions will be available at onlinerepository (https://ca.grid.hiast.edu.sy => “Get CAPolicy”)
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
7
CA System
The CA systems are 2 dedicated machines:
•One offline signing server (Offline CA server)
DELL Optiplex 760 UI
2 Cores, 2GB RAM, 2x250 GB HD
Operating System: CentOS v5.4
Software: OpenCA v1.1.0, OpenSSL V2.0.29, ApacheV2.2.3, MySQL v 5.0.77
Hostname: offlineca
•One online web server (Online CA server):
https://ca.grid.hiast.edu.sy/
DELL Optiplex 760 UI
2 Cores, 2GB RAM, 2x250 GB HD
Operating System: CentOS v5.4
Software: OpenCA v1.1.0, OpenSSL V2.0.29, ApacheV2.2.3, MySQL v 5.0.77
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
8
OpenCA Software
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
9
CA Online System
Firewall protection:
•Placed in HIAST DMZ
•Campus firewall blocks all incoming traffic exceptHTTP/HTTPS/SSH
•Host firewall blocks all incoming traffic exceptHTTP/HTTPS, SSH and SMTP from private managementLAN (TBD)
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
10
CA System
The CA system is located at Computer Server Room,Computation Center Building, HIAST [CP/CPS 5.1]
•Physical Security measures:
–Only CA managers and CA operators can be grantedphysical access to CA machines
–Fire alarm and fire fighting systems are in place
–A secure environment where access is controlled
–IP Surveillance is planned to be in place
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
11
CA System
The CA signing server is completely offline [CP/CPS 6.2]
No Hardware Security Module(HSM) is deployed
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
12
Certificate Types
User Certificate
Host Certificate
Service Certificate
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
13
Name Forms
Issuer (HIAST Grid CA)
“C=SY, O=HIAST, CN=HIAST Grid CA“
User
“C=SY, O=HIAST Grid, OU=organizationName, CN=commonName“
•commonName must be the Forename and the Surname of the subject
•organizationName is the organization name of the subject.
Host
“C=SY, O=HIAST Grid, OU=organizationName, CN=commonName“
•commonName must be the DNS FQDN of the host preceded by‘host/’
•organizationName is the name of the organization owning thehost.
Service
“C=SY, O=HIAST Grid, OU=organizationName, CN=commonName“,
•commonName must be the DNS FQDN of the server preceded by‘serviceName/’ where serviceName must uniquely identify theservice
•organizationName is the name of the organization owning theservice.
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
14
CA Private Key
Asymmetric algorithm: RSA
Key size: 8192 bits [CP/CPS 6.1.5]
Protected by a pass-phase of 16 characters [CP/CPS 6.4]
The pass-phase is only known to CA operators
HIAST Grid CA private key is kept, encrypted, inmultiple copies and in different locations, on CD-ROMs[CP/CPS 6.2.4]
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
15
CA Private Key
In case the private key of the HIAST Grid CA is (orsuspected to be) compromised , the CA shall [CP/CPS5.7.3]:
•notify subscribers
•terminate issuing certificates and CRLs
•generate a new CA key pair
•revoke all certificates signed using the compromised key
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
16
CA Certificate [CP/CPS 7.1.2,7.1.3]
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256RSA
Issuer: C=SY, O=HIAST, CN=HIAST Grid CA
Validity
•Not Before: Jan 22 2011
•Not After : Jan 22 2021
Subject: C=SY, O=HIAST, CN=HIAST Grid CA
Subject Public Key Info:
•Public Key Algorithm: rsaEncryption
•RSA Public Key: 8192 bit
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
17
CA Certificate
X509v3 extensions:
•X509v3 Basic Constraints: critical, CA:TRUE
•X509v3 Subject Key Identifier:
–keyid: be 60 d2 4e 45 40 84 ea 89 d7 72 57 89 1f 1b 01 9f89 69 94
•X509v3 Authority Key Identifier:
–keyid: be 60 d2 4e 45 40 84 ea 89 d7 72 57 89 1f 1b 01 9f89 69 94
–Key Usage: Certificate Signing, Off-line CRL Signing, CRLSigning
•X509v3 Subject Alternative Name:
–email: cagrid@ca.hiast.edu.sy
•X509v3 Issuer Alternative Name:
–email: cagrid@ca.hiast.edu.sy
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
18
Certificate Revocation
Can be requested by: [CP/CPS 4.9.2]
•the certificate subscriber
•any other entity presenting proof of knowledge of:
–private key compromise
–modification of the subscriber's data
A certificate will be revoked in the followingcircumstances [CP/CPS 4.9.1]:
•the subject of the certificate has ceased being an eligible endentity for certification
•the subject does not require the certificate any more
•the private key has been lost or compromised
•the information in the certificate is wrong or inaccurate
•the system to which the certificate has been issued has beenretired
•the subject has failed to comply with the rules of HIASTCP/CPS Policy
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
19
Certificate Revocation
Procedure for Revocation Request [CP/CPS 4.9.3]:
Unless the HIAST Grid CA acts on its own, a revocationrequest must be made:
•by the owner of the certificate in an e-mail signed with theprivate key associated with the (still not expired) certificate,
•on behalf of the owner who has lost his/her private key in ane-mail signed by an authorized person of theorganization/unit that consented to the certificate
•by the RA using a secure web interface
The HIAST Grid CA must process revocation requests with thehighest priority within one working day [CP/CPS 4.9.5]
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
20
Certificate Revocation List
Lifetime is 30 days [CP/CPS 4.9.7]
CRL issuance [CP/CPS 4.9.7]
•CRLs are issued after every certificate revocation
•at least every month, 7 days before the month-longvalidity of the CRL has expired
•Available at online repository:
•Version: x509 v2 [CP/CPS 7.2]
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
21
End Entity Certificates & Keys
Key size >=1024 bits [CP/CPS 6.1.5]
Life time :1 year plus one month (395 days) [CP/CPS 6.3.2]
User certificate must not be shared [CP/CPS 7.1.4]
Each entity must generate its key pair [CP/CPS 6.1.1, 6.1.2]
End entity should protect his/her passphrase according to“Guidelines on Private Key Protection” [CP/CPS 4.1.2]
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
22
End Entity Certificates & Keys
Enrollment Process (User Certificate) [CP/CPS 4.1.2]
1)For the first time, a subscriber must be authenticated by theRA: Presenting officially recognized document in F2F meeting
2.After successful authentication:
RA will enter the requester's name, e-mail address andaffiliation to the SSL secured HIAST Grid CA web site
a random 12-digit number will be generated:
The first 6 digits will be given to the requester inwritten form
the rest 6 digits will be sent automatically by the HIASTGrid CA to his e-mail address
From that point the requester has 2 working days tosubmit his certificate request to the HIAST Grid CA
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
23
End Entity Certificates & Keys
Enrollment Process (Host/service Certificate) [CP/CPS 4.1.2]
The subject must already have a valid HIAST Grid CA certificate
Two alternatives:
1)Submission via web interface:
–the subject imports his HIAST Grid CA certificate in thebrowser in order to be authenticated automatically by theHIAST Grid CA server
–Upon successful authentication the user submits thecertificate request via a web based form
2)Via e-mail:
–the subject sends e-mail signed via his HIAST Grid CAcertificate to ragrid@hiast.edu.sy with the certificaterequests attached and stating in the body that he is theperson responsible for the host/service
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
24
End Entity Certificates & Keys
Meaningful names [CP/CPS 3.1.2]
•Subject Name must be:
–easily understandable
–have a reasonable association with the authenticatedname
Name uniqueness [CP/CPS 3.1.5]
•subject name must be unambiguous and unique
•For user certificates, additional numbers or letters maybe appended to the real name
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
25
End Entity Certificates & Keys
Identity Validation by RA [CP/CPS 3.2]
•Authentication Of Organization Identity:
–RA verify that the requesting party's organization isentitled [CP/CPS 1.3.3] to get a certificate and that itconsents to the request
–The first time an organization wants to get a certificate fora user/server/service, it has to announce this officially tothe RA or the HIAST Grid CA
–The RA has to ascertain that the organization exists and isentitled to request a HIAST certificate
–It must also get competent information on who is entitledto sign on behalf of the institution
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
26
End Entity Certificates & Keys
X509 format with extension [CP/CPS 7.1]
•basicConstraints Critical, CA: false
•keyUsage critical
•User certificate: subscriber E-mail is included in theSubjectAlternativeName
•Host certificate: a FQDN is included as a dnsName in theSubjectAlternativeName
•CRLDistributionPoints:URI:https://ca.grid.hiast.edu.sy/crl/cacrl.der
•Policy Identifier contain an OID and URI:
–Policy: 1.3.6.1.4.1.27601.1.1.0.94
–CPS:https://ca.grid.hiast.edu.sy/download/HIAST_CP_CPS_V_0_94.pdf
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
27
End Entity Certificates & Keys
Certificate Renewal [CP/CPS 4.6]
•HIAST Grid CA does not permit certificate signingrequest with the same key as the previous certificate
Certificate Re-key [CP/CPS 4.7.3]
•After a certificate has been revoked, expired, will beexpired in one month, or the private key iscompromised
•If the certificate has been revoked, expired, orcompromised, it must follow enrolment process of[CP/CPS 4.1.2]
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
28
End Entity Certificates & Keys
Certificate Re-key [CP/CPS 4.7.3]
•If the certificate still has one month to expire, thesubscriber don’t need to fill the application form norneed to participate in the F2F meeting with RA until 5years of initial ID vetting
•After 3 years, the subscriber of the certificate shouldfollow the enrolment process [CP/CPS 4.1.2] again to geta new certificate
Certificate Modification [CP/CPS 4.8]
•HIAST Grid CA does not support certificate modification
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
29
Records Archival
Records archived [CP/CPS 5.5.1]
•System boots and shutdowns
•Interactive system logins
•Periodic message digests of all system files
•Requests for certificates
•Identity verification procedures
•Identity validation records which RA collects [CP/CPS3.2.3]
•Certificate issuing
•Requests for revocation
•CRL issuing
Retention period [CP/CPS 5.5.2]
•General: minimum 3 years
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
30
Audits
Compliance Audit: [CP/CPS 8]
CA or RA will, at least once a year:
•self-assessment to check the compliance of the CA operationwith the CP/CPS document
•assess the compliance of the procedures of the RA with theCP/CPS document
•assess the CA and RA staff
HIAST Grid CA accepts being audited by otheraccredited CAs to verify its adherence to the rulesand procedures specified in its CP/CPS document
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
31
Publication & Repository
HIAST Grid CA will publish the following informationon its website [CP/CPS 2.2]:
•General information about HIAST Grid CA
•E-mail addresses for inquiries and fault reporting
•Mailing address of CA Administration location
•HIAST Grid CA root certificate
•PEM format of the HIAST Grid CA certificate
•Issued certificates
•The Certificate Revocation List
•A copy of CP/CPS policy
This web repository is available 24x7 on a besteffort basis
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
32
Privacy and Confidentiality
Privacy [CP/CPS 9.4]
•HIAST Grid CA collects the following information which is notdeemed as private:
–subscriber's e-mail address
–subscriber's name
–subscriber's organization
–subscriber's certificate
•HIAST Grid CA has not responsibility to protect any otherprivate information as all the information it collects isconsidered public.
Confidentiality [CP/CPS 9.4.4]
•HIAST Grid CA guarantees to not use the photo ID documentfor any other purposes other than the ones it is intended for
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
33
Compromise and Disaster Recovery
If CA private key is (or suspect to be) compromised[CP/CPS 5.7.1]:
1.Inform the RA, subscribers and relying parties of which the CAis aware
2.Terminate the certificates and CRL distribution services forcertificates and CRLs issued using the compromised key
3.Notify relevant security contacts
If an RA Operator’s private key is compromised orsuspected to be compromised [CP/CPS 5.7.1]:
•the RA Operator or Manager must inform the CA and request therevocation of the RA Operator’s certificate
If Entity Private Key is compromised [CP/CPS 5.7.1]:
•RA has to be informed immediately in order to start thecertificate revocation process
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
34
Compromise and Disaster Recovery
Hardware, Software, and/or Data AreCorrupted [CP/CPS 5.7.2]:
•Hardware: a functioning hardware shall be loaded with thelatest state of the software and data backed-up on a read-onlymedium and estimated to be uncorrupted
•Software/data corrupted: Restored from removable mediaafter a new release of any of its components is installed.
Disaster:
•The system must be recovered as soon as possible
•Plan to keep the annual backup data to the locked cabinet inanother building (arrangement in progress), it would speed upsystem recovery in case of serious disaster (fire, flood) in thebuilding
Introduction
CP/CPS
CA System
CA private key
CA certificate
CertificateRevocation
CertificateRevocation List
End entitycertificates andkeys
Records Archival
Audits
Publication &Repository
Privacy andconfidentiality
compromise andDisaster Recovery
21th EUGridPMA Meeting, Utrecht, 2011
35
Future works
Working on latest comments received from RobertoCecchini on 12 Jan, 2011
Implementing comments from today’s meeting
Customizing the on-line web site to meet the currentCP/CPS
Releasing the CP/CPS version 0.94 for reviewing
Acquiring new server hardware for CA system
Enhancing CA system security
21th EUGridPMA Meeting, Utrecht, 2011
36
Thank you for your Attention
Questions ?