
Page 1: The Brazilian Grid Certification Authority (BrGrid CA)

FP6−2004−Infrastructures−6-SSA-026409

www.eu-eela.org

E-infrastructure shared between Europe and Latin America

The Brazilian Grid Certification Authority (BrGrid CA)

Vinod Rebello
Universidade Federal Fluminense
TAGPMA Face-to-Face Meeting
Rio de Janeiro, Brazil, 27-29.03.2006

Page 2: The Brazilian Grid Certification Authority (BrGrid CA)

TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006


Presentation Outline

• Introduction
• Repository
• Name Spaces
• Certificate and CRL profiles
• BrGrid CA Structure
• End Entity Identification and Verification Process
• Certificate Issuance
• Security controls
• Audit/Archive procedures
• Compromise procedures
• Disaster recovery
• What’s next and future plans

Page 3: The Brazilian Grid Certification Authority (BrGrid CA)


BrGrid CA Overview

• Traditional X.509 Public Key Certification Authority which issues long-term credentials.
• CP/CPS follows the IETF’s RFC 3647
  – Version 0.5, OID 1.3.6.1.4.1.24839.2.1.10.1.1.0.5
• Fully compliant with the IGTF Classic CA Profile, maintained by EUgridPMA.
  – Will issue X.509 v3 certificates to support Brazilian academic R&D activities in eScience and Grid Computing.
  – CA key size: 2048-bit RSA modulus. Initial 5 year lifetime.
  – EE key size: 1024 bits, certificates valid for one year.

Page 4: The Brazilian Grid Certification Authority (BrGrid CA)


BrGrid CA Operations

• Universidade Federal Fluminense (UFF), Niterói, Brazil
  – Instituto de Computação
  – Smart Grid Computing Laboratory
• Vinod Rebello (CA Manager)
• Daniela Vianna
• Jacques da Silva
• Carlos Cunha (Technical support)
• Rafael Pereira (Technical support)

Web repository: http://brgrid-ca.ic.uff.br/
Email: [email protected]

Page 5: The Brazilian Grid Certification Authority (BrGrid CA)


Secure Online Repository

• The BrGrid CA will operate a high availability secure online repository that contains:
  – the BrGrid CA’s root certificate and any previous one necessary;
  – information to validate the integrity of the root certificate;
  – all certificates issued by the BrGrid CA;
  – URLs to text, DER and PEM formatted versions of the Certificate Revocation List (http://brgrid-ca.ic.uff.br/crl);
  – the current and all previous versions of approved CP/CPS documents;
  – a contact email address for inquiries and fault and incident reporting;
  – a postal contact address;
  – as well as any other information deemed relevant to the BrGrid CA service.
• As an accredited CA member of the TAGPMA, the BrGrid CA grants the IGTF and its PMAs the right of unlimited redistribution of this information.

Page 6: The Brazilian Grid Certification Authority (BrGrid CA)


Name Space

• The certificate subject names obey the X.501 standard.
• Subject names start with a fixed component to which a variable component is appended to make it unique.
  – Personal: /C=BR/O=BrGridCA/O=organization/OU=organizational-unit/CN=subject-name
    e.g. /C=BR/O=BrGridCA/O=UFF/OU=IC/CN=John Smith
  – Host: /C=BR/O=BrGridCA/O=organization/OU=org-unit/CN=host/host-dns-name
    e.g. /C=BR/O=BrGridCA/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br
  – Service: /C=BR/O=BrGridCA/O=organization/OU=org-unit/CN=service/host-dns-name
    e.g. /C=BR/O=BrGridCA/O=UFF/OU=IC/CN=ldap/ca.ic.uff.br
• Are there benefits from using acronyms in the DN?
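The three subject-name forms above are exactly what a relying party or RA should check a DN against before trusting or forwarding it. The following is an added example (not the BrGrid CA’s own software): it parses OpenSSL-style one-line DNs, including the "/" that host and service CNs carry inside the value, and classifies them against the fixed /C=BR/O=BrGridCA prefix. The FQDN test is syntactic only; the DNS lookup the RA performs is assumed to happen separately.

```python
import re

# Fixed components every BrGrid CA subject name starts with (slide "Name Space").
FIXED_PREFIX = [("C", "BR"), ("O", "BrGridCA")]
# Syntax-only FQDN check for host/service names. Assumption: the RA separately
# confirms the name exists in DNS, as the Host/Service Verification slide requires.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def parse_dn(dn):
    """Split an OpenSSL one-line DN ("/C=BR/O=...") into (attribute, value) pairs.

    A '/' inside a value (CN=host/ce.if.ufrj.br) produces a piece without '=',
    which is glued back onto the previous value instead of being a new RDN.
    """
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    pairs = []
    for piece in dn[1:].split("/"):
        if "=" in piece:
            attr, value = piece.split("=", 1)
            pairs.append([attr, value])
        elif pairs:
            pairs[-1][1] += "/" + piece
        else:
            raise ValueError("malformed DN: %r" % dn)
    return [tuple(p) for p in pairs]


def classify_subject(dn):
    """Return 'personal', 'host' or 'service' for a DN inside the BrGrid CA
    name space, or raise ValueError saying why it falls outside it."""
    pairs = parse_dn(dn)
    if pairs[:2] != FIXED_PREFIX:
        raise ValueError("subject does not start with /C=BR/O=BrGridCA")
    if [a for a, _ in pairs[2:]] != ["O", "OU", "CN"]:
        raise ValueError("variable part must be O=org/OU=unit/CN=name")
    org, unit, cn = (v for _, v in pairs[2:])
    if not (org and unit and cn):
        raise ValueError("empty O, OU or CN component")
    if "/" not in cn:
        return "personal"
    kind, _, fqdn = cn.partition("/")
    if not kind or not FQDN_RE.match(fqdn.lower()):
        raise ValueError("CN %r is not host/<fqdn> or <service>/<fqdn>" % cn)
    return "host" if kind == "host" else "service"


def in_namespace(dn):
    """Boolean form of classify_subject for callers that only need accept/reject."""
    try:
        classify_subject(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for dn in ("/C=BR/O=BrGridCA/O=UFF/OU=IC/CN=John Smith",
               "/C=BR/O=BrGridCA/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br",
               "/C=BR/O=BrGridCA/O=UFF/OU=IC/CN=ldap/ca.ic.uff.br",
               "/C=BR/O=OtherCA/O=UFF/OU=IC/CN=Jane Doe"):
        print(dn, "->", classify_subject(dn) if in_namespace(dn) else "rejected")
```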

Page 7: The Brazilian Grid Certification Authority (BrGrid CA)


Certificate Profiles - CA

• Basic Constraints: critical, ca: true
• Subject Key Identifier: unique identifier of the subject key (composed of the 160-bit SHA-1 hash of the value of the certified public key).
• Authority Key Identifier: unique identifier of the issuing CA (composed of the 160-bit SHA-1 hash of the value of the public key of the BrGrid CA).
• Key Usage: critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
• Extended Key Usage: timeStamping
• Netscape Cert Type: SSL Certificate Authority, Email Certificate Authority, Object Signing
• Netscape Comment: CP/CPS version and CA name
• X509v3 CRL Distribution Points: URI of the CRL
• Certificate Policy Identifier: the OID of the BrGrid CA CP/CPS

Page 8: The Brazilian Grid Certification Authority (BrGrid CA)


Certificate Profiles - Personal

• Basic Constraints: critical, ca: false
• Subject Key Identifier: hash
• Authority Key Identifier: CA keyid
• Key Usage: critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
• Extended Key Usage: clientAuth, emailProtection, codeSigning, timeStamping
• Netscape Cert Type: SSL Client, S/MIME, Object Signing
• Netscape Comment: CP/CPS version and CA name
• X509v3 CRL Distribution Points: URI of the CRL
• Subject Alternative Name: user e-mail address
• Issuer Alternative Name: BrGrid CA e-mail address
• Certificate Policy Identifier: the OID of the BrGrid CA CP/CPS

Page 9: The Brazilian Grid Certification Authority (BrGrid CA)


Certificate Profiles - Host/Service

• Basic Constraints: critical, ca: false
• Subject Key Identifier: hash
• Authority Key Identifier: CA keyid
• Key Usage: critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
• Extended Key Usage: serverAuth, clientAuth, emailProtection, codeSigning, timeStamping
• Netscape Cert Type: SSL Server, SSL Client, S/MIME, Object Signing
• Netscape Comment: CP/CPS version and CA name
• X509v3 CRL Distribution Points: URI of the CRL
• Subject Alternative Name: server DNS FQDN host name
• Issuer Alternative Name: BrGrid CA e-mail address
• Certificate Policy Identifier: the OID of the BrGrid CA CP/CPS
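An auditor or relying party can verify that an issued end-entity certificate actually carries the Personal or Host/Service profile above. The following is an added example, not the BrGrid CA’s own tooling: it reads the extension block as `openssl x509 -text -noout` prints it (the slides’ "hash" and "keyid" wording suggests OpenSSL-style issuance, which is an assumption here), compares Basic Constraints, Key Usage and Extended Key Usage exactly, and requires the key identifiers and CRL distribution point to be present; the alternative-name, policy and Netscape extensions are left unchecked to keep the example short.

```python
BASE = {  # extension -> (must be critical, exact value set), shared by both profiles
    "X509v3 Basic Constraints": (True, {"CA:FALSE"}),
    "X509v3 Key Usage": (True, {"Digital Signature", "Non Repudiation",
                                "Key Encipherment", "Data Encipherment"}),
}
EE_EKU = {"TLS Web Client Authentication", "E-mail Protection", "Code Signing", "Time Stamping"}
PROFILES = {  # Personal (slide 8) and Host/Service (slide 9) profiles
    "personal": dict(BASE, **{"X509v3 Extended Key Usage": (False, EE_EKU)}),
    "host": dict(BASE, **{"X509v3 Extended Key Usage":
                          (False, EE_EKU | {"TLS Web Server Authentication"})}),
}
# Extensions whose presence (not exact value) is checked here.
REQUIRED = ("X509v3 Subject Key Identifier", "X509v3 Authority Key Identifier",
            "X509v3 CRL Distribution Points")
KNOWN = set(BASE) | set(REQUIRED) | {"X509v3 Extended Key Usage", "Netscape Cert Type",
                                     "Netscape Comment", "X509v3 Subject Alternative Name"}

def parse_extensions(text):
    """Parse the 'X509v3 extensions:' block of `openssl x509 -text -noout` output
    into {name: (critical, set of values)}; comma-separated lists are split."""
    exts, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head, sep, rest = line.partition(":")
        if sep and head in KNOWN and rest.strip() in ("", "critical"):
            name = head                      # an extension header line
            exts[name] = [rest.strip() == "critical", set()]
        elif name and line:                  # indented value line(s) of that extension
            exts[name][1].update(v.strip() for v in line.split(","))
    return {k: (crit, vals) for k, (crit, vals) in exts.items()}

def check_profile(exts, profile):
    """Return deviations from the named profile; an empty list means it conforms."""
    problems = ["missing %s" % e for e in REQUIRED if e not in exts]
    for ext, (critical, expected) in PROFILES[profile].items():
        if ext not in exts:
            problems.append("missing %s" % ext)
        elif exts[ext][0] != critical:
            problems.append("%s critical=%s, expected %s" % (ext, exts[ext][0], critical))
        elif exts[ext][1] != expected:
            problems.append("%s has %s" % (ext, sorted(exts[ext][1])))
    return problems

# Constructed sample (made-up key identifiers) of a conforming personal certificate.
SAMPLE_PERSONAL = """\
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
    X509v3 Authority Key Identifier:
        keyid:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, E-mail Protection, Code Signing, Time Stamping
    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://brgrid-ca.ic.uff.br/crl
"""
```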

Page 10: The Brazilian Grid Certification Authority (BrGrid CA)


CRL Profile

• The BrGrid CA creates and publishes X.509 version 2 Certificate Revocation Lists.
• The BrGrid CA shall issue complete CRLs for all certificates issued by it, independently of the reason for the revocation.
• The CRL extensions that are included:
  – the Authority Key Identifier (equal to the issuer's key identifier); and
  – the CRL Number (a monotonically increasing sequence number).
• The CRL Reason Code and the Invalidity Date will also be included as CRL entry extensions.
• The CRL shall have a lifetime of at most 30 days.
• The CRL will include the date by which the next CRL should be issued.
• The BrGrid CA must publish a new CRL in the repository at least 7 days before expiration or immediately after a revocation is issued, whichever comes first.
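The CRL rules above can be run as a small policy check over the last two published CRLs, which is what a CA operator or auditor would do before (and after) publication. This is an added example, not the BrGrid CA management software; it assumes the CRL has already been parsed into a dict with the named fields, and the dates and identifiers in the sample are constructed.

```python
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(days=30)  # "lifetime of at most 30 days"
REISSUE_LEAD = timedelta(days=7)   # new CRL at least 7 days before expiration


def check_crl(crl, previous=None):
    """Return the CRL profile rules a CRL breaks (empty list = conforms).

    `crl` is a dict with the fields the profile talks about: version (2 for a
    v2 CRL; note the ASN.1 version field encodes v2 as the integer 1),
    this_update, next_update, crl_number, authority_key_id and
    revoked {serial: entry}. `previous` is the last published CRL, for
    continuity checks.
    """
    problems = []
    if crl.get("version") != 2:
        problems.append("not an X.509 version 2 CRL")
    if crl.get("next_update") is None:
        problems.append("nextUpdate missing")
    elif crl["next_update"] - crl["this_update"] > MAX_LIFETIME:
        problems.append("lifetime exceeds 30 days")
    if "authority_key_id" not in crl:
        problems.append("Authority Key Identifier extension missing")
    if "crl_number" not in crl:
        problems.append("CRL Number extension missing")
    elif previous is not None and crl["crl_number"] <= previous["crl_number"]:
        problems.append("CRL Number not monotonically increasing")
    if previous is not None and crl["this_update"] < previous["this_update"]:
        problems.append("thisUpdate earlier than the previous CRL")
    for serial, entry in crl.get("revoked", {}).items():
        if "reason" not in entry or "invalidity_date" not in entry:
            problems.append("entry %s lacks Reason Code or Invalidity Date" % serial)
    return problems


def publish_deadline(crl, revocation_at=None):
    """Latest moment the next CRL must be in the repository: 7 days before
    nextUpdate, or the moment of a revocation if that comes first."""
    deadline = crl["next_update"] - REISSUE_LEAD
    if revocation_at is not None and revocation_at < deadline:
        return revocation_at
    return deadline


# Constructed sample data (dates and identifiers are made up for the example).
T0 = datetime(2006, 3, 1, 12, 0)
AKI = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"
PREVIOUS = {"version": 2, "this_update": T0, "next_update": T0 + timedelta(days=30),
            "crl_number": 41, "authority_key_id": AKI, "revoked": {}}
CURRENT = {"version": 2, "this_update": T0 + timedelta(days=9),
           "next_update": T0 + timedelta(days=39), "crl_number": 42,
           "authority_key_id": AKI,
           "revoked": {"0x1F": {"reason": "keyCompromise",
                                "invalidity_date": T0 + timedelta(days=9)}}}

if __name__ == "__main__":
    print("previous:", check_crl(PREVIOUS) or "conforms")
    print("current:", check_crl(CURRENT, PREVIOUS) or "conforms")
    print("next CRL due by:", publish_deadline(CURRENT))
```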

Page 11: The Brazilian Grid Certification Authority (BrGrid CA)


BrGrid CA and RAs

• BrGrid CA
  – CA Manager, CA Operators, CA tech support, CA Auditor
  – Offline dedicated signing machine and secure online repository
  – CA operations, registering RAs and maintaining BrGrid CA management software
• BrGrid CA RAs (RAs of the BrGrid CA)
  – RA Manager appointed by his/her organization and RA Local Representatives chosen by the RA Manager
  – Vetting (identification, authorization and entitlement) and issuing Certificate Signing Requests
  – CSR operations carried out through the RA’s own SSL-protected web interface to the CA management software running on the BrGrid CA web server (requires bi-directional authentication) or, as a backup, through digitally signed e-mail.

Page 12: The Brazilian Grid Certification Authority (BrGrid CA)


Organization Identification

• If an organization or unit intends to request a number of certificates, it is encouraged to set up a BrGrid CA RA.
• For first-time requests, the CA (when the request is to become an RA) or the RA (in the case of a certificate request from an end entity) must ascertain:
  – whether or not the organization or organizational unit exists;
  – whether it is entitled to request BrGrid certificates; and
  – obtain competent information on who is entitled to sign documents on behalf of that institution.

Page 13: The Brazilian Grid Certification Authority (BrGrid CA)


Verification of Affiliation

• The current relationship between the subscriber and the organization or unit mentioned in the subject name must be proved through:
  – a legally acceptable document;
  – an organization identity card; or
  – an official organization document stamped and signed by an official representative of that organization.

• The request may optionally be authorized through the digital signature of an official representative of the organization in possession of a valid BrGrid CA issued certificate.

• In special cases, an organization can provide the RA with access to official databases to verify the relationship.

Page 14: The Brazilian Grid Certification Authority (BrGrid CA)


Identity Validation (1)

• Individuals are authenticated through the presentation of a valid identity document officially recognized under Brazilian law.
• The individual should present themselves in person to a BrGrid CA RA for their identity to be verified. At that moment, the individual must present:
  – proof of their current relationship with the organization(s) to be specified in the DN;
  – an identity document with photograph; and
  – a photocopy of this documentation to be archived by the RA.
• But Brazil is the size of Europe…

Page 15: The Brazilian Grid Certification Authority (BrGrid CA)


Identity Validation (2)

• In exceptional cases, for example due to a subscriber’s geographically remote location, this presentation may be held by video conference.
• In this situation, an authenticated photocopy of all identity documentation together with the subscriber’s notarized signature must be sent by mail/courier to the RA Manager (or the CA Manager in the case of setting up an RA) prior to the meeting.
• Note that “authenticated” and “notarized” refer to verifications made by a legally appointed (under Brazilian law) notary public.

Page 16: The Brazilian Grid Certification Authority (BrGrid CA)


Host/Service Verification

• For host or service certificates, the request must be signed with a BrGrid CA issued personal certificate corresponding to the system administrator or person responsible for the resource.
• The RA corresponding to the organisation mentioned in the certificate request’s distinguished name will verify whether:
  – the requester has the right to request a certificate for the intended host or service; and
  – the FQDN appears in the DNS.

Page 17: The Brazilian Grid Certification Authority (BrGrid CA)


Certificate Issuance

• Upon successful authentication, an electronic copy of the requesting party's identification documents and the certification request shall be sent to the BrGrid CA via its management software or digitally signed e-mail.

• A CA operator shall transfer the CSR manually to the offline signing computer (i.e. not connected to any network) running only the services necessary for the CA operations.

• The certificate will be created and signed with the BrGrid CA private key (using the operator’s personally encrypted copy of it) and then transferred back manually to the BrGrid CA repository.

• End Entities must acknowledge acceptance of certificates.

Page 18: The Brazilian Grid Certification Authority (BrGrid CA)


Current Status

• The BrGrid CA is not operational.
• The CA management software is currently under development, evaluation and test.
• The repository is related to the management software development and thus only contains test data.
• Additional resources are being acquired for a CA environment containing a signing machine, CA web server and repository, backup service, safe(s) and other security equipment (requires evaluation).
• Security issues are also related to the pending supercomputer installation at IC-UFF.

Page 19: The Brazilian Grid Certification Authority (BrGrid CA)


Security Controls

• The BrGrid CA equipment is housed within the post-graduate laboratory of IC-UFF. Located inside a federal building, access to the grounds and premises is controlled (and protected) by security guards and cameras.
• IC-UFF maintains an access control system for the laboratory.
  – All access to the CA web server is limited to BrGrid CA personnel and system administrators of IC-UFF. Analyzed daily for breaches in system security.
  – The BrGrid CA signing machine is offline at all times and secured in a safe when not in use, together with: personal encrypted copies of the CA’s private key kept on removable storage media; CA audit data stored on read-only DVD or CD; and backup copies and snapshots of the CA system kept on DVD or CD.
  – The safe itself is housed in a locked room where access is logged and restricted to authorized personnel.

Page 20: The Brazilian Grid Certification Authority (BrGrid CA)


Audit/Archive Procedures

• Events such as certificate lifecycle operations, access attempts and requests to RAs and the CA will be logged.
  – The audit log files shall be processed and archived once a month, or after a security breach is suspected or known.
  – Audit data on the BrGrid CA web server will be analyzed daily for potential breaches of system security automatically.
  – While in the system, the audit logs are protected by the file system security mechanisms and shall only be accessible to the BrGrid CA Manager, Auditor and system administrators.
  – When processed, the archives are copied to a read-only off-line medium (to prevent modification) in an encrypted form and stored in a safe place.
  – Only an external auditor and CA personnel will have access to this archive.

Page 21: The Brazilian Grid Certification Authority (BrGrid CA)


Compromise Procedure (1)

• If the private key of the BrGrid CA is compromised (or suspected of being compromised), the CA Manager must:
  – make every reasonable effort to notify subscribers and RAs;
  – terminate the issuing and distribution of certificates and CRLs;
  – generate a new CA key pair and certificate, and publish the certificate in the repository;
  – revoke all certificates previously signed by the compromised key;
  – publish the new CRL on the BrGrid CA repository;
  – notify relevant security contacts; and
  – notify all relying parties and cross-certifying CAs of which the CA is aware, as widely as possible.

Page 22: The Brazilian Grid Certification Authority (BrGrid CA)


Compromise Procedure (2)

• If the keys of an end entity are lost or compromised, the appropriate RA must be informed immediately in order to start the certificate revocation process.
• If an RA Manager’s private key is compromised or suspected to be compromised, the RA Manager must inform the CA and request revocation.
• A web interface will be available for trouble and incident reporting by relying parties. The CA Manager will receive notification via cell phone.

Page 23: The Brazilian Grid Certification Authority (BrGrid CA)


Disaster Recovery (1)

• In order to resume operations as soon as possible after corruption, the following precautions shall be taken:
  – all CA software shall be backed up on a removable medium after a new release or modifications to any of its components have been installed;
  – all data files of the offline CA shall be backed up on a removable medium after each change, before the session is closed.
• In case of corruption, the CA systems are either repaired or rebuilt from the last good backup.
• The BrGrid CA operates a secondary web server/repository.
• If all but one of the encrypted copies of the private key have been destroyed or lost and none of the keys were compromised, CA operations shall be re-established without the need to revoke issued certificates.

Page 24: The Brazilian Grid Certification Authority (BrGrid CA)


Disaster Recovery (2)

• All critical CA data necessary for the successful operation of the BrGrid CA will be stored securely at an off-site location.
• In the case of a major disaster, where critical CA information is completely lost, the CA will suspend operations as in the case of CA private key compromise.

Page 25: The Brazilian Grid Certification Authority (BrGrid CA)


What’s Next and Future Plans

• Implementation and extensive testing of CA management software
• Installation of new CA infrastructure
• Training of CA and RA personnel (quality of service)
• Test procedures and develop an Operations Manual
• Objective: fully operational and ready for “complete” accreditation by the next F2F TAGPMA meeting in July 2006.
• RNP’s Hardware Security Module
  – Still at the prototype stage; when the HSM will be available is unclear.
  – Certification acceptability and cost?