TNGrid CA, 24th EUGridPMA meeting, Ljubljana, Slovenia, 16-18 January 2012. Heithem ABBES, Mohamed JEMNI


TNGrid CA, 24th EUGridPMA meeting, Ljubljana, Slovenia, January 2012. Heithem ABBES, Mohamed JEMNI. Research Unit Technologies of Information and Communication, University of Tunis

TNGrid: Tunisian National Grid
 The TNGrid project is an initiative of the research unit of Technologies of Information and Communication (UTIC) at the Higher School of Sciences and Technology of Tunis (ESSTT) of the University of Tunis
 TNGrid offers an open and free Tunisian National Grid for researchers
 The grid computing platform is based on institutional resources and volunteer participation


TNGrid CA
 The UTIC research unit has been involved in the grid computing research axis since
 The UTIC research unit has been working in and participating in the EUMEDGRID projects coordinated by INFN (Italy) since
 We started as a Registration Authority, managed by Mohamed Jemni, with the INFN CA, and we are still using the INFN CA services
 We have prepared the TNGrid CA setup so that it is fully operational right after our accreditation process with EUGridPMA

Certificate usage
 Certificates issued by the TNGrid CA are only valid in the context of scientific activities:
 – User certificates can be issued to authenticate the users who benefit from academic and research resources, services and activities
 – Host certificates can be used for the machines of clusters inside TNGrid
 – Service certificates can be used to recognize services used inside TNGrid

CA Manager
 TNGrid CA will be managed by UTIC, which manages the TNGrid infrastructure
 The Manager of the TNGrid CA is Mohamed Jemni
 The alternate representative is Heithem Abbes

CP/CPS
 OID: [CP/CPS 7.1.6]
 Structured as defined in RFC 3647 [CP/CPS 1.1]

OID component    Meaning
IANA 37660       UTIC
.1               TNGrid CA
.1               CP/CPS document
1.0              CP/CPS version

CP/CPS
 Policy Administration [CP/CPS 1.5]
 – The UTIC research unit (ESSTT, University of Tunis) is responsible for the management, registration, maintenance and interpretation of the TNGrid CA. It is reachable at:
 – All major changes related to policy, technology or security must be approved by the TNGrid CA before any certificates are signed under the new CP/CPS
 All versions will be available at the online repository => “PKI Info” => “Get CA Policy” => “Certification Authority” => “Policy Document”

CA System
 Uses 2 dedicated machines:
 – One offline signing server (Offline CA server)
   Intel Core 2 Duo 2.33 GHz, 3 GB RAM, 300 GB HD
   Operating System: Debian
   Software: OpenCA v1.1.1, OpenSSL V2.0.31, Apache V2.2.9, MySQL v5.1
 – One online web server (Online CA server):
   For Subscribers
   For RA Manager
   Intel Core 2 Duo 2.33 GHz, 3 GB RAM, 200 GB HD
   Operating System: Debian
   Software: OpenCA v1.1.1, OpenSSL V2.0.31, Apache V2.2.9, MySQL v5.1
 Located at the Grid Center Room, ESSTT
 Only CA managers and CA operators can be granted physical access to the CA machines
 A secure environment where access is controlled

Name Forms
 Issuer (TNGrid CA): C=TN/O=TNGrid/CN=TNGrid CA
 User: C=TN, O=TNGrid, OU=organizationName, CN=commonName
 – organizationName is the organization name of the subject
 – commonName must be the Forename and the Surname of the subject
 Host: C=TN, O=TNGrid, OU=organizationName, CN=commonName
 – organizationName is the name of the organization owning the host
 – commonName must be the DNS FQDN of the host preceded by ‘host/’
 Service: C=TN, O=TNGrid, OU=organizationName, CN=commonName
 – organizationName is the name of the organization owning the service
 – commonName must be the DNS FQDN of the server preceded by ‘serviceName/’, where serviceName must uniquely identify the service
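The name forms above are exactly the kind of rule an RA operator or relying party should check mechanically before accepting a request or a certificate. The following validator is an added example, not TNGrid CA or OpenCA code; the FQDN grammar, the serviceName token rule and the "at least two words" rule for a person's name are assumptions, since the slide only names the forms.

```python
import re
from typing import List, Tuple

# TNGrid CA name forms as stated on the slide. Assumptions made here (not on
# the slide): a FQDN is checked with a conservative label/dot grammar, a
# serviceName is an identifier-like token, and a person's CN is at least two
# words made of letters (apostrophes and hyphens allowed inside a word).
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
SERVICE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")
WORD = r"[^\W\d_]+(?:['-][^\W\d_]+)*"
PERSON_RE = re.compile(rf"^{WORD}(?: {WORD})+$")
# Split on ',' or on '/' only when a new 'attr=' follows, so that
# 'host/fqdn' and 'serviceName/fqdn' inside a CN are left intact.
ATTR_SPLIT = re.compile(r"\s*,\s*|\s*/\s*(?=[A-Za-z]+=)")
ISSUER_DN = [("C", "TN"), ("O", "TNGrid"), ("CN", "TNGrid CA")]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse 'C=TN/O=TNGrid/CN=...' or 'C=TN, O=TNGrid, ...' into (attr, value) pairs."""
    rdns = []
    for part in ATTR_SPLIT.split(dn.strip()):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_tngrid_issuer(dn: str) -> bool:
    """True only for the exact issuer DN C=TN/O=TNGrid/CN=TNGrid CA."""
    return parse_dn(dn) == ISSUER_DN


def classify_subject(dn: str) -> str:
    """Return 'user', 'host' or 'service' for a conforming subject DN.

    Raises ValueError describing the first rule the DN violates."""
    rdns = parse_dn(dn)
    if [a for a, _ in rdns] != ["C", "O", "OU", "CN"]:
        raise ValueError("subject must be exactly C, O, OU, CN in that order")
    attrs = dict(rdns)
    if attrs["C"] != "TN" or attrs["O"] != "TNGrid":
        raise ValueError("subject must start with C=TN, O=TNGrid")
    if not attrs["OU"]:
        raise ValueError("OU (organizationName) must not be empty")
    cn = attrs["CN"]
    if cn.startswith("host/"):                       # host: 'host/' + FQDN
        if not FQDN_RE.match(cn[len("host/"):]):
            raise ValueError(f"host CN needs a DNS FQDN after 'host/': {cn!r}")
        return "host"
    if "/" in cn:                                    # service: 'serviceName/' + FQDN
        service, fqdn = cn.split("/", 1)
        if not SERVICE_RE.match(service) or not FQDN_RE.match(fqdn):
            raise ValueError(f"service CN must be 'serviceName/FQDN': {cn!r}")
        return "service"
    if not PERSON_RE.match(cn):                      # user: Forename Surname
        raise ValueError(f"user CN must be the forename and surname: {cn!r}")
    return "user"
```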

CA Private Key
 Asymmetric algorithm: RSA
 Key size: 2048 bits [CP/CPS 4.1.2]
 Protected by a pass-phrase of 15 characters [CP/CPS 6.4.1]
 The pass-phrase is only known to CA operators
 The TNGrid CA private key is kept, encrypted, in multiple copies and in different locations [CP/CPS 6.2.4]
 In case the private key of the TNGrid CA is (or is suspected to be) compromised, the CA shall [CP/CPS 5.7.3]:
 – notify subscribers
 – terminate issuing certificates and CRLs
 – generate a new CA key pair
 – revoke all certificates signed using the compromised key

CA Certificate
 Version: 3 (0x2)
 Serial Number: 2 (0x2)
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: CN=TNGrid CA,O=TNGrid,C=TN
 Validity
   Not Before: Dec 16 14:27: GMT
   Not After : Dec 11 14:27: GMT
 Subject: CN=TNGrid CA,O=TNGrid,C=TN
 Subject Public Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: 2048 bit

CA Certificate
 The values of the extensions in the CA certificate are the following:
   Basic Constraints: critical, CA:TRUE
   Key Usage: critical, keyCertSign, CRL Signing
   Subject Key Identifier: CA key ID
   Authority Key Identifier: keyid, issuer
   crlDistributionPoints = URI

End Entity Certificates & Keys
 Key size >= 1024 bits [CP/CPS 6.1.5]
 Lifetime: 1 year plus one month (395 days) [CP/CPS 6.3.2]
 User certificates must not be shared [CP/CPS 4.5]
 Each entity must generate its own key pair [CP/CPS 6.1.1, 6.1.2]
 End entities should protect their passphrase according to the “Guidelines on Private Key Protection” [CP/CPS 4.1.2]

Enrollment process & responsibilities
For user certificates
 User certificate requests are submitted through an online procedure on the TNGrid CA secure website, using a web browser
 The key pair is generated by the web browser locally on the user's machine
 The certificate (public key signed by the CA) can only be downloaded using the same browser, which holds the key pair, on the same machine, from a secure URL on the TNGrid CA website

Enrollment process & responsibilities
For host or service certificates
 The host or service administrator creates the key pair and the certificate request file using the OpenSSL package, and submits the certificate request file to the TNGrid CA in a signed e-mail
 The private key is kept by the host or service administrator
 The certificate request will be verified by the appropriate RA
 If the request is approved by the RA, the requester will then receive an e-mail containing his/her certificate, or the information needed to download it using a browser from a secure URL on the TNGrid CA website

Certificate issuance
 The certificate request shall be transferred to the machine which holds the private key of the TNGrid CA and which is offline
 On this machine the certificate is created and signed
 The signed certificate shall then be transferred back to the online CA server, and an e-mail will be sent to the relevant RA manager informing him/her about the action
 The lifetime of the certificate is one year

Certificate acceptance
 The subscriber must send an e-mail within 15 days from the day his/her certificate was issued
 He/she will sign this e-mail with the issued certificate, confirming the acceptance of the certificate and his/her adhesion to the policy
 Upon receipt of a certificate acceptance, the TNGrid CA will make the certificate available on its repository

End Entity Certificates & Keys
 The values of the extensions in user certificates are the following:
   basicConstraints = critical, CA:FALSE
   keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
   extendedKeyUsage = clientAuth, emailProtection
   crlDistributionPoints = URI
   certificatePolicies = Your_OID, Authentication_Profile_OID
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid, issuer
   subjectAltName =

End Entity Certificates & Keys
 The values of the extensions in host and service certificates are the following:
   basicConstraints = critical, CA:FALSE
   keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
   extendedKeyUsage = clientAuth, serverAuth
   crlDistributionPoints = URI:
   certificatePolicies = Your_OID, Authentication_Profile_OID
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid, issuer
   subjectAltName = DNS:

End Entity Certificates & Keys
 Certificate Renewal [CP/CPS 4.6]: the TNGrid CA does not permit a certificate signing request with the same key as the previous certificate
 Certificate Re-key [CP/CPS 4.7.3]: after a certificate has been revoked, has expired, will expire within one month, or its private key has been compromised
 – If the certificate has been revoked, has expired, or has been compromised, the enrolment process must be followed again

Certificate Revocation
 Can be requested by:
 – the certificate subscriber
 – any other entity presenting proof of knowledge of:
   – private key compromise
   – modification of the subscriber's data
 A certificate will be revoked in the following circumstances:
 – the subject of the certificate has ceased being an eligible end entity for certification
 – the subject does not require the certificate any more
 – the private key has been lost or compromised
 – the information in the certificate is wrong or inaccurate
 – the system to which the certificate has been issued has been retired
 – the subject has failed to comply with the rules of the TNGrid CP/CPS Policy

Certificate Revocation
Procedure for Revocation Request [CP/CPS 4.9.3]:
 A revocation request must be made:
 – by the owner of the certificate, in an e-mail signed with the private key associated with the (not yet expired) certificate
 – on behalf of an owner who has lost his/her private key, in an e-mail signed by an authorized person of the organization/unit that consented to the certificate
 – by the RA, using a secure web interface
 The TNGrid CA must process revocation requests with the highest priority, within one working day [CP/CPS 4.9.5]

Certificate Revocation List
 Lifetime is 30 days [CP/CPS 4.9.7]
 CRL issuance [CP/CPS 4.9.7]: CRLs are issued
 – after every certificate revocation
 – at least every month, 7 days before the month-long validity of the CRL has expired
 Available at the online repository:
 Version: X.509 v3 [CP/CPS 7.2]
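The two issuance triggers above (every revocation, and a scheduled renewal 7 days before the 30-day validity runs out) together guarantee that a relying party which refreshes its CRL at least weekly never holds a CRL past its nextUpdate. The following simulation of that policy is an added example, not TNGrid CA or OpenCA code; all timestamps in it are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# CRL policy from the slide: a CRL is valid for 30 days; a new one is issued
# after every revocation and in any case at least monthly, 7 days before the
# current CRL's validity expires. All timestamps in this example are
# constructed; the TNGrid CA's real issuance times are not on the slide.
CRL_LIFETIME = timedelta(days=30)
REISSUE_MARGIN = timedelta(days=7)


def crl_next_update(this_update: datetime) -> datetime:
    """nextUpdate field the CA writes into a CRL signed at this_update."""
    return this_update + CRL_LIFETIME

def scheduled_reissue(this_update: datetime) -> datetime:
    """Latest time a fresh CRL must be signed even if nothing was revoked."""
    return crl_next_update(this_update) - REISSUE_MARGIN

def utc_day(year: int, month: int, day: int) -> datetime:
    """Helper: midnight UTC on the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def crl_reissue_reason(now: datetime, this_update: datetime,
                       last_revocation: Optional[datetime] = None) -> Optional[str]:
    """Why the CA must sign a new CRL now, or None if the current one may stand."""
    if last_revocation is not None and last_revocation > this_update:
        return "revocation after the current CRL was issued"
    if now >= scheduled_reissue(this_update):
        return "less than 7 days of CRL validity left"
    return None

def crl_is_stale(now: datetime, this_update: datetime) -> bool:
    """Relying-party view: a CRL past its nextUpdate must not be trusted."""
    return now >= crl_next_update(this_update)

def plan_crl_issuance(first_issue: datetime, revocations: List[datetime],
                      until: datetime) -> List[Tuple[datetime, str]]:
    """Simulate the issuance schedule the policy produces up to 'until'.

    Each revocation triggers an immediate CRL; otherwise the CRL is renewed
    at the scheduled point. Returns (issue_time, reason) pairs in order."""
    schedule = [(first_issue, "initial")]
    pending = sorted(r for r in revocations if r > first_issue)
    current = first_issue
    while True:
        due = scheduled_reissue(current)
        if pending and pending[0] <= due:
            nxt, reason = pending.pop(0), "revocation"
        else:
            nxt, reason = due, "scheduled"
        if nxt > until:
            return schedule
        schedule.append((nxt, reason))
        current = nxt

if __name__ == "__main__":
    # Constructed scenario: two revocations during spring 2012.
    revs = [utc_day(2012, 1, 20), utc_day(2012, 3, 10)]
    for when, why in plan_crl_issuance(utc_day(2012, 1, 16), revs, utc_day(2012, 4, 30)):
        print(when.date(), why)
```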

Compromise and Disaster Recovery
 If the CA private key is (or is suspected to be) compromised [CP/CPS 5.7.1]:
 1. Inform the RA, subscribers and relying parties of which the CA is aware
 2. Terminate the certificate and CRL distribution services for certificates and CRLs issued using the compromised key
 3. Notify relevant security contacts
 If an RA Operator's private key is (or is suspected to be) compromised [CP/CPS 5.7.1]: the RA Operator or Manager must inform the CA and request the revocation of the RA Operator's certificate
 If an entity's private key is compromised [CP/CPS 5.7.1]: the RA has to be informed immediately in order to start the certificate revocation process

Publication & Repository
 The TNGrid CA will publish the following information on its website [CP/CPS 2.2]:
 – General information about the TNGrid CA
 – E-mail addresses for inquiries and fault reporting
 – Mailing address of the CA
 – Administration location
 – TNGrid CA root certificate
 – PEM format of the TNGrid CA certificate
 – Issued certificates
 – Certificate Revocation List
 – CP/CPS document
 This web repository is available 24x7 on a best-effort basis

Work achieved
 Preparation of the CP/CPS document
 CP/CPS revised (3 times) by Feyza Eryol from TUBITAK ULAKBIM, Turkey
 Comments from Feyza were implemented
 Software for the CA setup (both for the online and the offline CA)
 Testing the CA:
 – Generate the CA private key
 – Issue the CA certificate
 – Issue user certificates
 – Issue host certificates
 Online web repository is operational


Thanks for your attention