Self-audit report of AIST GRID CA (Yoshio Tanaka, Information Technology Research Institute, AIST, Japan)


National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information Technology Research Institute AIST, Japan

Contents
- Overview and organization
- CA architecture
- Results of self-auditing: 9 B scores, 4 C scores

Introduction of AIST
AIST is one of the largest national laboratories in Japan, with 3,500+ employees. Research topics include environment, materials, bio/life science, standards (JIS/OSI), geographical survey, semiconductor devices, computer science, etc. The main campus is AIST Tsukuba; there are 7 other campuses across Japan.
(Map: Narita, Tokyo and Tsukuba, with distances of 50 km, 40 km and 50 km between them.)

Overview of AIST GRID CA
Identification (OIDs):
- AIST:
- GRID:
- AIST GRID CA:
- AIST GRID CA CP:
Community and applicability:
- Certificates are issued to researchers in AIST and to researchers outside AIST who have a research collaboration with AIST.
- Certificates are issued for Grid authentication.

Issued certificates
- User certificates: 136 (valid: 31; invalid, i.e. revoked or expired: 105)
- Host certificates: 1706 (valid: 509; invalid: 1197)
- LDAP certificates: 262 (valid: 33; invalid: 229)

Root CA Certificate
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, O=AIST, OU=GRID, CN=Certificate Authority
        Validity
            Not Before: Oct 19 10:28: GMT
            Not After : Oct 18 10:28: GMT
        Subject: C=JP, O=AIST, OU=GRID, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): .....
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier: .....
            X509v3 Subject Key Identifier: .....
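The dump above can be checked mechanically against the properties an IGTF-style audit looks for in a root certificate: v3, self-issued, critical Basic Constraints with CA:TRUE, critical Key Usage limited to certificate and CRL signing, an adequate RSA key size, key identifiers present, and a signature hash that current profiles still accept (SHA-1 no longer is). The following is an added example written for this page, not code from the AIST GRID CA or the NAREGI CA software. It parses `openssl x509 -text` output with the standard library only. The embedded dump is constructed to mirror the slide (same DN, key size and extensions); its dates and key identifiers are placeholders, not values of the real certificate.

```python
import re

# Constructed sample modelled on the root certificate shown on the slide:
# same DN, key size and extensions. Dates and key identifiers are
# placeholders, not the values of the real AIST GRID CA certificate.
SAMPLE_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, O=AIST, OU=GRID, CN=Certificate Authority
        Validity
            Not Before: Oct 19 10:28:00 2005 GMT
            Not After : Oct 18 10:28:00 2010 GMT
        Subject: C=JP, O=AIST, OU=GRID, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:00:11:22:33
            X509v3 Subject Key Identifier:
                00:11:22:33
"""

WEAK_HASHES = ("md2", "md5", "sha1")


def parse_fields(text):
    """Scalar fields of an `openssl x509 -text` dump that the audit needs."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1).strip()) if m else None
    return {
        "version": grab(r"Version:\s*(\d+)", int),
        "sig_alg": grab(r"Signature Algorithm:\s*(\S+)"),
        "issuer": grab(r"Issuer:\s*(.+)"),
        "subject": grab(r"Subject:\s*(.+)"),
        "key_alg": grab(r"Public Key Algorithm:\s*(\S+)"),
        "key_bits": grab(r"\((\d+) bit\)", int),
    }


def parse_extensions(text):
    """Map extension name -> {'critical': bool, 'value': [lines]}."""
    exts, current, in_exts = {}, None, False
    for line in text.splitlines():
        if "X509v3 extensions:" in line:
            in_exts = True
            continue
        if not in_exts:
            continue
        if line.strip().startswith("Signature Algorithm"):
            break  # trailing signature block: end of the extension list
        m = re.match(r"\s*X509v3 (.+?):\s*(critical)?\s*$", line)
        if m:
            current = m.group(1)
            exts[current] = {"critical": m.group(2) == "critical", "value": []}
        elif current is not None and line.strip():
            exts[current]["value"].append(line.strip())
    return exts


def audit_ca_profile(text):
    """Return the list of findings; an empty list means the profile checks pass."""
    f = parse_fields(text)
    exts = parse_extensions(text)
    findings = []
    if f["version"] != 3:
        findings.append("certificate is not X.509 v3, so it cannot carry extensions")
    if f["issuer"] != f["subject"]:
        findings.append("root certificate is not self-issued (issuer != subject)")
    bc = exts.get("Basic Constraints")
    if bc is None or not bc["critical"] or "CA:TRUE" not in " ".join(bc["value"]):
        findings.append("Basic Constraints must be present, critical and CA:TRUE")
    ku = exts.get("Key Usage")
    if ku is None or not ku["critical"]:
        findings.append("Key Usage must be present and critical")
    else:
        usages = {u.strip() for u in ",".join(ku["value"]).split(",")}
        if usages != {"Certificate Sign", "CRL Sign"}:
            findings.append("Key Usage should be exactly Certificate Sign, CRL Sign; got %s" % sorted(usages))
    if f["key_alg"] == "rsaEncryption" and (f["key_bits"] or 0) < 2048:
        findings.append("RSA key is shorter than 2048 bits")
    if f["sig_alg"] and f["sig_alg"].lower().startswith(WEAK_HASHES):
        findings.append("signature algorithm %s uses a deprecated hash" % f["sig_alg"])
    for name in ("Subject Key Identifier", "Authority Key Identifier"):
        if name not in exts:
            findings.append("%s extension is missing" % name)
    return findings


if __name__ == "__main__":
    for line in audit_ca_profile(SAMPLE_DUMP) or ["no findings"]:
        print(line)
```

Run against the constructed dump it reports exactly one finding, the SHA-1 signature; the same script run on `openssl x509 -in ca.pem -noout -text` of a real trust anchor gives the operator the list to put in the next self-audit.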

Organization

Organization (cont'd): main roles
- Security Officer (2 officers): administers all tasks on the CA system, including the CA private key. Akihiro Iijima, Motokuni Tsushima.
- CA Operator (3 operators): administers the RA and CA servers; generates LICENSE IDs and delivers them to subscribers; maintains the CA system. Mototsune Oomura, Takahiro Hamanishi, Jin Ishii.
- Help Desk: contact point for users about CA operation. Akihiro Iijima, Mototsune Oomura, Jin Ishii, Takahiro Hamanishi, Yoshio Tanaka.
- User Administrator (1 admin): accepts user enrollment; examines user information and approves the user. Yoshio Tanaka.

CA system: online CA + NAREGI CA software
- RA server (dedicated)
- CA server (dedicated), with HSM: SafeNet Luna CA3, FIPS Level 3
- Web server (repository)
- Communication between the servers: secure protocol, limited ports

Physical controls
- The CA system is located in the AIST Tsukuba Center, in a dedicated CA room inside the machine room.
- Multiple levels of authentication are required to reach the CA room: to enter the building, to enter the 2nd floor, to enter the machine room, and to enter the CA room.
- Only Security Officers and CA Operators are able to enter the CA room.

Physical controls (cont’d)

Procedure for certificate enrollment
Components: RA server (dedicated), CA server (dedicated) with HSM. Actors: RA (user admin), CA operator.
1. Application by
2. F2F vetting
3. Notification by signed
4. Encrypted LICENSE ID by
5. Passphrase by FAX
The encrypted LICENSE ID (step 4) and the passphrase that unlocks it (step 5, by FAX) are delivered over separate channels.

Results of self-auditing: Score B
(3) Whenever there is a change in the CP/CPS the O.I.D. of the document must change and the major changes must be announced to the responsible PMA and approved before signing any certificates under the new CP/CPS.
  Finding: a new OID is not assigned for minor (editorial) changes.
(5) The CP/CPS documents should be structured as defined in RFC
  Finding: the CP/CPS is structured based on RFC 2527, the superseded CP/CPS framework.

Results of self-auditing: Score B
(13) The pass phrase of the encrypted private key must also be kept on offline media, separated from the encrypted private keys and guarded in a secure location where only the authorized personnel of the CA have access. Alternatively, another documented procedure that is equally secure may be used.
  Finding: we do keep the pass phrase on offline media, stored in a safe place separated from the encrypted private keys, but this is not described in the CP/CPS.

Results of self-auditing: Score B
(22) Certificate revocation can be requested by users, the registration authorities, and the CA. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.
  Finding: the CP/CPS does not state that "others can request revocation."
(23) The CA must react as soon as possible, but within one working day, to any revocation request received.
  Finding: the CP/CPS does not state "but within one working day."
(24) An end entity must request revocation of its certificate as soon as possible, but within one working day after detection of…
  Finding: the CP/CPS does not state "but within one working day."

Results of self-auditing: Score B
(43) Certificates (and private keys) managed in a software token should only be re-keyed, not renewed.
(45) Certificates must not be renewed or re-keyed consecutively for more than 5 years without a form of identity and eligibility verification, and this procedure must be described in the CP/CPS.
  Finding (43, 45): the CP/CPS does not clearly distinguish re-key and renewal.
(57) The CA shall provide their trust anchor to a trust anchor repository, specified by the accrediting PMA, via the method specified in the policy of the trust anchor repository.
  Finding: currently, AIST GRID CA does not provide its trust anchor to a trust anchor repository.

Results of self-auditing: Score C
(15) When the CA's cryptographic data needs to be changed, such a transition shall be managed; from the time of distribution of the new cryptographic data, only the new key will be used for certificate signing purposes.
(16) The overlap of the old and new key must be at least the longest time an end-entity certificate can be valid. The older but still valid certificate must be available to verify old signatures, and the secret key to sign CRLs, until all the certificates signed using the associated private key have also expired.
  Finding (15, 16): the CP/CPS does not describe the transition procedure.
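Requirements (15) and (16) fix the shape of the transition, and the Summary gives the date that drives it (the root expires in October next year): the last end-entity certificate the old key signs must expire no later than the old CA certificate, so the new key has to be distributed and in use at least one maximum end-entity lifetime before the root expires, while the old key goes on signing CRLs until then. The following added example, written for this page and not code of the AIST GRID CA or the NAREGI CA software, encodes both rules so the dates can be checked rather than estimated. The 13-month (395-day) maximum end-entity validity and the calendar dates are assumptions for illustration; the slides do not state the CA's actual maximum lifetime or the year of expiry.

```python
from datetime import date, timedelta


class KeyTransition:
    """Rules (15)/(16): once the new key is distributed only it signs
    certificates; the old key keeps signing CRLs until every certificate it
    issued has expired; the overlap must cover the longest EE validity."""

    def __init__(self, old_not_after, new_not_before, max_ee_validity_days):
        self.old_not_after = old_not_after        # expiry of the old CA certificate
        self.new_not_before = new_not_before      # day the new key is distributed and starts signing
        self.max_ee = timedelta(days=max_ee_validity_days)

    def overlap_ok(self):
        """Requirement (16): overlap >= longest possible end-entity validity."""
        return self.old_not_after - self.new_not_before >= self.max_ee

    def last_safe_old_issue_date(self):
        """Latest day the old key may issue an EE cert that does not outlive it."""
        return self.old_not_after - self.max_ee

    def can_issue_with_old_key(self, on):
        return on <= self.last_safe_old_issue_date()

    def signing_key_for_ee_cert(self, on):
        """Which key signs an end-entity certificate issued on day `on`."""
        if on >= self.new_not_before:
            return "new"                          # (15): only the new key after distribution
        if not self.can_issue_with_old_key(on):
            raise ValueError("EE certificate issued on %s would outlive the old CA key" % on)
        return "old"

    def crl_signers(self, on):
        """Keys that must publish a CRL on day `on`: old until it expires, new from distribution."""
        signers = []
        if on <= self.old_not_after:
            signers.append("old")
        if on >= self.new_not_before:
            signers.append("new")
        return signers


def plan(old_not_after, max_ee_validity_days, today):
    """Deadline by which the new key must be distributed, and the days left to it."""
    deadline = old_not_after - timedelta(days=max_ee_validity_days)
    return {"new_key_deadline": deadline,
            "days_left": (deadline - today).days,
            "old_key_signs_crls_until": old_not_after}


if __name__ == "__main__":
    # Assumed dates: root expiring 18 Oct 2010, 13-month EE certificates.
    print(plan(date(2010, 10, 18), 395, date(2009, 6, 1)))
```

With those assumptions the new key must be signing by 18 September 2009, which is the "by this September" of the Summary; a transition that starts a month later fails `overlap_ok()` and any end-entity certificate issued by the old key after the deadline is refused rather than silently outliving its issuer.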

Results of self-auditing: Score C
(25) Revocation requests must be properly authenticated.
  Finding: the authentication of revocation requests described in the CP/CPS covers only one case: a user who holds a valid certificate and the corresponding private key requests revocation of his/her own certificate or of a host certificate.
(6) (Uniqueness of the subject name.) Over the entire lifetime of the CA it must not be linked to any other entity.
  Finding: currently not yet implemented; we need to consider how to implement it.
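Requirement (6) is the subject-name uniqueness rule: a DN, once issued to an entity, may never be issued to a different entity for the lifetime of the CA, even after the original certificate has been revoked or has expired. Since the slide says this check is not yet implemented, here is one way to do it, written for this page as an added example and not code of AIST or the NAREGI CA software: a registry keyed on a canonical form of the DN that accepts both the OpenSSL slash notation used on the Grid and RFC 4514 notation, and that keeps the slash inside the `CN=host/fqdn` convention from being mistaken for an RDN separator. The entity identifiers such as `ra-0001` are assumed for illustration; in practice they would be the RA's record of the vetted person, or the FQDN for a host.

```python
import re


def normalise_dn(dn):
    """Canonical, root-first tuple of (ATTR, value) for a DN given either as
    /C=JP/O=AIST/OU=GRID/CN=... (OpenSSL) or CN=...,OU=...,C=JP (RFC 4514).
    Attribute types are upper-cased and values case-folded with whitespace
    collapsed, so two spellings of one name cannot both be registered."""
    dn = dn.strip()
    if dn.startswith("/"):
        # Split only at a '/' that starts a new 'attr=' pair, so the '/'
        # inside CN=host/fqdn stays part of the value.
        parts = re.split(r"/(?=[A-Za-z0-9.]+=)", dn[1:])
    else:
        parts = re.split(r"(?<!\\),", dn)   # a comma escaped as '\,' is not a separator
        parts.reverse()                     # RFC 4514 lists the leaf RDN first
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        value = " ".join(value.replace("\\,", ",").split())
        rdns.append((attr.strip().upper(), value.casefold()))
    return tuple(rdns)


class SubjectNameRegistry:
    """Binds each subject DN to exactly one entity for the lifetime of the CA.
    Entries are never removed: revocation or expiry of a certificate does not
    free its DN. A re-key or renewal for the same entity is allowed."""

    def __init__(self):
        self._owner = {}   # canonical DN -> entity identifier (RA record id, host FQDN, ...)

    def bind(self, dn, entity_id):
        key = normalise_dn(dn)
        owner = self._owner.get(key)
        if owner is None:
            self._owner[key] = entity_id
            return "new"
        if owner == entity_id:
            return "existing"   # same entity: renewal or re-key
        raise ValueError("DN %r is already linked to entity %r" % (dn, owner))

    def owner_of(self, dn):
        return self._owner.get(normalise_dn(dn))


def run_demo():
    """The cases an operator meets; returns the outcome of each request."""
    reg = SubjectNameRegistry()
    out = [reg.bind("/C=JP/O=AIST/OU=GRID/CN=Alice Tanaka", "ra-0001")]
    # Re-key for the same person, submitted in the other notation and case.
    out.append(reg.bind("CN=alice tanaka, OU=GRID, O=AIST, C=JP", "ra-0001"))
    try:
        # A second, different person with the same name must get a different DN.
        reg.bind("/C=JP/O=AIST/OU=GRID/CN=Alice Tanaka", "ra-0002")
        out.append("accepted")
    except ValueError:
        out.append("rejected")
    out.append(reg.bind("/C=JP/O=AIST/OU=GRID/CN=host/ng01.example.org", "ng01.example.org"))
    return out


if __name__ == "__main__":
    print(run_demo())
```

The registry must live in durable storage that is backed up with the rest of the CA state and must be consulted by the user administrator before approval, not only by the signing step; the one design choice to settle in the CP/CPS is what the entity identifier is, because the rule is about the person or host behind the DN, not the name string.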

Summary
- Revision of the CP/CPS and of operations will be made within 2 months.
- Our Root CA certificate will expire in October next year. We need to establish the transition procedure by this September!