FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Brazilian Grid Certification Authority (BrGrid CA) Vinod Rebello Universidade Federal Fluminense TAGPMA Face-to-Face Meeting Rio de Janeiro, Brazil,

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Introduction Repository Name Spaces Certificate and CRL profiles BrGrid CA Structure End Entity Identification and Verification Process Certificate Issuance Security controls Audit/Archive procedures Compromise procedures Disaster recovery What’s next and future plans Presentation Outline

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Traditional X.509 Public Key Certification Authority which issues long-term credentials. CP/CPS follows the IETF’s RFC 3647 –Version 0.5, OID Fully compliant with the IGTF Classic CA Profile, maintained by EUgridPMA. –Will issue X509 v3 certificates to support Brazilian academic R&D activities in eScience and Grid Computing. –CA key size 2048 bits RSA mod. Initial 5 year lifetime. –EE key size 1024 bits, certificates valid for one year. BrGrid CA Overview

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Universidade Federal Fluminense (UFF), Niterói, Brazil –Instituto de Computação  Smart Grid Computing Laboratory Vinod Rebello (CA Manager) Daniela Vianna Jacques da Silva Carlos Cunha (Technical support) Rafael Pereira (Technical support)  Web repository:  BrGrid CA Operations

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, The BrGrid CA will operate a high availability secure online repository that contains: –the BrGrid CA’s root certificate and any previous one necessary; –information to validate the integrity of the root certificate; –all certificates issued by the BrGrid CA; –URLs to text, DER and PEM formatted versions of the Certificate Revocation List ( –the current and all previous versions of approved CP/CPS documents; –a contact address for inquires and fault and incident reporting; –a postal contact address; –as well as any other information deemed relevant to the BrGrid CA service. As an accredited CA member of the TAGPMA, the BrGrid CA grants the IGTF and its PMAs the right of unlimited redistribution of this information. Secure Online Repository

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, The certificate subject names obey the X.501 standard. Subject names start with the fixed component to which a variable component is appended to make it unique. –/C=BR/O=BrGridCA/O=organization/OU=organizational- unit/CN=subject-name  /C=BR/O=BrGridCA/O=UFF/OU=IC/CN=John Smith –/C=BR/O=BrGridCA/O=organization/OU=org- unit/CN=host/host-dns-name  /C=BR/O=BrGridCA/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br –/C=BR/O=BrGridCA/O=organization/OU=org- unit/CN=service/host-dns-name  /C=BR/O=BrGridCA/O=UFF/OU=IC/CN=ldap/ca.ic.uff.br Are there benefits from using acronyms in the DN? Name Space

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Basic Constraints: critical, ca: true Subject Key Identifier: unique identifier of the subject key (composed of the 160-bit SHA-1 hash of the value of the certified public key). Authority Key Identifier: unique identifier of the issuing CA (composed of the 160-bit SHA-1 hash of the value of the public key of the BrGrid CA) Key Usage: critical, digitalSignature, nonRepudiation, keyCertSign, cRL Sign Extended Key Usage: timeStamping Netscape Cert Type: SSL Certificate Authority, Certificate Authority, Object Signing Netscape Comment: CP/CPS version and CA name X509v3 CRL Distribution Points: URI of the CRL Certificate policy Identifier: The OID of the BrGrid CA CP/CPS Certificate Profiles - CA

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Basic Constraints: critical, ca: false Subject Key Identifier: hash Authority Key Identifier: CA keyid Key Usage: critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment Extended Key Usage: clientAuth, Protection, codeSigning, timeStamping Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: CP/CPS version and CA name X509v3 CRL Distribution Points: URI of the CRL Subject alternative name: User address Issuer alternative name: BrGrid CA address Certificate policy Identifier: The OID of the BrGrid CA CP/CPS Certificate Profiles - Personal

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Basic Constraints: critical, ca: false Subject Key Identifier: hash Authority Key Identifier: CA keyid Key Usage: critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment Extended Key Usage: serverAuth, clientAuth, Protection, codeSigning, timeStamping Netscape Cert Type: SSL Server, SSL Client, S/MIME, Object Signing Netscape Comment: CP/CPS version and CA name X509v3 CRL Distribution Points: URI of the CRL Subject alternative name: Server DNS FQDN host name Issuer alternative name: BrGrid CA address Certificate policy Identifier: The OID of the BrGrid CA CP/CPS Certificate Profiles - Host/Service

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, The BrGrid CA creates and publishes X.509 version 2 Certificate Revocation Lists. The BrGrid CA shall issue complete CRLs for all certificates issued by it independently of the reason for the revocation. The CRL extensions that are included: –the Authority Key Identifier (equal to the issuer's key identifier); and –the CRL Number (a monotonically increasing sequence number). The CRL Reason Code and the Invalidity Date will also be included as a CRL entry extension. The CRL shall have a lifetime of at most 30 days. The CRL will include the date by which the next CRL should be issued. The BrGrid CA must publish in repository a new CRL at least 7 days before expiration or immediately after a revocation issued, whichever comes first. CRL Profile

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, BrGrid CA –CA Manager, CA Operators, CA tech support, CA Auditor –Offline dedicated signing machine and secure online repository –CA operations, registering RAs and maintaining BrGrid CA management software BrGrid CA RAs (RAs of the BrGrid CA) –RA manager appointed by his/her organization and RA Local Representatives chosen by RA Manager –Vetting (identification, authorization and entitlement) and issuing Certificate Signing Requests –CSR operations carried out through its specific RA SSL protected web interface of CA management software running on the BrGrid CA web server (requires bi-directional authentication) or (as a backup) through digitally signed . BrGrid CA and RAs

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, If an organization or unit intends to requests a number of certificates, it is encouraged to setup a BrGrid CA RA For first time requests, the CA (when request is to become an RA) or the RA (in the case of a certificate request from end entity) must ascertain: –whether or not that the organization or organizational unit exists; –is entitled to request BrGrid certificates; and –obtain competent information on who is entitled to sign documents on behalf of that institution. Organization Identification

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Verification of Affiliation The current relationship between the subscriber and the organization or unit mentioned in the subject name must be proved through: –a legally acceptable document; –an organization identity card; or –an official organization document stamped and signed by an official representative of that organization. The request may optionally be authorized through the digital signature of an official representative of the organization in possession of a valid BrGrid CA issued certificate. In special cases, an organization can provide the RA with access to official databases to verify the relationship.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Individuals are authenticated through the presentation of a valid identity document officially recognized under Brazilian Law. The individual should present himself in person to a BrGrid CA RA for their identity to be verified. At that moment, the individual must present: –Proof of their current relationship with the organization(s) to be specified in the DN; –Identity document with photograph; and –A photocopy of this documentation to be archived by the RA. But Brazil is the size of Europe… Identity Validation (1)

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, In exceptional cases, for example due to a subscriber’s geographical remote location, this presentation may be held by video conference. In this situation, an authenticated photocopy of all identity documentation together with the subscriber’s notarized signature must be sent by mail/courier to the RA manager (or the CA Manager in the case of setting up an RA) prior to the meeting. Note that “authenticated” and “notarized” refer to verifications made by a legally appointed (under Brazilian Law) notary public. Identity Validation (2)

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, For host or service certificates, the requests must be signed with a BrGrid CA issued personal certificate corresponding to the system administrator or person responsible of the resource. The RA corresponding to the organisation mentioned in the certificate request distinguish name will verify whether –the requester has the right to request a certificate for the intended host or service; and –the FQDN appears in the DNS. Host/Service Verification

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Certificate Issuance Upon successful authentication, an electronic copy of the requesting party's identification documents and the certification request shall be sent to the BrGrid CA via its management software or digitally signed . A CA operator shall transfer the CSR manually to the offline signing computer (i.e. not connected to any network) running only the services necessary for the CA operations. The certificate will be created and signed with the operator’s personally encrypted private key of BrGrid CA and then transferred back manually to the BrGrid CA repository. End Entities must acknowledge acceptance of certificates.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, The Br Grid CA is not operational. The CA management software is currently under development, evaluation and test. The repository is related to the management software development and thus only contains test data. Additional resources are being acquired for a CA environment containing a signing machine, CA Web server and repository, backup service, safe(s) and other security equipment (requires evaluation). Security issues also related to pending supercomputer installation at IC-UFF. Current Status

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, The BrGrid CA equipment is housed within the post graduation laboratory of IC-UFF. Located inside a federal building, access to the grounds and premises are controlled (and protected) by security guards and cameras. IC-UFF maintains an access control system to the laboratory. –All accesses to the CA web server are limited to BrGrid CA personnel and system administrators of IC-UFF.  Analyzed daily for breaches in system security. –The BrGrid CA signing machine is offline at all times and secured in a safe when not in use together with:  Personal encrypted copies of the CA’s private key kept on removable storage media;  CA audit data stored on read-only DVD or CD; and  backup copies and snapshot of CA system kept on DVD or CD. –The safe itself is housed in a lock room where access is logged and restricted to authorized personnel. Security Controls

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Events such as certificate lifecycle operations, access attempts and requests to RAs and the CA will be logged. –The audit log files shall be processed and archived once a month, or after a security breach is suspected or known. –Audit data on the BrGrid CA web server will be analyzed daily for potential breaches of system security automatically. –While in the system, the audit logs are protected by the file system security mechanisms and shall only be accessible to the BrGrid CA Manager, Auditor and system administrators. –When processed, the archives are copied to a read only off- line medium (to prevent modification) in an encrypted form and stored in a safe place. –Only an external auditor and CA personnel will have access to this archive. Audit/Archive Procedures

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, If the private key of the BrGrid CA is compromised (or suspected of being) the CA Manager must: –Make every reasonable effort to notify subscribers and RAs; –Terminate the issuing and distributing of certificates and CRLs; –Generate a new CA key pair and certificate, and publish the certificate in the repository; –Revoke all certificates signed that have been previously signed by the compromised key; –Publish the new CRL on the BrGrid CA repository; –Notify relevant security contacts; and –Notify all relying parties and cross-certifying CAs, of which the CA is aware, as widely as possible. Compromise Procedure (1)

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, If the keys of an end entity are lost or compromised, the appropriate RA must be informed immediately in order to start the certificate revocation process. If an RA Manager’s private key is compromised or suspected to be compromised, the RA Manager must inform the CA and request revocation. Web interface will be available for trouble and incident reporting by relying parties. CA Manager will receive notification via cell phone. Compromise Procedure (2)

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, In order to resume operations as soon as possible after corruption, the following precautions shall be performed: –all CA software shall be backed-up on a removable medium after a new release or modifications to any of its components have been installed; –all data files of the offline CA shall be backed-up on a removable medium after each change, before the session is closed. In case of corruption, the CA systems are either repaired or rebuilt from the last good backup. The BrGrid CA operates a secondary web server/repository. If all but one of the encrypted copies of the private key been destroyed or lost and none of the keys were comprised, CA operations shall be re-established without need to revoke issued certificates. Disaster Recovery (1)

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, All critical CA data necessary for the successful operation of the BrGrid CA will be stored securely at an off-site location. In the case of a major disaster, where critical CA information is completely lost, the CA will suspend operations as in the case of CA private key compromise. Disaster Recovery (2)

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, Implementation and extensive testing of CA management software Installation of new CA infrastructure Training of CA and RA personnel (quality of service) Test procedures and develop an Operations Manual Objective: fully operational and ready for “complete” accreditation by the next F2F TAGPMA meeting in July RNP’s Hardware Security Module –Still at the prototype stage, when HSM will be available is unclear. –Certification acceptability and cost? What’s Next and Future Plans