
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America The Brazilian Grid Certification Authority.




1 FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America
The Brazilian Grid Certification Authority (BrGrid CA)
Vinod Rebello, Universidade Federal Fluminense
TAGPMA Face-to-Face Meeting, Rio de Janeiro, Brazil, 27-29.03.2006

2 Presentation Outline
FP6−2004−Infrastructures−6-SSA-026409 E-infrastructure shared between Europe and Latin America TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006
Introduction
Repository
Name Spaces
Certificate and CRL profiles
BrGrid CA Structure
End Entity Identification and Verification Process
Certificate Issuance
Security controls
Audit/Archive procedures
Compromise procedures
Disaster recovery
What’s next and future plans

3 BrGrid CA Overview
Traditional X.509 Public Key Certification Authority which issues long-term credentials.
CP/CPS follows the IETF’s RFC 3647
–Version 0.5, OID 1.3.6.1.4.1.24839.2.1.10.1.1.0.5
Fully compliant with the IGTF Classic CA Profile, maintained by EUGridPMA.
–Will issue X.509 v3 certificates to support Brazilian academic R&D activities in eScience and Grid Computing.
–CA key size: 2048-bit RSA modulus. Initial 5-year lifetime.
–EE key size: 1024 bits; certificates valid for one year.

4 BrGrid CA Operations
Universidade Federal Fluminense (UFF), Niterói, Brazil
–Instituto de Computação
 Smart Grid Computing Laboratory
Vinod Rebello (CA Manager)
Daniela Vianna
Jacques da Silva
Carlos Cunha (Technical support)
Rafael Pereira (Technical support)
 Web repository: http://brgrid-ca.ic.uff.br/
 Email: brgrid-ca@ic.uff.br

5 Secure Online Repository
The BrGrid CA will operate a high availability secure online repository that contains:
–the BrGrid CA’s root certificate and any previous one necessary;
–information to validate the integrity of the root certificate;
–all certificates issued by the BrGrid CA;
–URLs to text, DER and PEM formatted versions of the Certificate Revocation List (http://brgrid-ca.ic.uff.br/crl);
–the current and all previous versions of approved CP/CPS documents;
–a contact email address for inquiries and fault and incident reporting;
–a postal contact address;
–as well as any other information deemed relevant to the BrGrid CA service.
As an accredited CA member of the TAGPMA, the BrGrid CA grants the IGTF and its PMAs the right of unlimited redistribution of this information.

6 Name Space
The certificate subject names obey the X.501 standard. Subject names start with the fixed component, to which a variable component is appended to make it unique.
–/C=BR/O=BrGridCA/O=organization/OU=organizational-unit/CN=subject-name
 /C=BR/O=BrGridCA/O=UFF/OU=IC/CN=John Smith
–/C=BR/O=BrGridCA/O=organization/OU=org-unit/CN=host/host-dns-name
 /C=BR/O=BrGridCA/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br
–/C=BR/O=BrGridCA/O=organization/OU=org-unit/CN=service/host-dns-name
 /C=BR/O=BrGridCA/O=UFF/OU=IC/CN=ldap/ca.ic.uff.br
Are there benefits from using acronyms in the DN?
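A relying party or RA that accepts certificates from this CA usually wants a mechanical check that a subject DN really falls inside the published name space (the same idea as an IGTF signing-policy namespace constraint). The following Python is an added example, not part of the slides and not the BrGrid CA’s own management software: it parses a one-line OpenSSL-style DN, enforces the fixed /C=BR/O=BrGridCA prefix and the /O=organization/OU=unit/CN=subject structure shown above, and classifies the subject as a personal, host or service certificate. The syntax rules for FQDNs and service names, and the function names, are this example’s own assumptions; the slides only give the DN patterns.

```python
import re

# Fixed component of the BrGrid CA name space (from the "Name Space" slide).
FIXED_PREFIX = (("C", "BR"), ("O", "BrGridCA"))

# Assumed syntax checks (not stated on the slide): a host/service CN must end in a
# multi-label DNS name, and a service tag is a short lower-case token such as "ldap".
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$",
    re.IGNORECASE,
)
_SERVICE_RE = re.compile(r"^[a-z][a-z0-9-]{0,31}$")


def parse_dn(dn):
    """Split '/C=BR/O=BrGridCA/.../CN=...' into an ordered list of (attr, value).

    The split happens only at a '/' that begins a new attr=value pair, so the '/'
    inside 'CN=host/ce.if.ufrj.br' stays part of the CN value.
    """
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    rdns = []
    for part in re.split(r"/(?=[A-Za-z]+=)", dn[1:]):
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value))
    return rdns


def classify_subject(dn):
    """Describe the subject as a dict, or raise ValueError if the DN is outside
    the BrGrid CA name space."""
    rdns = parse_dn(dn)
    if len(rdns) != 5:
        raise ValueError("expected exactly /C/O/O/OU/CN")
    if tuple(rdns[:2]) != FIXED_PREFIX:
        raise ValueError("fixed component must be /C=BR/O=BrGridCA")
    if [attr for attr, _ in rdns[2:]] != ["O", "OU", "CN"]:
        raise ValueError("variable component must be /O=organization/OU=unit/CN=subject")
    org, unit, cn = (value for _, value in rdns[2:])
    if cn.startswith("host/"):
        fqdn = cn[len("host/"):]
        if not _FQDN_RE.match(fqdn):
            raise ValueError(f"host CN needs a valid FQDN, got {fqdn!r}")
        return {"kind": "host", "org": org, "unit": unit, "fqdn": fqdn}
    if "/" in cn:
        service, fqdn = cn.split("/", 1)
        if not _SERVICE_RE.match(service) or not _FQDN_RE.match(fqdn):
            raise ValueError(f"service CN must be service/FQDN, got {cn!r}")
        return {"kind": "service", "org": org, "unit": unit,
                "service": service, "fqdn": fqdn}
    if cn != cn.strip():
        raise ValueError("personal CN must not have leading/trailing spaces")
    return {"kind": "personal", "org": org, "unit": unit, "name": cn}


def is_in_namespace(dn):
    """Boolean form, suitable as a pre-check before an RA forwards a CSR."""
    try:
        classify_subject(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The first three DNs are the slide's own examples; the last is a constructed rejection.
    for dn in ("/C=BR/O=BrGridCA/O=UFF/OU=IC/CN=John Smith",
               "/C=BR/O=BrGridCA/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br",
               "/C=BR/O=BrGridCA/O=UFF/OU=IC/CN=ldap/ca.ic.uff.br",
               "/C=US/O=BrGridCA/O=UFF/OU=IC/CN=Jane Doe"):
        print(dn, "->", classify_subject(dn) if is_in_namespace(dn) else "REJECTED")
```

Note that this check only says whether a DN is syntactically inside the name space; whether the requester is entitled to that organization, unit or host is the RA’s vetting task described on the later slides.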

7 Certificate Profiles - CA
Basic Constraints: critical, ca: true
Subject Key Identifier: unique identifier of the subject key (composed of the 160-bit SHA-1 hash of the value of the certified public key).
Authority Key Identifier: unique identifier of the issuing CA (composed of the 160-bit SHA-1 hash of the value of the public key of the BrGrid CA).
Key Usage: critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
Extended Key Usage: timeStamping
Netscape Cert Type: SSL Certificate Authority, Email Certificate Authority, Object Signing
Netscape Comment: CP/CPS version and CA name
X509v3 CRL Distribution Points: URI of the CRL
Certificate Policy Identifier: the OID of the BrGrid CA CP/CPS

8 Certificate Profiles - Personal
Basic Constraints: critical, ca: false
Subject Key Identifier: hash
Authority Key Identifier: CA keyid
Key Usage: critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
Extended Key Usage: clientAuth, emailProtection, codeSigning, timeStamping
Netscape Cert Type: SSL Client, S/MIME, Object Signing
Netscape Comment: CP/CPS version and CA name
X509v3 CRL Distribution Points: URI of the CRL
Subject Alternative Name: user e-mail address
Issuer Alternative Name: BrGrid CA e-mail address
Certificate Policy Identifier: the OID of the BrGrid CA CP/CPS

9 Certificate Profiles - Host/Service
Basic Constraints: critical, ca: false
Subject Key Identifier: hash
Authority Key Identifier: CA keyid
Key Usage: critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
Extended Key Usage: serverAuth, clientAuth, emailProtection, codeSigning, timeStamping
Netscape Cert Type: SSL Server, SSL Client, S/MIME, Object Signing
Netscape Comment: CP/CPS version and CA name
X509v3 CRL Distribution Points: URI of the CRL
Subject Alternative Name: server DNS FQDN host name
Issuer Alternative Name: BrGrid CA e-mail address
Certificate Policy Identifier: the OID of the BrGrid CA CP/CPS

10 CRL Profile
The BrGrid CA creates and publishes X.509 version 2 Certificate Revocation Lists.
The BrGrid CA shall issue complete CRLs for all certificates issued by it, independently of the reason for the revocation.
The CRL extensions that are included:
–the Authority Key Identifier (equal to the issuer’s key identifier); and
–the CRL Number (a monotonically increasing sequence number).
The CRL Reason Code and the Invalidity Date will also be included as CRL entry extensions.
The CRL shall have a lifetime of at most 30 days. The CRL will include the date by which the next CRL should be issued.
The BrGrid CA must publish a new CRL in the repository at least 7 days before expiration or immediately after a revocation is issued, whichever comes first.
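The publication rules above reduce to a small scheduling calculation that a CA operator (or an external monitor watching the repository) can run. The following Python is an added example, not the BrGrid CA’s software: given a CRL’s thisUpdate and nextUpdate and the times of any revocations issued since, it checks the 30-day lifetime bound and the monotonic CRL Number, derives the latest moment a new CRL must be published (7 days before expiry or the first revocation, whichever is earlier), and reports whether the CA is currently within policy. The function names and the sample dates are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Policy values taken from the CRL Profile slide.
MAX_CRL_LIFETIME = timedelta(days=30)   # CRL lifetime of at most 30 days
REISSUE_MARGIN = timedelta(days=7)      # new CRL at least 7 days before expiry


def crl_validity_ok(this_update, next_update):
    """True if the thisUpdate/nextUpdate window respects the 30-day maximum."""
    return this_update < next_update and next_update - this_update <= MAX_CRL_LIFETIME


def next_crl_number(previous):
    """The CRL Number extension must be monotonically increasing."""
    if previous < 0:
        raise ValueError("CRL number must be non-negative")
    return previous + 1


def reissue_deadline(this_update, next_update, revocations=()):
    """Latest moment a replacement CRL must be in the repository.

    Either 7 days before nextUpdate or the first revocation issued after
    thisUpdate, whichever comes first (a revocation requires immediate reissue).
    """
    if not crl_validity_ok(this_update, next_update):
        raise ValueError("CRL validity window violates the profile")
    # Clamp so a very short-lived CRL never yields a deadline before its own issue time.
    deadline = max(this_update, next_update - REISSUE_MARGIN)
    pending = [t for t in revocations if t > this_update]
    if pending:
        deadline = min(deadline, min(pending))
    return deadline


def crl_publication_status(now, this_update, next_update, revocations=()):
    """'ok' (nothing due yet), 'due' (publish now) or 'expired' (relying
    parties no longer have a valid CRL)."""
    if now >= next_update:
        return "expired"
    if now >= reissue_deadline(this_update, next_update, revocations):
        return "due"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a CRL issued on 1 March 2006 with the maximum lifetime.
    issued = datetime(2006, 3, 1, tzinfo=timezone.utc)
    expires = issued + MAX_CRL_LIFETIME
    revoked_at = issued + timedelta(days=5)
    print("reissue by (no revocations):", reissue_deadline(issued, expires))
    print("reissue by (revocation on day 5):", reissue_deadline(issued, expires, [revoked_at]))
    print("status on day 10, no revocations:",
          crl_publication_status(issued + timedelta(days=10), issued, expires))
    print("status on day 10 with a revocation:",
          crl_publication_status(issued + timedelta(days=10), issued, expires, [revoked_at]))
```

Running the same check from outside the CA (fetching the CRL from http://brgrid-ca.ic.uff.br/crl and feeding its dates in) gives relying parties an early warning that a CRL is about to lapse, which matters because a missing or expired CRL makes every certificate from the CA unverifiable.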

11 BrGrid CA and RAs
BrGrid CA
–CA Manager, CA Operators, CA tech support, CA Auditor
–Offline dedicated signing machine and secure online repository
–CA operations, registering RAs and maintaining the BrGrid CA management software
BrGrid CA RAs (RAs of the BrGrid CA)
–RA Manager appointed by his/her organization, and RA Local Representatives chosen by the RA Manager
–Vetting (identification, authorization and entitlement) and issuing Certificate Signing Requests
–CSR operations carried out through the RA’s own SSL-protected web interface of the CA management software running on the BrGrid CA web server (requires bi-directional authentication) or, as a backup, through digitally signed e-mail.

12 Organization Identification
If an organization or unit intends to request a number of certificates, it is encouraged to set up a BrGrid CA RA.
For first-time requests, the CA (when the request is to become an RA) or the RA (in the case of a certificate request from an end entity) must ascertain:
–whether or not the organization or organizational unit exists;
–whether it is entitled to request BrGrid certificates; and
–competent information on who is entitled to sign documents on behalf of that institution.

13 Verification of Affiliation
The current relationship between the subscriber and the organization or unit mentioned in the subject name must be proved through:
–a legally acceptable document;
–an organization identity card; or
–an official organization document stamped and signed by an official representative of that organization.
The request may optionally be authorized through the digital signature of an official representative of the organization in possession of a valid BrGrid CA issued certificate.
In special cases, an organization can provide the RA with access to official databases to verify the relationship.

14 Identity Validation (1)
Individuals are authenticated through the presentation of a valid identity document officially recognized under Brazilian Law.
The individual should present himself in person to a BrGrid CA RA for their identity to be verified. At that moment, the individual must present:
–Proof of their current relationship with the organization(s) to be specified in the DN;
–Identity document with photograph; and
–A photocopy of this documentation to be archived by the RA.
But Brazil is the size of Europe…

15 Identity Validation (2)
In exceptional cases, for example due to a subscriber’s geographically remote location, this presentation may be held by video conference.
In this situation, an authenticated photocopy of all identity documentation, together with the subscriber’s notarized signature, must be sent by mail/courier to the RA Manager (or the CA Manager in the case of setting up an RA) prior to the meeting.
Note that “authenticated” and “notarized” refer to verifications made by a notary public legally appointed under Brazilian Law.

16 Host/Service Verification
For host or service certificates, the requests must be signed with a BrGrid CA issued personal certificate corresponding to the system administrator or person responsible for the resource.
The RA corresponding to the organisation mentioned in the certificate request’s distinguished name will verify whether:
–the requester has the right to request a certificate for the intended host or service; and
–the FQDN appears in the DNS.

17 Certificate Issuance
Upon successful authentication, an electronic copy of the requesting party’s identification documents and the certification request shall be sent to the BrGrid CA via its management software or digitally signed e-mail.
A CA operator shall transfer the CSR manually to the offline signing computer (i.e. not connected to any network) running only the services necessary for the CA operations.
The certificate will be created and signed with the operator’s personally encrypted copy of the BrGrid CA private key and then transferred back manually to the BrGrid CA repository.
End Entities must acknowledge acceptance of certificates.

18 Current Status
The BrGrid CA is not operational. The CA management software is currently under development, evaluation and test.
The repository is tied to the management software development and thus only contains test data.
Additional resources are being acquired for a CA environment containing a signing machine, CA web server and repository, backup service, safe(s) and other security equipment (requires evaluation).
Security issues are also related to the pending supercomputer installation at IC-UFF.

19 Security Controls
The BrGrid CA equipment is housed within the post-graduate laboratory of IC-UFF. Located inside a federal building, access to the grounds and premises is controlled (and protected) by security guards and cameras. IC-UFF maintains an access control system for the laboratory.
–All access to the CA web server is limited to BrGrid CA personnel and system administrators of IC-UFF.
 Analyzed daily for breaches in system security.
–The BrGrid CA signing machine is offline at all times and secured in a safe when not in use, together with:
 personal encrypted copies of the CA’s private key kept on removable storage media;
 CA audit data stored on read-only DVD or CD; and
 backup copies and snapshots of the CA system kept on DVD or CD.
–The safe itself is housed in a locked room where access is logged and restricted to authorized personnel.

20 Audit/Archive Procedures
Events such as certificate lifecycle operations, access attempts and requests to RAs and the CA will be logged.
–The audit log files shall be processed and archived once a month, or after a security breach is suspected or known.
–Audit data on the BrGrid CA web server will be analyzed automatically every day for potential breaches of system security.
–While in the system, the audit logs are protected by the file system security mechanisms and shall only be accessible to the BrGrid CA Manager, Auditor and system administrators.
–When processed, the archives are copied to a read-only off-line medium (to prevent modification) in an encrypted form and stored in a safe place.
–Only an external auditor and CA personnel will have access to this archive.

21 Compromise Procedure (1)
If the private key of the BrGrid CA is compromised (or suspected of being), the CA Manager must:
–Make every reasonable effort to notify subscribers and RAs;
–Terminate the issuing and distributing of certificates and CRLs;
–Generate a new CA key pair and certificate, and publish the certificate in the repository;
–Revoke all certificates that have previously been signed by the compromised key;
–Publish the new CRL on the BrGrid CA repository;
–Notify relevant security contacts; and
–Notify all relying parties and cross-certifying CAs, of which the CA is aware, as widely as possible.

22 Compromise Procedure (2)
If the keys of an end entity are lost or compromised, the appropriate RA must be informed immediately in order to start the certificate revocation process.
If an RA Manager’s private key is compromised or suspected to be compromised, the RA Manager must inform the CA and request revocation.
A web interface will be available for trouble and incident reporting by relying parties. The CA Manager will receive notification via cell phone.

23 Disaster Recovery (1)
In order to resume operations as soon as possible after corruption, the following precautions shall be performed:
–all CA software shall be backed up on a removable medium after a new release or modifications to any of its components have been installed;
–all data files of the offline CA shall be backed up on a removable medium after each change, before the session is closed.
In case of corruption, the CA systems are either repaired or rebuilt from the last good backup.
The BrGrid CA operates a secondary web server/repository.
If all but one of the encrypted copies of the private key have been destroyed or lost, and none of the keys were compromised, CA operations shall be re-established without the need to revoke issued certificates.

24 Disaster Recovery (2)
All critical CA data necessary for the successful operation of the BrGrid CA will be stored securely at an off-site location.
In the case of a major disaster, where critical CA information is completely lost, the CA will suspend operations as in the case of CA private key compromise.

25 What’s Next and Future Plans
Implementation and extensive testing of CA management software
Installation of new CA infrastructure
Training of CA and RA personnel (quality of service)
Test procedures and develop an Operations Manual
Objective: fully operational and ready for “complete” accreditation by the next F2F TAGPMA meeting in July 2006.
RNP’s Hardware Security Module
–Still at the prototype stage; when the HSM will be available is unclear.
–Certification acceptability and cost?

