Brazil Presentation Vinod Rebello TAGPMA
E-infrastructure shared between Europe and Latin America

The Brazilian Grid Certification Authority (BrGrid CA)

Vinod Rebello
Universidade Federal Fluminense
TAGPMA Face-to-Face Meeting
Rio de Janeiro, Brazil, 27-29.03.2006

www.eu-eela.org
FP6−2004−Infrastructures−6-SSA-026409

Presentation Outline

   •   Introduction
   •   Repository
   •   Name Spaces
   •   Certificate and CRL profiles
   •   BrGrid CA Structure
   •   End Entity Identification and Verification Process
   •   Certificate Issuance
   •   Security controls
   •   Audit/Archive procedures
   •   Compromise procedures
   •   Disaster recovery
   •   What’s next and future plans

FP6−2004−Infrastructures−6-SSA-026409                       TAGPMA F2F Meeting, Rio de Janeiro, Brazil, 27-29.01.2006   2

BrGrid CA Overview

   • Traditional X.509 Public Key Certification Authority
     which issues long-term credentials.
   • CP/CPS follows the IETF’s RFC 3647
         – Version 0.5, OID 1.3.6.1.4.1.24839.2.1.10.1.1.0.5
   • Fully compliant with the IGTF Classic CA Profile,
     maintained by EUgridPMA.
         – Will issue X.509 v3 certificates to support Brazilian academic
           R&D activities in eScience and Grid Computing.
         – CA key: 2048-bit RSA modulus; initial lifetime of 5 years.
         – EE key size: 1024 bits; certificates valid for one year.





BrGrid CA Operations

   • Universidade Federal Fluminense (UFF), Niterói, Brazil
         – Instituto de Computação
             Smart Grid Computing Laboratory
                 • Vinod Rebello (CA Manager)
                 • Daniela Vianna
                 • Jacques da Silva
                 • Carlos Cunha (Technical support)
                 • Rafael Pereira (Technical support)
             Web repository: http://brgrid-ca.ic.uff.br/
             Email: brgrid-ca@ic.uff.br





Secure Online Repository

  • The BrGrid CA will operate a high-availability secure online
    repository that contains:
       –   the BrGrid CA’s root certificate and any previous ones still needed;
       –   information to validate the integrity of the root certificate;
       –   all certificates issued by the BrGrid CA;
       –   URLs to text, DER and PEM formatted versions of the Certificate
           Revocation List (http://brgrid-ca.ic.uff.br/crl);
       –   the current and all previous versions of approved CP/CPS documents;
       –   a contact email address for inquiries and for fault and incident reporting;
       –   a postal contact address;
       –   as well as any other information deemed relevant to the BrGrid CA
           service.
  • As an accredited CA member of the TAGPMA, the BrGrid CA
    grants the IGTF and its PMAs the right of unlimited redistribution
    of this information.


Name Space

  • The certificate subject names obey the X.501 standard.
  • Subject names start with the fixed component, to which a variable
    component is appended to make the name unique:
       – /C=BR/O=BrGridCA/O=organization/OU=organizational-unit/CN=subject-name
             /C=BR/O=BrGridCA/O=UFF/OU=IC/CN=John Smith
       – /C=BR/O=BrGridCA/O=organization/OU=org-unit/CN=host/host-dns-name
             /C=BR/O=BrGridCA/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br
       – /C=BR/O=BrGridCA/O=organization/OU=org-unit/CN=service/host-dns-name
             /C=BR/O=BrGridCA/O=UFF/OU=IC/CN=ldap/ca.ic.uff.br
  • Are there benefits from using acronyms in the DN?
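The three templates above are the kind of rule an RA front end (before a CSR is accepted) or a relying party's namespace policy enforces: every DN must carry the fixed /C=BR/O=BrGridCA prefix, exactly one organization and one unit, and a CN that is a person's name, host/FQDN or service/FQDN. The checker below is an added example, not the CA's own software or namespace file; the regular expressions are my assumed encoding of the slide's templates, and the only subtlety worth noticing is that the OpenSSL one-line DN format uses "/" both as the RDN separator and inside host and service common names, so a naive split on "/" would mangle CN=host/ce.if.ufrj.br.

```python
import re

# Fixed components every BrGrid DN must begin with, and the attribute
# layout after them (organization, unit, common name), per the slide.
FIXED = [("C", "BR"), ("O", "BrGridCA")]
LAYOUT = ["C", "O", "O", "OU", "CN"]

# Assumed encodings of the three CN shapes (not the CA's own policy file).
FQDN = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+"
HOST_CN = re.compile(r"^host/(?P<fqdn>%s)$" % FQDN, re.I)
SERVICE_CN = re.compile(r"^(?P<service>[a-z][a-z0-9-]*)/(?P<fqdn>%s)$" % FQDN, re.I)
PERSON_CN = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ .'-])*$")   # letters (any script), space . ' -


def parse_dn(dn):
    """Split an OpenSSL one-line DN into ordered (attribute, value) pairs.
    Only a '/' followed by 'attr=' separates RDNs, so a value such as
    'host/ce.if.ufrj.br' keeps its internal slash."""
    if not dn.startswith("/"):
        raise ValueError("DN must begin with '/'")
    pairs = []
    for rdn in re.split(r"/(?=[A-Za-z]+=)", dn[1:]):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr or not value:
            raise ValueError("malformed RDN %r" % rdn)
        pairs.append((attr, value))
    return pairs


def classify_dn(dn):
    """Return (kind, fields) when dn fits the BrGrid namespace, where kind is
    'person', 'host' or 'service'; raise ValueError naming the first violation."""
    pairs = parse_dn(dn)
    if pairs[:len(FIXED)] != FIXED:
        raise ValueError("DN does not start with the fixed components /C=BR/O=BrGridCA")
    attrs = [a for a, _ in pairs]
    if attrs != LAYOUT:
        raise ValueError("expected /C/O/O/OU/CN layout, got /" + "/".join(attrs))
    fields = {"org": pairs[2][1], "ou": pairs[3][1]}
    cn = pairs[4][1]
    m = HOST_CN.match(cn)
    if m:
        return "host", {**fields, "fqdn": m.group("fqdn").lower()}
    m = SERVICE_CN.match(cn)
    if m:
        return "service", {**fields, "service": m.group("service").lower(),
                           "fqdn": m.group("fqdn").lower()}
    if "/" in cn:
        raise ValueError("CN %r has a '/' but is neither host/FQDN nor service/FQDN" % cn)
    if cn != cn.strip() or not PERSON_CN.match(cn):
        raise ValueError("CN %r is not an acceptable personal name" % cn)
    return "person", {**fields, "name": cn}


def check_dn(dn):
    """Wrapper for batch use: ('accept', kind) or ('reject', reason)."""
    try:
        kind, _ = classify_dn(dn)
        return "accept", kind
    except ValueError as err:
        return "reject", str(err)


if __name__ == "__main__":
    # Constructed inputs: the slide's three examples plus three violations.
    for dn in ["/C=BR/O=BrGridCA/O=UFF/OU=IC/CN=John Smith",
               "/C=BR/O=BrGridCA/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br",
               "/C=BR/O=BrGridCA/O=UFF/OU=IC/CN=ldap/ca.ic.uff.br",
               "/C=BR/O=OtherCA/O=UFF/OU=IC/CN=John Smith",
               "/C=BR/O=BrGridCA/O=UFF/CN=John Smith",
               "/C=BR/O=BrGridCA/O=UFF/OU=IC/CN=host/ce"]:
        print(dn, "->", check_dn(dn))
```

Rejections are deliberately specific (wrong prefix, wrong layout, malformed CN) so an RA operator sees which part of the template a request violates; the FQDN in host and service names is lower-cased on output because DNS names are case-insensitive, while a person's CN is kept exactly as submitted since it must match the identity documents.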

Certificate Profiles - CA

  •    Basic Constraints: critical, ca: true
  •    Subject Key Identifier: unique identifier of the subject key
       (composed of the 160-bit SHA-1 hash of the value of the certified
       public key).
  •    Authority Key Identifier: unique identifier of the issuing CA
       (composed of the 160-bit SHA-1 hash of the value of the public
       key of the BrGrid CA)
  •    Key Usage: critical, digitalSignature, nonRepudiation,
       keyCertSign, cRLSign
  •    Extended Key Usage: timeStamping
  •    Netscape Cert Type: SSL Certificate Authority, Email Certificate
       Authority, Object Signing
  •    Netscape Comment: CP/CPS version and CA name
  •    X509v3 CRL Distribution Points: URI of the CRL
  •    Certificate policy Identifier: The OID of the BrGrid CA CP/CPS


Certificate Profiles - Personal

  •    Basic Constraints: critical, ca: false
  •    Subject Key Identifier: hash
  •    Authority Key Identifier: CA keyid
  •    Key Usage: critical, digitalSignature, nonRepudiation,
       keyEncipherment, dataEncipherment
  •    Extended Key Usage: clientAuth, emailProtection, codeSigning,
       timeStamping
  •    Netscape Cert Type: SSL Client, S/MIME, Object Signing
  •    Netscape Comment: CP/CPS version and CA name
  •    X509v3 CRL Distribution Points: URI of the CRL
  •    Subject alternative name: User E-mail address
  •    Issuer alternative name: BrGrid CA E-mail address
  •    Certificate policy Identifier: The OID of the BrGrid CA CP/CPS


Certificate Profiles - Host/Service

  •    Basic Constraints: critical, ca: false
  •    Subject Key Identifier: hash
  •    Authority Key Identifier: CA keyid
  •    Key Usage: critical, digitalSignature, nonRepudiation,
       keyEncipherment, dataEncipherment
  •    Extended Key Usage: serverAuth, clientAuth, emailProtection,
       codeSigning, timeStamping
  •    Netscape Cert Type: SSL Server, SSL Client, S/MIME, Object
       Signing
  •    Netscape Comment: CP/CPS version and CA name
  •    X509v3 CRL Distribution Points: URI of the CRL
  •    Subject alternative name: Server DNS FQDN host name
  •    Issuer alternative name: BrGrid CA E-mail address
  •    Certificate policy Identifier: The OID of the BrGrid CA CP/CPS
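A profile like the two end-entity profiles above is only useful if someone verifies that issued certificates actually match it, both during CA software testing and later during audit. The checker below is an added example, not the CA's own tooling: it parses the text form `openssl x509 -text -noout` prints (the extension names and wording are OpenSSL's), compares the extensions against the personal and host/service profiles as stated on the slides, and reports every deviation. The sample certificate text is constructed (subject, key identifiers, e-mail and CRL file name are made up; the CP/CPS OID and CRL base URL are the slides'). MIN_KEY_BITS reproduces the 1024-bit EE key size the slides state; that value is far below current practice and is reproduced only to mirror the 2006 profile.

```python
import re

CPS_OID = "1.3.6.1.4.1.24839.2.1.10.1.1.0.5"   # CP/CPS OID from the slides
MIN_KEY_BITS = 1024                            # 2006 EE key size from the slides; not a recommendation

# Expected extension contents per profile, in the wording `openssl x509 -text` prints.
COMMON = {
    "X509v3 Basic Constraints": (True, {"CA:FALSE"}),
    "X509v3 Key Usage": (True, {"Digital Signature", "Non Repudiation",
                                "Key Encipherment", "Data Encipherment"}),
}
PROFILES = {
    "personal": {**COMMON,
        "X509v3 Extended Key Usage": (False, {"TLS Web Client Authentication",
                                              "E-mail Protection", "Code Signing", "Time Stamping"}),
        "Netscape Cert Type": (False, {"SSL Client", "S/MIME", "Object Signing"})},
    "host": {**COMMON,
        "X509v3 Extended Key Usage": (False, {"TLS Web Server Authentication",
                                              "TLS Web Client Authentication", "E-mail Protection",
                                              "Code Signing", "Time Stamping"}),
        "Netscape Cert Type": (False, {"SSL Server", "SSL Client", "S/MIME", "Object Signing"})},
}
SAN_PREFIX = {"personal": "email:", "host": "DNS:"}
MUST_BE_PRESENT = ["X509v3 Subject Key Identifier", "X509v3 Authority Key Identifier",
                   "Netscape Comment", "X509v3 CRL Distribution Points",
                   "X509v3 Issuer Alternative Name"]

# Constructed sample of a personal certificate's text dump (not a real BrGrid certificate).
SAMPLE_PERSONAL_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=BR, O=BrGridCA, O=UFF, OU=IC, CN=John Smith
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:01:02:03:04
            X509v3 Authority Key Identifier:
                keyid:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Code Signing, Time Stamping
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                BrGrid CA CP/CPS v0.5
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://brgrid-ca.ic.uff.br/crl/brgrid-ca.crl
            X509v3 Subject Alternative Name:
                email:john.smith@ic.uff.br
            X509v3 Issuer Alternative Name:
                email:brgrid-ca@ic.uff.br
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.24839.2.1.10.1.1.0.5
    Signature Algorithm: sha1WithRSAEncryption
"""


def parse_cert_text(text):
    """Extract key size and the extension block: name -> (critical?, value lines).
    Extension headers sit at 12 spaces of indent in openssl's output, their
    values deeper; the 4-space 'Signature Algorithm' line closes the block."""
    info = {"key_bits": None, "extensions": {}}
    m = re.search(r"Public-Key: \((\d+) bit\)", text)
    info["key_bits"] = int(m.group(1)) if m else None
    in_ext, current = False, None
    for line in text.splitlines():
        if line.strip() == "X509v3 extensions:":
            in_ext = True
            continue
        if not in_ext:
            continue
        indent = len(line) - len(line.lstrip())
        if indent < 12:
            break
        if indent == 12:
            name, _, flag = line.strip().partition(":")
            current = name.strip()
            info["extensions"][current] = (flag.strip() == "critical", [])
        elif current:
            info["extensions"][current][1].append(line.strip())
    return info


def check_profile(text, kind):
    """List every way the certificate text deviates from PROFILES[kind]; [] means it conforms."""
    cert = parse_cert_text(text)
    ext, problems = cert["extensions"], []
    if cert["key_bits"] is None or cert["key_bits"] < MIN_KEY_BITS:
        problems.append("RSA key smaller than %d bits" % MIN_KEY_BITS)
    for name, (want_critical, want_values) in PROFILES[kind].items():
        if name not in ext:
            problems.append("missing " + name)
            continue
        critical, lines = ext[name]
        if critical != want_critical:
            problems.append("%s critical=%s, profile wants %s" % (name, critical, want_critical))
        got = {v.strip() for v in ", ".join(lines).split(",") if v.strip()}
        if got != want_values:
            problems.append("%s has %s, profile wants %s" % (name, sorted(got), sorted(want_values)))
    problems += ["missing " + name for name in MUST_BE_PRESENT if name not in ext]
    san = [e.strip() for v in ext.get("X509v3 Subject Alternative Name", (False, []))[1] for e in v.split(",")]
    if not any(e.startswith(SAN_PREFIX[kind]) for e in san):
        problems.append("Subject Alternative Name lacks a %s entry" % SAN_PREFIX[kind])
    if "Policy: " + CPS_OID not in ext.get("X509v3 Certificate Policies", (False, []))[1]:
        problems.append("Certificate Policies does not name the CP/CPS OID " + CPS_OID)
    return problems
```

Running `check_profile(SAMPLE_PERSONAL_CERT, "personal")` returns an empty list, while checking the same text against the host profile reports the missing serverAuth/SSL Server values and the absence of a DNS: subject alternative name, which is exactly the distinction between the two slides. The same loop is what a CA test suite would run over every certificate produced by the management software before accreditation.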



CRL Profile

  •    The BrGrid CA creates and publishes X.509 version 2 Certificate
       Revocation Lists.
  •    The BrGrid CA shall issue complete CRLs for all certificates
       issued by it independently of the reason for the revocation.
  •    The CRL extensions that are included:
       –    the Authority Key Identifier (equal to the issuer's key identifier); and
       –    the CRL Number (a monotonically increasing sequence number).
  •    The CRL Reason Code and the Invalidity Date will also be
       included as a CRL entry extension.
  •    The CRL shall have a lifetime of at most 30 days.
  •    The CRL will include the date by which the next CRL should be
       issued.
  •    The BrGrid CA must publish a new CRL in the repository at least 7
       days before expiration or immediately after a revocation is issued,
       whichever comes first.
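The rules on this slide pin down two things a tool can check: what a conforming CRL header looks like (v2, Authority Key Identifier, a strictly increasing CRL Number, a nextUpdate at most 30 days after thisUpdate) and when the CA must publish the next one (7 days before expiry, or immediately after a revocation). The code below is an added example, not the CA's management software: it parses the text form `openssl crl -text -noout` prints, validates the header against the profile, computes the republication deadline for the CA side, and gives the relying-party view of whether the CRL is still usable. The sample CRL text is constructed (key identifier, serial and dates are made up).

```python
import re
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(days=30)   # slide: CRL lifetime at most 30 days
REISSUE_LEAD = timedelta(days=7)    # slide: new CRL at least 7 days before expiry

# Constructed header of `openssl crl -text -noout` output shaped like this
# profile (v2, AKI, CRL Number, reason code, invalidity date); not a real BrGrid CRL.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=BR/O=BrGridCA/CN=BrGrid CA
        Last Update: Mar 20 12:00:00 2006 GMT
        Next Update: Apr 19 12:00:00 2006 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
            X509v3 CRL Number:
                42
Revoked Certificates:
    Serial Number: 1A
        Revocation Date: Mar 20 11:30:00 2006 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
            Invalidity Date:
                Mar 19 08:00:00 2006 GMT
"""


def parse_openssl_time(s):
    """openssl prints times as 'Mar 20 12:00:00 2006 GMT' (naive UTC)."""
    return datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y GMT")


def parse_crl_text(text):
    """Pull the header fields this profile cares about out of openssl's text dump."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    nxt = grab(r"^\s*Next Update: (.+)$")         # openssl prints 'NONE' when absent
    num = grab(r"CRL Number:\s*(\d+)")
    return {
        "version": int(grab(r"^\s*Version (\d+)") or 0),
        "this_update": parse_openssl_time(grab(r"^\s*Last Update: (.+)$")),
        "next_update": parse_openssl_time(nxt) if nxt and nxt.strip() != "NONE" else None,
        "has_aki": "X509v3 Authority Key Identifier" in text,
        "crl_number": int(num) if num else None,
        "revocations": [parse_openssl_time(d)
                        for d in re.findall(r"^\s*Revocation Date: (.+)$", text, re.M)],
    }


def check_crl_profile(crl, previous_crl_number=None):
    """Return the deviations from the slide's CRL profile; [] means it conforms."""
    problems = []
    if crl["version"] != 2:
        problems.append("CRL is not X.509 v2")
    if not crl["has_aki"]:
        problems.append("Authority Key Identifier extension missing")
    if crl["crl_number"] is None:
        problems.append("CRL Number extension missing")
    elif previous_crl_number is not None and crl["crl_number"] <= previous_crl_number:
        problems.append("CRL Number %d does not exceed previous %d"
                        % (crl["crl_number"], previous_crl_number))
    if crl["next_update"] is None:
        problems.append("nextUpdate missing")
    elif crl["next_update"] - crl["this_update"] > MAX_LIFETIME:
        problems.append("CRL lifetime exceeds 30 days")
    return problems


def republish_deadline(crl, revoked_at=None):
    """CA side: latest moment the next CRL must be published. Normally 7 days
    before nextUpdate; a revocation after thisUpdate moves it to 'immediately',
    i.e. the revocation time itself."""
    scheduled = crl["next_update"] - REISSUE_LEAD
    if revoked_at is not None and revoked_at > crl["this_update"]:
        return min(scheduled, revoked_at)
    return scheduled


def relying_party_accepts(crl, now):
    """Relying-party side: a CRL is usable only inside [thisUpdate, nextUpdate)."""
    return crl["this_update"] <= now < crl["next_update"]
```

Two points the code makes explicit: the CRL Number comparison needs the previously seen number, so a relying party that caches CRLs can detect a replayed older list, and the 7-day lead is a publishing obligation on the CA, separate from the nextUpdate cut-off that relying parties enforce.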


BrGrid CA and RAs

  •    BrGrid CA
       – CA Manager, CA Operators, CA tech support, CA Auditor
       – Offline dedicated signing machine and secure online repository
       – CA operations, registering RAs and maintaining BrGrid CA
         management software
  •    BrGrid CA RAs (RAs of the BrGrid CA)
       – RA manager appointed by his/her organization and RA Local
         Representatives chosen by RA Manager
       – Vetting (identification, authorization and entitlement) and
         issuing Certificate Signing Requests
       – CSR operations carried out through its specific RA SSL
         protected web interface of CA management software running
         on the BrGrid CA web server (requires bi-directional
         authentication) or (as a backup) through digitally signed e-mail.


Organization Identification

  •    If an organization or unit intends to request a
       number of certificates, it is encouraged to set up a
       BrGrid CA RA.
  •    For first-time requests, the CA (when the request is to
       become an RA) or the RA (in the case of a certificate
       request from an end entity) must:
       – ascertain whether the organization or organizational unit
         exists;
       – ascertain whether it is entitled to request BrGrid certificates; and
       – obtain competent information on who is entitled to sign
         documents on behalf of that institution.




Verification of Affiliation

   • The current relationship between the subscriber and
     the organization or unit mentioned in the subject name
     must be proved through:
         – a legally acceptable document;
         – an organization identity card; or
         – an official organization document stamped and signed by an
           official representative of that organization.
   • The request may optionally be authorized through the
     digital signature of an official representative of the
     organization in possession of a valid BrGrid CA issued
     certificate.
   • In special cases, an organization can provide the RA
     with access to official databases to verify the
     relationship.

Identity Validation (1)

  •    Individuals are authenticated through the
       presentation of a valid identity document officially
       recognized under Brazilian Law.
  •    The individual should present himself in person to a
       BrGrid CA RA for their identity to be verified. At that
       moment, the individual must present:
       – Proof of their current relationship with the organization(s) to be
         specified in the DN;
       – Identity document with photograph; and
       – A photocopy of this documentation to be archived by the RA.


  •    But Brazil is the size of Europe…



Identity Validation (2)

  •    In exceptional cases, for example due to a
       subscriber’s geographical remote location, this
       presentation may be held by video conference.
  •    In this situation, an authenticated photocopy of all
       identity documentation together with the subscriber’s
       notarized signature must be sent by mail/courier to
       the RA manager (or the CA Manager in the case of
       setting up an RA) prior to the meeting.
  •    Note that “authenticated” and “notarized” refer to
       verifications made by a legally appointed (under
       Brazilian Law) notary public.



Host/Service Verification

  •    For host or service certificates, the requests must be
       signed with a BrGrid CA issued personal certificate
       corresponding to the system administrator or person
       responsible for the resource.
  •    The RA corresponding to the organization mentioned
       in the certificate request's distinguished name will verify
       whether
       – the requester has the right to request a certificate for the
         intended host or service; and
       – the FQDN appears in the DNS.





Certificate Issuance

   • Upon successful authentication, an electronic copy of
     the requesting party's identification documents and the
     certification request shall be sent to the BrGrid CA via
     its management software or digitally signed e-mail.
   • A CA operator shall transfer the CSR manually to the
     offline signing computer (i.e. not connected to any
     network) running only the services necessary for the
     CA operations.
   • The certificate will be created and signed with the
     operator’s personally encrypted copy of the BrGrid CA
     private key and then transferred back manually to the
     BrGrid CA repository.
   • End Entities must acknowledge acceptance of
     certificates.

Current Status

  •    The BrGrid CA is not yet operational.
  •    The CA management software is currently under
       development, evaluation and test.
  •    The repository is tied to the management software
       development and thus only contains test data.
  •    Additional resources are being acquired for a CA
       environment containing a signing machine, CA web
       server and repository, backup service, safe(s) and
       other security equipment (requires evaluation).
  •    Security issues are also related to the pending
       supercomputer installation at IC-UFF.



Security Controls

  •    The BrGrid CA equipment is housed within the postgraduate
       laboratory of IC-UFF. Located inside a federal building, access
       to the grounds and premises is controlled (and protected) by
       security guards and cameras.
  •    IC-UFF maintains an access control system for the laboratory.
       –    All access to the CA web server is limited to BrGrid CA personnel
            and system administrators of IC-UFF; the server is analyzed daily
            for breaches in system security.
       –    The BrGrid CA signing machine is offline at all times and secured in
            a safe when not in use, together with:
               personal encrypted copies of the CA’s private key kept on removable
                storage media;
               CA audit data stored on read-only DVD or CD; and
               backup copies and snapshots of the CA system kept on DVD or CD.
       –    The safe itself is housed in a locked room where access is logged and
            restricted to authorized personnel.



Audit/Archive Procedures

  •    Events such as certificate lifecycle operations,
       access attempts and requests to RAs and the CA will
       be logged.
       – The audit log files shall be processed and archived once a
         month, or after a security breach is suspected or known.
       – Audit data on the BrGrid CA web server will be analyzed daily
         for potential breaches of system security automatically.
       – While in the system, the audit logs are protected by the file
         system security mechanisms and shall only be accessible to
         the BrGrid CA Manager, Auditor and system administrators.
       – When processed, the archives are copied in encrypted form to a
         read-only offline medium (to prevent modification) and stored in
         a safe place.
       – Only an external auditor and CA personnel will have access to
         this archive.

Compromise Procedure (1)

  •    If the private key of the BrGrid CA is compromised (or
       suspected of being) the CA Manager must:
       – Make every reasonable effort to notify subscribers and RAs;
       – Terminate the issuing and distributing of certificates and CRLs;
       – Generate a new CA key pair and certificate, and publish the
         certificate in the repository;
       – Revoke all certificates previously signed by the compromised
         key;
       – Publish the new CRL on the BrGrid CA repository;
       – Notify relevant security contacts; and
       – Notify all relying parties and cross-certifying CAs, of which the
         CA is aware, as widely as possible.




Compromise Procedure (2)

  •    If the keys of an end entity are lost or compromised,
       the appropriate RA must be informed immediately in
       order to start the certificate revocation process.
  •    If an RA Manager’s private key is compromised or
       suspected to be compromised, the RA Manager must
       inform the CA and request revocation.

  •    A web interface will be available for trouble and
       incident reporting by relying parties. The CA Manager will
       receive notification via cell phone.





Disaster Recovery (1)

  •    In order to resume operations as soon as possible after
       corruption, the following precautions shall be taken:
       –    all CA software shall be backed up on a removable medium after a
            new release or modifications to any of its components have been
            installed;
       –    all data files of the offline CA shall be backed up on a removable
            medium after each change, before the session is closed.
  •    In case of corruption, the CA systems are either repaired or
       rebuilt from the last good backup.
  •    The BrGrid CA operates a secondary web server/repository.
  •    If all but one of the encrypted copies of the private key have been
       destroyed or lost and none of the copies was compromised, CA
       operations shall be re-established without the need to revoke issued
       certificates.



Disaster Recovery (2)

  •    All critical CA data necessary for the successful
       operation of the BrGrid CA will be stored securely at
       an off-site location.
  •    In the case of a major disaster, where critical CA
       information is completely lost, the CA will suspend
       operations as in the case of CA private key
       compromise.





What’s Next and Future Plans

  •    Implementation and extensive testing of CA
       management software
  •    Installation of new CA infrastructure
  •    Training of CA and RA personnel (quality of service)
  •    Test procedures and develop an Operations Manual
  •    Objective: fully operational and ready for “complete”
       accreditation by the next F2F TAGPMA meeting in
       July 2006.

  •    RNP’s Hardware Security Module
       – Still at the prototype stage; when the HSM will be available is
         unclear.
       – Certification acceptability and cost?