Government of Canada
Internal Credential Management Public Key Infrastructure
LRA Training Manual 2009/2010
Internal Credential Management • ICM is a PKI based credential management service for internal government business that issues and manages unique digital credentials to individuals, applications and devices.
What is PKI?
The combination of protocols, technologies, infrastructure, services policies and people that define how an organization maintains, distributes, creates, and validates public keys and associated information. • • ICM Service Provider (PWGSC) ICM Client Organizations
• • • • •
Key Management Centre (KMC)
Online Registration and Credential Administration (ORCA) myKEY National LRA Coordinator Local Registration Authority (LRA) Certificate Authority
What are PKI Keys?
• Protected by owner • Kept in physical possession of owner • Used to decrypt messages • Used to sign messages
• Distributed freely and openly
• Kept in public certificate key directory servers • Used to encrypt messages • Used to verify signatures
• Personal Keys • Device/Application Keys • Group Keys
Security and PKI • • • Security Elements Password Rules Securing My Credential
PKI and Security Confidentiality Access Control
Ensures that only authorized users or processes are permitted to access a given resource
Protection against unauthorized disclosure of information
Ensures information arrives to its intended destination as it was originated
Ensures originator is properly identified
Ensures that users cannot deny a transaction that they were involved with
Strong Password Rules • • • A minimum of 8 characters Must contain one uppercase letter Must contain one lowercase letter
• • •
Must contain one digit
Can contain special characters such as & * % $ # @! Should not contain too many instances of the same character Cannot contain a major sub-string of the user profile name (Profile name can be anything - only you will see it)
Securing My Credential The Credential is protected by security rules The Credential is protected with a strong password The user protects the password by not divulging it The user protects the Credential by storing it in a secure area The user protects the Credential by activating it themselves
What is ORCA?
• The Online Registration and Credential Administration (ORCA) solution will provide ICM clients with the ability to issue and manage ID-based Public Key Infrastructure (PKI) certificates (myKEY) in an online session. ORCA is an enhancement of the current manual LRA processes. During it’s initial release, ORCA will only be available to employees listed in the Regional Pay System. In it’s first release ORCA will facilitate both creations and recoveries. Other credential requests for Contractors, Devices and Groups will be handled using the current manual processes. ORCA will be rolled out to Departments in a phased approach beginning this year. LRAs will be contacted internally by their organization when ORCA is deployed in their area.
• • • • • •
What is myKEY? • • • “myKEY” has several aliases such as PKI Key, IDbased Certificate, Entrust Profile or PKI Certificate. As part of introducing ORCA, ICM has branded the product with the name “myKEY”. “myKEY” has all of the same functionalities as the current PKI Key.
What is myKEY used for? • • • • • To securely transfer files To securely store information To digitally sign documents and financial transactions To securely access remote networks To authenticate to secured applications
What is an LRA? • A Local Registration Authority (LRA) is the person who performs PKI Credential issuance duties on behalf of their organization.
What is a Guarantor? On behalf of the LRA, a Guarantor is responsible and accountable to identify and authenticate applicants/subscribers by: • • • • Meeting with the applicant Viewing 2 valid pieces of identification, 1 with a photo, both with signatures and valid expiry dates. Return application form to the LRA A Guarantor can be a Manager/Supervisor or equivalent
A Guarantor is not required to have a PKI certificate. The LRA is responsible for identifying and documenting which person of authority (supervisor, manager) acts as the Guarantor on their behalf.
What is a “Third Party”? • A Third Party is an ICM subscriber, with active PKI keys, who agrees to securely transfer an Authorization Code from the LRA to the applicant or subscriber.
Putting it all together
Processes and Guidelines
PKI Key Mgmt Services
Web Services Directory Services
• Each LRA must read the LRA Obligations document and sign the Appointment Certificate, acknowledging that they have read and understood their obligations
• • • • • •
An LRA must respect the obligations imposed in accordance with the processes identified in this document
• • • • Ensure all Contractor and Term Certificates are kept active or are revoked when contract or term ends. Work with “Guarantors” and “Third Parties” in the Identification and Authentication of individuals and the release of the Authorization Codes. Identify a back-up LRA to your subscribers in the event that you will be away Notify the LRA Coordinator when you are no longer taking care of the LRA responsibilities and identify your replacement (form available on the ICM website) Maintaining records of your LRA functions is not required however, should you wish to maintain records, note that physical and electronic storage should be secured as up to Protected B. Physical storage by locked container appropriate for up to Protected B sensitivity (e.g. locked filling cabinet). Electronic storage kept only in encrypted format on the desktop/network. All transaction records must be destroyed using a commercially available paper shredder producing a strip-cut to a maximum width of 3/8" (10mm).
myKEY - Request Processes • • • myKEY – LRA Request myKEY – Authorization Code Delivery Method myKEY – ORCA Request
myKEY Recovery – initiated by a Manager or Legal Authority
myKEY Revocation myKEY Distinguished Name Change
myKEY – LRA Request (new and recovery)
1. 2. 3. Applicant and/or LRA completes section 1 to 4 of the ICM Request Form. LRA completes section 5 and 6 of the form (and where indicated on External Subscriber Application and Change Request). LRA physically or digitally signs the form and sends it to the KMC.
• • 4. 5. 6.
By email, once scanned and encrypted; or By email, once completed electronically and encrypted
KMC verifies the LRA signature and processes the request. KMC sends the encrypted Authorization Code to the LRA and the Reference Number to the applicant. The LRA or Guarantor authenticates the applicant by verifying 2 pieces of identification, one with a picture, both with signatures and valid expiry dates. The LRA or Third Party provides the Authorization Code to the applicant.
myKEY – Authorization Code Delivery Method 1. The LRA provides the Authorization Code to the subscriber using one of the following approved methods: Face to Face, Registered Mail, Courier, Guarantor or Third Party Trust method. 2. The LRA provides the Authorization Code to the Guarantor or Third Party using one of the following approved methods: Registered Mail, Courier, or Encrypted Mail method. 3. The Guarantor or Third Party provides the Authorization Code to the subscriber using one of the following approved methods: Face to Face, Registered Mail or Courier.
myKEY - ORCA Request (new and recovery) • ORCA will be available through a web link where applicants can self-perform myKEY creations and recoveries. LRAs will be contacted internally by their organization when ORCA is deployed in their area.
myKEY – Recovery by a Manager / Legal Authority There may be a requirement where an organization needs to recover a subscriber’s myKEY on an urgent basis. Such as: • Access is required to corporate data after an employee leaves the organization, or • A department or criminal investigation is in progress. If this situation were to occur, the LRA opens a ticket with the PWGSC Operations Service Desk to be processed appropriately.
myKEY - Revocation
1. Subscriber / Manager / LRA encounters a myKEY revocation scenario e.g.: a. Cessation of operation (e.g. myKEY is no longer required by subscriber) b. subscriber’s termination of employment
c. myKEY compromise or suspected compromise
2. Subscriber / Manager contacts an LRA to request a key revocation. If the subscriber’s LRA is not available, the request is immediately re-directed to another LRA or to the PWGSC Operations Service Desk. LRA completes the Request Form and sends it to the KMC either by fax or by encrypted e-mail to the KMC requesting revocation.
KMC revokes the subscriber’s credential. The subscriber can no longer use myKEY.
KMC sends by email confirmation of the revocation to the LRA. The LRA informs the user.
myKEY – Distinguished Name Change • • • • LRA indicates on the request form the subscriber’s current information. LRA indicates on the request form the subscriber’s new information. LRA sends the form to the KMC either by fax or electronically. KMC notifies the subscriber of the changes and CCs the LRA.
ICM Forms • • • • ICM Subscriber Application Request Form / Change Request ICM Device/Group/Application Credential Request Form / Change Request ICM External Subscriber Application Form ICM External Subscriber Change Request Form
Trouble Shooting Tips
Your Departmental Help Desk is your first point of contact for assistance. Password Problem • • • • Ensure the CAPS LOCK button has not been engaged. Was the password typed with a French keyboard? Has the user deleted all old profiles from the media/drives? A password cannot be reset by the KMC (Key Recovery is required) Have you downloaded a new ENTRUST.INI file from the ICM website? (not applicable to ESP users) Ensure that two way communication is allowed via your departmental firewall. The Entrust.INI file indicates the ports and IP's required to be identified. Is the network cable properly connected to the PC/Laptop? Were there communication errors while initiating the keys?
Communication Errors • • • •
Incident Escalation Process
Your departmental Help Desk Support is your first point of contact for assistance. • Incidents not resolved internally can be reported to the PWGSC Operations Service Desk 7/24 (613) 738-7782 The service desk agent will inquire as to: Requestor name Department Telephone number Solution urgency Type of problem (communication, password, key compromise) Problem description Error codes
You will be given an Incident Record (IR) number, which you should record and keep until the incident is resolved.
• • ICM Website http://www.tpsgc-pwgsc.gc.ca/gji-icm Key Management Centre (KMC) Monday - Friday 7:00 - 16:00 ET Fax: (613) 946-9133 E-mail: firstname.lastname@example.org Group Key for Encryption of forms/e-mails: Group, PKI OPS National LRA Coordinator
PWGSC Operations Service Desk 7/24 (613) 738-7782