Eracom Encryption by dnq34267

VIEWS: 581 PAGES: 25

More Info
									 TAGPMA Accreditation Review
          for the
   TACC Root CA CP/CPS

            Margaret Murray
  Advanced Computing Systems Group
Texas Advanced Computing Center (TACC)
           July 17-19, 2006
        Ongoing Grid Projects in 2006

•   GridChem: US VO for computational chemistry
•   Open Science Grid (OSG): International collaboration framework
•   SURAgrid: Southeastern US regional grid
•   TeraGrid: US terascale cyberinfrastructure
•   TIGRE: state of Texas research and education Grid
•   UT Grid: UT-Austin campus grid


•   GridPort, GridShell, UnitedDevices: software tools to simplify and expand usage
    of cyberinfrastructure with powerful, easy-to-use interfaces




                         TAGPMA Meeting Ottawa July 17-19, 2006                   2
          TACC HPC & Storage Systems
       LONESTAR                         WRANGLER                          CHAMPION




 UPGRADE in October 2006:         Dell Xeon EM64T Linux Cluster        IBM Power5 System
at least 2000 dual-core CPUS,          656 CPUs (4.2 Tflops)             96 Power5 CPUs,
    3 TB memory, 40 Tflops          1.3 TB memory, ~4 TB disk        192 GB mem, ~1 teraflop

        STAMPEDE                        GLOBAL DISK                         ARCHIVE




     Mac Xserve G5 Cluster                Sun SANs and                   STK PowderHorns (2)
      46 CPUs (368 Gflops)               Data Direct Disk                 2.8 PB max capacity
    52GB memory, 3.7TB disk                  > 50TB                      managed by Cray DMF

                                TAGPMA Meeting Ottawa July 17-19, 2006                     3
                  CA Design Goals

• Customization: Support grid/VOs with different:
   –   AUPs
   –   Shared Resources
   –   Job characteristics
   –   User interfaces
• Scalability: Manage access efficiently.
   –   Improve security
   –   Impose consistent procedures
   –   Automate when appropriate with trusted software
   –   Integrate with TACC accounting system
   –   Log all activities
• Survivability: Limit scope of any compromise

                    TAGPMA Meeting Ottawa July 17-19, 2006   4
TACC Organization Collaborations




        TAGPMA Meeting Ottawa July 17-19, 2006   5
                 Pragmatic Issues

• Consider our environment. (we're not VISA or MasterCard…)
   – Balance security and ease-of-use requirements.
• Maintain scalability:
   – Consider cost-effectiveness of hardware and software
     infrastructure and CA/RA personnel.
   – Watch for changing CA performance loads.
   – Retain ability to change in the face of innovations.
• Apply lessons learned. (i.e. Use findings from our
  own research.)
• Leverage existing tools where appropriate.



                  TAGPMA Meeting Ottawa July 17-19, 2006      6
       New TACC CA Structure

• Root CA only generates subordinate CA
  certificates.
• Subordinate CAs protected by HSM
                      TACC Root CA
                        (off-line)




        TACC Subordinate             TACC Subordinate
         Classic Grid CA               SLCS Grid CA
            (on-line)                    (on-line)




              TAGPMA Meeting Ottawa July 17-19, 2006    7
  Hardware Security Module (HSM)

• SafeNet, Inc. ProtectServer Gold PCI
   – FIPS 140-2 Level 3 device (Review pending)
   – Utilities for configuring and managing HSM
   – OpenSSL framework manageable via production quality
     APIs
   – Tamper-proof: Key storage is zeroed if card is removed from
     PCI bus whether or not system is powered up
   – True Random Number Generator ANSI X9.31
   – Smart Card key transfer
• At $4800 GSA, cheapest I could find, but can we use
  just one to support our design?

                  TAGPMA Meeting Ottawa July 17-19, 2006       8
      ProtectServer Gold PCI HSM
• Sold by SafeNet, Inc {who acquired Australian company
  Eracom}
• Different Performance Levels:
   – Lowest is 25 encryption operations per second
   – Highest is 600 encryption operations per second
• PLUS Maintenance costs 20% of HW cost/year:
   – 24x7x365 1 hour phone response
   – Return to factory repair
   – Advance Exchange from spares pool within 24 hrs
• Device can be configured with up to 20 slots
   – Slot 0 is special Admin slot used to manage all slots
   – Each slot has a PIN protected token
   – Slots other than Admin slot usually associated with one
     application each.

                    TAGPMA Meeting Ottawa July 17-19, 2006     9
           ProtectServer Gold HSM
• On-board Secure memory = 4MB
   – 9372 DES3 keys
   – 2568 RSA 1024 bit key pair
   – 1840 RSA 2048 bit key pair
• ExtToken library supports secure external storage of token
  objects for: RSA signing; Checking certificates; DES key
  exchange; DES encryption transaction; other uses
• Uses internal cache memory to store most recently utilized
  token objects
   – Cache memory in HSM is 10MB
   – File containing objects must be <= 4GB




                   TAGPMA Meeting Ottawa July 17-19, 2006      10
          ProtectServer Gold PCI
             HSM Architecture
• User Roles: Public, Token User, Token Security
  Officer (PKCS#11 definitions)
• PINs: <=32 characters & roles are separated
• Partitions/Slots/Tokens
• 4MB on-board storage
   – Backup to SmartCard
• Multiple config options, including FIPS mode
• Secure Messaging System: Either HSM or
  application can be configured to require a trusted
  channel before crypto-sensitive services can happen
• Supports HSM-managed encrypted disk cache

                TAGPMA Meeting Ottawa July 17-19, 2006   11
                    FIPS mode
• Cryptographic services can't be performed by
  unauthenticated users.
• No clear PINs allowed.
• Authentication protection = ON
• Security policy locked to prevent change
• Tamper before firmware upgrade.
• Only allow FIPS approved algorithms.
   – SMS uses Anonymous Diffie-Hellman (ADH)
• All RSA ops require specified key has a modulus >=
  1024 bits.
• All DSA ops require specified key has a modulus >=
  512 bits.
                TAGPMA Meeting Ottawa July 17-19, 2006   12
   Configuring HSM Security Policy

• ctconf -fflags
   Must Be TRUE          Must Be FALSE             Optional

   a: FIPS algorithms    d: DES Keys Even          i: Increased Security
   Only                  Parity Allowed            Level
   c: No Public Crypto   e: Entrust Ready          N: Full Secure
   l: Mode Locked                                  Messaging
   n: No Clear PINs                                Encryption
   t: Tamper Before                                p: Pure PKCS#11
   Update                                          U: Full Secure
   u: Auth Protection                              Messaging Signing



                    TAGPMA Meeting Ottawa July 17-19, 2006                 13
            Application Roles for
           Administration and Use
Application Management:
• Security Officer (SO) [1/slot and its token]
   – Grants and revokes access to a token
   – Assists with key backups
• Token Owner or User [1/slot and its token]
   – Uses the token/slot for the application


HSM Admin and Management:
• Administration Security Officer (ASO) [1/HSM]
• Administrator [1/HSM]

                   TAGPMA Meeting Ottawa July 17-19, 2006   14
Administration Security Officer (ASO)

• Set initial Administrator PIN (can't change it later)
• Set CKA_TRUSTED attribute on a Public object
• Set CKA_EXPORT attribute on a Public object
• Exercise cryptographic services with Public objects
• Create, destroy, import, export, generate and derive
  Public objects
• Can change his/her own PIN




                TAGPMA Meeting Ottawa July 17-19, 2006    15
                      Administrator
•   Set or Change Real Time Clock value
•   Read the System Event Log
•   Purge a full System Event Log
•   Configure the Transport Mode feature
•   Specify the HSM Security Policy
•   Create new ProtecToolkit C Slots/Tokens and specify their
    {Label,SO PINs and min PIN}
•   Init smart cards and specify {Label, SO PINs}
•   Destroy individual Slots/Tokens
•   Erase HSM Secure Memory (aka 'tamper')
•   Perform Firmware Upgrades
•   Manage Host Interface Master Keys
•   Manage Public and Private objects on the Admin token


                    TAGPMA Meeting Ottawa July 17-19, 2006      16
               Security Officer

• Set the initial User PIN (can't change it later)
• Re-initialize Token and set a new Label
• Set CKA_TRUSTED attribute on a Public
  object
• Set CKA_EXPORT attribute on a Public
  object
• Manage Public objects
• May change his/her own PIN

               TAGPMA Meeting Ottawa July 17-19, 2006   17
          Token Owner (User)

• Exercise cryptographic services with Public or
  Private objects
• Create, destroy, import, export, generate and
  derive Public or Private objects
• May change his/her own PIN




              TAGPMA Meeting Ottawa July 17-19, 2006   18
     Approved FIPS Algorithms

• AES, Triple-DES, DSA, RSA, ECDSA,
  HMAC-SHA-1, HMAC-SHA-256, HMAC-
  SHA384, HMAC-SHA-512, SHA-1, SHA-256,
  SHA-384, SHA-512, Triple-DES MAC




           TAGPMA Meeting Ottawa July 17-19, 2006   19
 Many Secure Key Backup Methods
• Multiple Custodian Method
   – Shares (key divisions) get encrypted (wrapped) by a
     randomly selected wrapping key.
   – Key Splitting: N of M scheme
• Single Custodian Method
   – Key (CKA_EXTRACTABLE=TRUE) gets wrapped by a
     chosen wrapping key (CKA_WRAP=TRUE).
• Better: SO controls backup key.
  (CKA_EXPORT=TRUE) works with Key
  (CKA_EXPORTABLE=TRUE)
• Once wrapped, copy keys to backup medium
• ctkmu Utility manages key attributes, backups and
  restores

                  TAGPMA Meeting Ottawa July 17-19, 2006   20
               On-line Root?

• Seems possible with this technology…
• However, I can easily support an off-line root
  using a Virtual Machine backed up to
  CDROM stored in a GSR safe after initial
  subordinate key creation and delivery
• If needed, VM can run on any off-line MS
  laptop.



              TAGPMA Meeting Ottawa July 17-19, 2006   21
       How many subordinates?

• What is different between grid/VO
  organizations?
  – AUPs, eligible members
  – Application characteristics and User Interface
• What is the same for grid/VO certification
  creation and management?




               TAGPMA Meeting Ottawa July 17-19, 2006   22
   Importance of TACC Accounting
     Database and Procedures
• DB verifies identity uniqueness (CN) no matter what
  how many certificate flavors exist
• DB can validate RA collected data against a specific
  grid CP
• DB will collect end-entity answers to authentication
  questions
• DB already tracks user allocations and job usage
• Some procedures to manageTeraGrid AMIE db +
  TACC db are in place.
   – Enhanced functionality scheduled for Aug/Sep06
     deployment


                  TAGPMA Meeting Ottawa July 17-19, 2006   23
                      Passphrases

• Known difficulties can lead users to remove
  certificate passphrase.
• Java portlet can enforce passphrase strength rules
• Portal software can help if a user forgets
   – TeraGrid: reset to initial password for one-time
   – TACC portal can (but should it?) change a certificate
     passphrase if the user can provide:
       • TACC system login password
       • Answer(s) to stored authentication questions




                    TAGPMA Meeting Ottawa July 17-19, 2006   24
    For More Information on
     TACC Classic Grid CA

Marg Murray, Ph.D. Research Associate
       Advanced Computing Systems
     Texas Advanced Computing Center
      The University of Texas at Austin
             marg@tacc.utexas.edu




            J.J. Pickle Research Campus
             10100 Burnet Rd. (R8700)
            Austin, TX USA 78758-4497




         TAGPMA Meeting Ottawa July 17-19, 2006   25

								
To top