Presentation on HKU Grid CA - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Presentation on HKU Grid CA
  • Mr. Frankie F. T. Cheung
  • HPC Team
  • Computer Centre
  • The University of Hong Kong
  • E-mail: ftcheung@hku.hk

2
Agenda (HKU Grid CA)
  • 0. Introduction
  • 1. CP/CPS
  • 2. CA System
  • 3. CA private key
  • 4. CA certificate
  • 5. Certificate Revocation
  • 6. Certificate Revocation List
  • 7. End entity certificates and keys
  • 8. Records Archival
  • 9. Audits
  • 10. Publication Repository
  • 11. Privacy and confidentiality
  • 12. Compromise and Disaster Recovery

3
0. Introduction
  • What is HKU?
  • The oldest university in Hong Kong
  • A comprehensive university with 10 faculties
  • 12,300 undergraduate and 9,900 postgraduate students
  • What is HKU Computer Centre?
  • A centralized IT service department that facilitates the use of the latest information technology in HKU teaching, learning, research and administration.
  • It aims to provide the best quality IT service in Hong Kong as well as from a global perspective.

4
0. Introduction
  • Why do we want to host a CA?
  • HKU is a member of Grid organizations:
  • A member of China National Grid (CNGrid)
  • A member of PRAGMA Grid
  • A member of EGEE TWGrid
  • Local researchers need to use Grid resources
  • Researchers from multiple disciplines (Chemistry, Physics, Geo-science, Engineering) demand Grid resources
  • There is no IGTF CA in the Hong Kong region
  • Researchers are reluctant to apply for user certificates from CAs in other regions

5
0. Introduction
  • CP/CPS revised by 13 February 2009
  • Hardware delivered in early March 2009
  • Software (OS, OpenCA, etc.) set up in late March 2009
  • Put into production on 8 April 2009:
  • Generated the CA private key
  • Issued the CA certificate
  • Issued a user certificate
  • Issued a host certificate
  • Online web repository ready: http://ca.grid.hku.hk

6
1. CP/CPS
  • CP/CPS was drafted on 24 Dec 2008
  • It was reviewed by IGCA and CNIC
  • It was revised by 13 February
  • CP OID: 1.3.6.1.4.1.30850.2.2.40000.2.1.1.0 (CP/CPS 1.2)
  • CPS OID: 1.3.6.1.4.1.30850.2.2.40000.2.2.1.0 (CP/CPS 1.2)
  • It is structured as defined in RFC 3647 (CP/CPS 1.1)

7
1. CP/CPS
  • Policy Administration (CP/CPS 9.12)
  • The policy is developed and maintained by the HKU Grid Policy Management Authority (HKU Grid PMA) at HKU Computer Centre
  • All major changes related to policy, technology or security must be approved by the APGrid PMA before any certificates are signed under the new CP/CPS.
  • Minor changes related to editorial problems can be made without approval by the APGrid PMA.
  • A new OID is assigned for major changes, not for minor changes.
  • All versions are available at the online repository (http://ca.grid.hku.hk > Publications)

8
1. CP/CPS
  • Organization of HKU Grid PMA (CP/CPS 5.2)

9
1. CP/CPS
  • Staff in HKU Grid PMA
  • CA Managers
  • Dr. P. T. Ho (hpt@cc.hku.hk)
  • Mr. W. K. Kwan (kwk@cc.hku.hk)
  • CA Operators
  • Mr. Frankie Cheung (frankie@cc.hku.hk)
  • Mr. Gripen Kwok (gripen@cc.hku.hk)
  • RA Operator
  • Mr. W. K. Kwan (kwk@cc.hku.hk)

10
2. CA System
  • The CA system consists of 2 dedicated machines:
  • One offline signing server (offline CA server)
  • One online web server (online RA server)
  • Hardware: 2 x IBM x3650 servers, each with an Intel quad-core 2.66 GHz CPU, 2 GB RAM and 4 x 73 GB disks in RAID-6

11
2. CA System
  • Software:
  • OS: Fedora 9
  • CA software: OpenCA v1.0.2
  • OpenSSL: v0.9.8h
  • Web server: Apache v2.2.9
  • Database: MySQL v5.0.51a
  • Firewall protection:
  • The campus firewall blocks all incoming traffic except HTTP/HTTPS
  • The host firewall blocks all incoming traffic except HTTP/HTTPS, plus SSH and SMTP from the admin network segment

12
2. CA System
  • The CA systems are located at Rack 40 in Room 108 (Computer Server Room), Run Run Shaw Building, The University of Hong Kong (CP/CPS 5.1)
  • Before reaching the room doors: 2 closed-circuit security cameras

13
2. CA System
  • The CA systems are located at Rack 40 in Room 108 (Computer Server Room), Run Run Shaw Building, The University of Hong Kong (CP/CPS 5.1)
  • Two levels of doors: only HKU Computer Centre system administrators and operators are granted access

14
2. CA System
  • The CA systems are located at Rack 40 in Room 108 (Computer Server Room), Run Run Shaw Building, The University of Hong Kong (CP/CPS 5.1)
  • A secure environment where access is controlled
  • The servers are in a rack with key locking; only administrators and operators keep the key

15
2. CA System
  • The CA signing server is completely offline. No network cable is connected to this server. (CP/CPS 6.2)
  • No Hardware Security Module (HSM) is deployed
  • The CA systems are professionally managed by the CA operators.

16
3. CA private key
  • Encryption algorithm: DES3
  • Asymmetric algorithm: RSA
  • Key size: 2048 bits (CP/CPS 6.1.5)
  • Protected by a pass-phrase of 20 characters (CP/CPS 6.4)
  • The pass-phrase is known only to the HKU Grid PMA.
  • Backup copies of the encrypted private key are kept on offline media (4mm tapes) in the locked cabinet of the HKU Computer Centre server room, where access is controlled. (CP/CPS 6.2.4)
  • Backup copies of the private key are encrypted with a backup password known only to the CA operators:
  • openssl des3 -salt -k password -e -in keyfile.tar.gz -out keyfile.pencrypted.tar.gz

17
3. CA private key
  • The pass-phrase of the encrypted private key is kept in a sealed envelope, which is put in another locked cabinet in the HKU Computer Centre staff room, to which only the HKU Grid PMA has the key. (CP/CPS 6.2.4)
  • When it is necessary to generate a new CA certificate (1 year before the CA certificate expires), a new CA private key and pass-phrase will be generated. The new key will then be used for signing. (CP/CPS 5.6)
  • The overlap of the old and new key must be at least 1 year. The old private key is still kept so that old signatures made under the still-valid certificate can be verified.
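
The key handling on the two slides above, as an added example that is not part of the original presentation or of OpenCA: generate a 2048-bit RSA CA key under a DES3 pass-phrase, confirm the file is really encrypted and refuses a wrong pass-phrase, then make an encrypted offline backup in the spirit of the slide's "openssl des3 -salt -k password -e" command and prove it restores byte-for-byte. It assumes OpenSSL 1.1.1 or later and tar with gzip on PATH; the work directory, the 20-character pass-phrase and the backup password are constructed for the example (-pbkdf2 is this example's addition, not the slide's).

```shell
#!/bin/sh
# Added example (not from the HKU Grid CA slides or OpenCA): CA key generation,
# encryption checks and an encrypted offline backup with a verified restore.
# Assumes OpenSSL 1.1.1+ (for -pbkdf2) and tar/gzip. All secrets are samples.
set -eu

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/ca" "$WORK/restore"

gen_ca_key() {
    # $1 = output path, $2 = pass-phrase (slide: 20 characters, known only to the PMA)
    # Prints the key size in bits so the caller can confirm the 2048-bit policy.
    openssl genrsa -des3 -passout "pass:$2" -out "$1" 2048 2>/dev/null
    openssl rsa -in "$1" -passin "pass:$2" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

key_is_encrypted() {
    # Prints "yes" if the PEM carries an encryption header (traditional
    # "Proc-Type: 4,ENCRYPTED" or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY").
    if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi
}

rejects_passphrase() {
    # $1 = key, $2 = candidate pass-phrase; "rejected" when OpenSSL cannot decrypt it
    if openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

backup_key() {
    # $1 = key file, $2 = backup archive to write, $3 = backup password
    # (slide: a separate password known only to the CA operators).
    tar -czf "$WORK/keyfile.tar.gz" -C "$(dirname "$1")" "$(basename "$1")"
    # Same idea as the slide's "openssl des3 -salt -k password -e"; -pbkdf2 is
    # added here in place of the legacy single-iteration key derivation of -k.
    openssl enc -des3 -salt -pbkdf2 -pass "pass:$3" -e \
        -in "$WORK/keyfile.tar.gz" -out "$2"
}

restore_key() {
    # $1 = backup archive, $2 = backup password; prints the path of the restored key
    openssl enc -des3 -d -pbkdf2 -pass "pass:$2" -in "$1" -out "$WORK/restored.tar.gz"
    tar -xzf "$WORK/restored.tar.gz" -C "$WORK/restore"
    echo "$WORK/restore/$(tar -tzf "$WORK/restored.tar.gz" | head -n 1)"
}

backup_matches() {
    # $1 = original key, $2 = restored key; "match" if the SHA-256 digests agree
    a=$(openssl dgst -sha256 "$1" | sed 's/^.*= //')
    b=$(openssl dgst -sha256 "$2" | sed 's/^.*= //')
    if [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

# Stand-alone run with constructed secrets.
PMA_PASSPHRASE="Oxk3qv9LmZ2tR7wB4yHn"     # 20 characters, as on the slide (sample value)
BACKUP_PASSWORD="tape-backup-sample-pw"
echo "key size: $(gen_ca_key "$WORK/ca/ca.key" "$PMA_PASSPHRASE") bits"
echo "encrypted on disk: $(key_is_encrypted "$WORK/ca/ca.key")"
echo "wrong pass-phrase: $(rejects_passphrase "$WORK/ca/ca.key" "not-the-passphrase")"
backup_key "$WORK/ca/ca.key" "$WORK/keyfile.encrypted.tar.gz" "$BACKUP_PASSWORD"
RESTORED=$(restore_key "$WORK/keyfile.encrypted.tar.gz" "$BACKUP_PASSWORD")
echo "backup restores identically: $(backup_matches "$WORK/ca/ca.key" "$RESTORED")"
```

The two passwords are deliberately independent, matching the slide: the PMA's pass-phrase unlocks the key itself, the operators' backup password unlocks only the tape image, so neither group alone can use a backup tape.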

18
4. CA certificate (CP/CPS 5.6, 7.1.2)
  • Version: 3 (0x2)
  • Serial Number: b3:7f:1f:87:24:9e:40:87
  • Signature Algorithm: sha1WithRSAEncryption
  • Issuer: CN=HKU Grid CA, DC=GRID, DC=HKU, DC=HK
  • Validity
  • Not Before: Apr 8 13:05:28 2009 GMT
  • Not After: Apr 3 13:05:28 2029 GMT
  • Subject: CN=HKU Grid CA, DC=GRID, DC=HKU, DC=HK
  • Subject Public Key Info
  • Public Key Algorithm: rsaEncryption
  • RSA Public Key: (2048 bit)

19
4. CA certificate
  • X509v3 extensions:
  • X509v3 Basic Constraints: critical, CA:TRUE
  • X509v3 Subject Key Identifier: 6B:D2:25:93:24:C4:F2:6F:8A:89:55:4E:D2:5A:55:95:B7:AC:2D:E9
  • X509v3 Authority Key Identifier: keyid:6B:D2:25:93:24:C4:F2:6F:8A:89:55:4E:D2:5A:55:95:B7:AC:2D:E9
  • X509v3 Key Usage: critical, Certificate Sign, CRL Sign
  • X509v3 Subject Alternative Name: email:hpc@cc.hku.hk
  • X509v3 Issuer Alternative Name: email:hpc@cc.hku.hk

20
5. Certificate Revocation
  • Revocation can be requested by (CP/CPS 4.9.2):
  • The certificate subscriber
  • HKU Grid CA/RA
  • Any other entity presenting evidence that the criteria described in CP/CPS 4.2.1 have been violated.
  • Any entity presenting evidence of compromise of the associated private key.
  • An end entity must request revocation within one working day after detecting that (CP/CPS 4.9.1):
  • The subscriber's private key is compromised or is suspected to have been compromised.
  • The subscriber's information in the certificate is suspected to be inaccurate.

21
5. Certificate Revocation
  • Procedure for Revocation Request (CP/CPS 4.9.3)
  • The end entity must use its CRIN (Certificate Revocation Identification Number) PIN or send the revocation request by signed e-mail
  • The CA operator authenticates the revocation request by the CRIN PIN or the signed e-mail, or even by telephone/VTC when necessary
  • The CA operator revokes the certificate, updates the CRL and sends a notification e-mail
  • HKU Grid CA must react within one working day to any revocation request received. (CP/CPS 4.9.5)

22
6. Certificate Revocation List
  • Lifetime is 30 days (CP/CPS 4.9.7)
  • A CRL is issued (CP/CPS 4.9.7):
  • Every 23 days (a cron job checks the CRL's remaining lifetime and e-mails the CA operators 10 days before it expires)
  • Or immediately after a revocation
  • Available at the online repository (http://ca.grid.hku.hk > Publications)
  • http://ca.grid.hku.hk/crl/cacrl.der
  • Version: X.509 v2 (CP/CPS 7.2)
  • Message digest algorithm: SHA-1 (CP/CPS 7.2)

23
7. End entity certificates and keys
  • Key size > 1024 bits (CP/CPS 6.1.5)
  • Lifetime: 1 year (365 days) (CP/CPS 5.6, 6.3.2)
  • A user certificate must not be shared (CP/CPS 4.5)
  • A host certificate must be linked to a single network entity. (CP/CPS 4.5)
  • The CA only issues certificates based on cryptographic data generated by the subscriber. (CP/CPS 4.1.2)
  • Key generation happens on the client side.
  • It is stated as the responsibility of subscribers to manage the private key safely to prevent unauthorized use
  • End entity pass-phrase (CP/CPS 4.5):
  • At least 12 characters (enforced by the OpenCA web interface for user certificates), and stated as the responsibility of subscribers.

24
7. End entity certificates and keys
  • Enrollment Process (User Certificate) (CP/CPS 4.1.2)
  • 1. The subscriber fills in the user certificate application form and returns it to the RA.
  • 2. The subscriber waits for the e-mail acknowledgement from the RA, then visits the HKU Grid CA website and requests a CSR. A new CSR serial number is assigned.
  • 3. The subscriber is arranged to have a face-to-face meeting with the RA and must present photo ID, work ID, the CSR serial number and proof of work during the meeting.
  • 4. The RA examines the request according to CP/CPS 3.2

25
7. End entity certificates and keys
  • Enrollment Process (User Certificate) (CP/CPS 4.1.2)
  • 5. Once the subscriber is authenticated, the RA endorses the user certificate application form and approves the request. The RA then passes the signed application form to the CA via signed e-mail or fax.
  • 6. Upon receipt of the application form, the CA verifies the RA's signature on the application form and the CSR serial number. The HKU Grid CA manager may contact the RA if necessary via signed e-mail or telephone.
  • 7. The CA operator then issues the certificate and sends an e-mail to the subscriber on how to download the certificate.

26
7. End entity certificates and keys
  • Enrollment Process (Host Certificate) (CP/CPS 4.1.2)
  • Similar to the user certificate enrollment process
  • In step 1, a subscriber who requests a host certificate must have a valid user certificate from HKU Grid CA.
  • In step 3, the subscriber must provide evidence or proof that the host certificate request is authorized by the owner of the FQDN.

27
7. End entity certificates and keys
  • Meaningful names (CP/CPS 3.1.2)
  • Reasonable association to the end entity
  • The CN is the FQDN for host certificates
  • Name uniqueness (CP/CPS 3.1.5)
  • For user certificates, the CN must be the full name of the subscriber combined with the subscriber's e-mail id.
  • For host certificates, the CN must be a functional fully qualified domain name.

28
7. End entity certificates and keys
  • Identity Validation by RA (CP/CPS 3.2)
  • HKU members are identified by inspection of the staff card or student card
  • Subscribers from other organizations must be identified in an in-person face-to-face interview. Photo ID and valid official documents (including work ID and proof of work) must be presented at the interview
  • The subscriber must provide evidence or proof that the host certificate request is authorized by the owner of the FQDN.

29
7. End entity certificates and keys
  • X.509 format with extensions (CP/CPS 7.1)
  • basicConstraints set to CA:FALSE and marked as critical
  • keyUsage marked as critical
  • User certificate: the subscriber's e-mail is included in the subjectAlternativeName
  • Host certificate: the FQDN is included as a dNSName in the subjectAlternativeName
  • cRLDistributionPoints: URI:http://ca.grid.hku.hk/crl/cacrl.der
  • The policy identifier contains an OID and a URI:
  • Policy: 1.3.6.1.4.1.30850.2.2.40000.2.1.1.0
  • CPS: http://ca.grid.hku.hk/policy/HKU_gridca_CP-CPS-v1.0.pdf
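
The certificate profile on this slide and on slides 18-19, together with the CRL and revocation handling of slides 21-22, as an added example that is not the HKU Grid CA's own OpenCA configuration: a throw-away OpenSSL CA whose extension sections reproduce the listed extensions (critical CA:TRUE with Certificate Sign/CRL Sign on the CA certificate; critical CA:FALSE, critical keyUsage, a dNSName SAN, the CRL distribution point and the certificatePolicies OID with CPS URI on a host certificate), a CA-side check that the subscriber's CSR key is at least 1024 bits before signing, a CRL with a 30-day lifetime, the cron job's "days left until nextUpdate" arithmetic, and a fresh CRL issued immediately after a revocation. It assumes OpenSSL 1.1.1 or later and GNU date; the DC names, hostnames, e-mail address and the keyUsage bits chosen for host certificates are this example's assumptions, not values from the slides.

```shell
#!/bin/sh
# Added example, not the HKU Grid CA's own OpenCA configuration: a throw-away
# OpenSSL CA with the slides' extension profile, a CSR key-size check, a 30-day
# CRL, the "days left" cron arithmetic and CRL re-issue after a revocation.
# Assumes OpenSSL 1.1.1+ and GNU date. DC names, hostnames, the e-mail address
# and the host keyUsage bits are assumptions for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
export CADIR="$WORK/ca"
export HOST_FQDN="${HOST_FQDN:-placeholder.invalid}"   # overridden per request

setup_ca() {
    mkdir -p "$CADIR/newcerts"; : > "$CADIR/index.txt"; echo 1000 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"
    cat > "$CADIR/openssl.cnf" <<'EOF'
[ ca ]
default_ca = grid_ca
[ grid_ca ]
dir = $ENV::CADIR
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = grid_dn_policy
x509_extensions = host_ext
copy_extensions = none
[ grid_dn_policy ]
domainComponent = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = email:hpc@example.invalid
[ host_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:$ENV::HOST_FQDN
crlDistributionPoints = URI:http://ca.grid.hku.hk/crl/cacrl.der
certificatePolicies = @grid_cp
[ grid_cp ]
policyIdentifier = 1.3.6.1.4.1.30850.2.2.40000.2.1.1.0
CPS.1 = http://ca.grid.hku.hk/policy/HKU_gridca_CP-CPS-v1.0.pdf
EOF
    # Self-signed CA certificate; the real CA key is pass-phrase protected, -nodes is for brevity.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 7300 -config "$CADIR/openssl.cnf" \
        -subj "/DC=HK/DC=HKU/DC=GRID/CN=Example Grid CA" -extensions ca_ext \
        -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" 2>/dev/null
    issue_crl >/dev/null
}

issue_host_cert() {
    # $1 = FQDN; the key pair is generated on the subscriber side (CP/CPS 4.1.2).
    openssl req -new -newkey rsa:2048 -nodes -config "$CADIR/openssl.cnf" \
        -subj "/DC=HK/DC=HKU/DC=GRID/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    bits=$(openssl req -in "$WORK/$1.csr" -noout -text | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1)
    [ "$bits" -ge 1024 ] || { echo "refused: $bits-bit key" >&2; return 1; }
    HOST_FQDN="$1" openssl ca -batch -notext -config "$CADIR/openssl.cnf" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
    echo "$WORK/$1.crt"
}

cert_has() {  # $1 = certificate, $2 = literal text expected in "openssl x509 -text"; prints yes/no
    if openssl x509 -in "$1" -noout -text | grep -Fq -- "$2"; then echo yes; else echo no; fi
}
issue_crl() {  # 30-day lifetime as on the slide, published as DER like cacrl.der
    openssl ca -batch -config "$CADIR/openssl.cnf" -gencrl -crldays 30 -out "$CADIR/cacrl.pem" 2>/dev/null
    openssl crl -in "$CADIR/cacrl.pem" -outform DER -out "$CADIR/cacrl.der" && echo "$CADIR/cacrl.der"
}
revoke_cert() {  # revoke, then re-issue the CRL immediately (slide 22)
    openssl ca -batch -config "$CADIR/openssl.cnf" -revoke "$1" 2>/dev/null && issue_crl
}
crl_days_left() {  # $1 = DER CRL; whole days until nextUpdate, as the cron job would compute
    nu=$(openssl crl -in "$1" -inform DER -noout -nextupdate | sed 's/^nextUpdate=//')
    echo $(( ( $(date -u -d "$nu" +%s) - $(date -u +%s) ) / 86400 ))
}
verify_status() {  # $1 = certificate; chain and CRL check against this CA; prints valid/rejected
    if openssl verify -crl_check -CAfile "$CADIR/ca.crt" -CRLfile "$CADIR/cacrl.pem" "$1" >/dev/null 2>&1
    then echo valid; else echo rejected; fi
}

setup_ca
CRT=$(issue_host_cert ce01.example.invalid)
echo "CA:FALSE critical: $(cert_has "$CRT" 'CA:FALSE')  dNSName SAN: $(cert_has "$CRT" 'DNS:ce01.example.invalid')"
echo "CRL days left: $(crl_days_left "$CADIR/cacrl.der")  before revocation: $(verify_status "$CRT")"
revoke_cert "$CRT" >/dev/null
echo "after revocation: $(verify_status "$CRT")"
```

Note copy_extensions = none: the end-entity extensions come only from the CA's own host_ext section, so a subscriber cannot smuggle CA:TRUE or a foreign SAN in through the CSR, which is the property the slide's "basicConstraints CA:FALSE, critical" profile depends on.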

30
7. End entity certificates and keys
  • Certificate Renewal (CP/CPS 4.6)
  • HKU Grid CA does not permit a certificate signing request with the same key as the previous certificate.
  • Certificate Re-key (CP/CPS 4.7.3)
  • After a certificate has been revoked, has expired or will expire within one month
  • If the certificate has been revoked or has expired, the enrolment process of CP/CPS 4.1.2 must be followed

31
7. End entity certificates and keys
  • Certificate Re-key (CP/CPS 4.7.3)
  • If the certificate will expire within one month, the subscriber need not fill in the application form and need not attend the face-to-face meeting with the RA until 5 years after the initial ID vetting. After 5 years the subscriber should follow the enrolment process of CP/CPS 4.1.2 again to get a new certificate.
  • Certificate Modification (CP/CPS 4.8)
  • HKU Grid CA does not support certificate modification.
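
The renewal and re-key rules of the two slides above, as an added example that is not OpenCA's or the HKU Grid CA's code: the checks a CA operator can apply to a re-key request before approving it. It rejects a CSR that reuses the previous certificate's key by comparing the SHA-256 fingerprints of the two SubjectPublicKeyInfo structures, and routes the request as the slides describe: full enrolment if the certificate has already expired or the initial ID vetting is 5 or more years old, re-key if the certificate expires within one month, otherwise not yet due. It assumes OpenSSL 1.1.1 or later; the subject name, the self-signed stand-in certificates and the years-since-vetting values are constructed for the example.

```shell
#!/bin/sh
# Added example (not OpenCA's or the HKU Grid CA's code): re-key request checks.
# Assumes OpenSSL 1.1.1+. Subject names and certificates are constructed samples.
set -eu
WORK="${WORK:-$(mktemp -d)}"
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"   # minimal config for -subj use

spki_fingerprint() {
    # $1 = "x509" (certificate) or "req" (CSR), $2 = file; prints SHA-256 of the DER public key
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

rekey_check() {
    # $1 = previous certificate, $2 = new CSR; prints "accept" or "reject: same key" (CP/CPS 4.6)
    if [ "$(spki_fingerprint x509 "$1")" = "$(spki_fingerprint req "$2")" ]; then
        echo "reject: same key"
    else
        echo accept
    fi
}

renewal_route() {
    # $1 = current certificate, $2 = whole years since the initial face-to-face ID vetting
    # Prints full-enrolment | rekey | not-due (CP/CPS 4.7.3 as summarised on the slides)
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then echo full-enrolment; return; fi
    if [ "$2" -ge 5 ]; then echo full-enrolment; return; fi
    if openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null; then echo not-due; else echo rekey; fi
}

make_scenario() {
    # Constructed subscriber: self-signed "previous" certificates stand in for CA-issued ones.
    s="/CN=Alice Example alice@example.invalid"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/req.cnf" -subj "$s" \
        -keyout "$WORK/old.key" -out "$WORK/old.crt" 2>/dev/null
    openssl req -x509 -new -key "$WORK/old.key" -days 20 -config "$WORK/req.cnf" -subj "$s" \
        -out "$WORK/expiring.crt" 2>/dev/null
    # One CSR that reuses the old key, one with a freshly generated key
    openssl req -new -key "$WORK/old.key" -config "$WORK/req.cnf" -subj "$s" -out "$WORK/reuse.csr" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "$s" \
        -keyout "$WORK/new.key" -out "$WORK/fresh.csr" 2>/dev/null
}

make_scenario
echo "CSR reusing the old key:     $(rekey_check "$WORK/old.crt" "$WORK/reuse.csr")"
echo "CSR with a fresh key:        $(rekey_check "$WORK/old.crt" "$WORK/fresh.csr")"
echo "365-day cert, vetted 1y ago: $(renewal_route "$WORK/old.crt" 1)"
echo "20-day cert, vetted 1y ago:  $(renewal_route "$WORK/expiring.crt" 1)"
echo "20-day cert, vetted 5y ago:  $(renewal_route "$WORK/expiring.crt" 5)"
```

Comparing the public-key fingerprint rather than the subject name is what makes the check meaningful: a renewal request legitimately carries the same CN and e-mail, so only the key material tells a fresh key pair from a reused one.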

32
8. Records Archival
  • Records archived (CP/CPS 5.5.1):
  • Forms, e-mails, documents, etc. for certificate requests and revocation requests
  • Monthly tape backup includes (media kept in a locked cabinet with restricted access):
  • Signing server and web server backups (including the encrypted CA key)
  • Issued certificates, revocation requests, CRLs
  • Mail archive, system logs (login/logout/reboot)
  • Retention period (CP/CPS 5.5.2)
  • Generally a minimum of 3 years

33
9. Audits
  • Compliance Audit (CP/CPS 8)
  • External audit by the APGrid PMA is accepted
  • Self-audit of CA/RA and operations annually (April):
  • Are the HKU Grid CA certification duties compliant with this CP/CPS?
  • Can the archived records mentioned in the CP/CPS be obtained within the 3-year retention period?
  • Is the CA operated according to the minimum CA requirements specified by the APGrid PMA?
  • The list of CA and RA personnel is verified at least once per year

34
10. Publication Repository
  • http://ca.grid.hku.hk/ (CP/CPS 2.1)
  • CA certificate
  • The end entity certificates issued
  • CRL
  • Signing policy
  • Procedures for enrollment of each type of end entity certificate
  • CP/CPS
  • Contact information
  • Other information
  • This web repository is available 24x7 on a best-effort basis
  • Grants APGrid PMA and IGTF unlimited re-distribution

35
11. Privacy and confidentiality
  • Privacy (CP/CPS 9.4)
  • Subscribers supply information in the enrollment process, and HKU Grid CA will not disclose this information:
  • Position, telephone
  • Photo, work ID, other valid official documents
  • Except those items specified in the certificate:
  • Name and e-mail for user certificates
  • FQDN for host certificates
  • Organization name, organizational unit name
  • Confidentiality (CP/CPS 9.3)
  • Except for the explicit information published in the web repository, all other information is treated as confidential.

36
12. Compromise and Disaster Recovery
  • If the CA private key is compromised (CP/CPS 5.7.1):
  • Make all reasonable efforts to inform subscribers, RAs and relying parties
  • Revoke all issued certificates
  • Terminate distribution services for certificates and CRLs issued using the compromised key.
  • Generate a new CA key pair and certificate and make the latter available in the public repository.
  • If an entity private key is compromised (CP/CPS 5.7.3):
  • If an entity private key is compromised or suspected to be compromised, the entity or its administrator must request revocation of the certificate

37
12. Compromise and Disaster Recovery
  • Hardware, software and/or data are corrupted (CP/CPS 5.7.2)
  • Hardware: hardware replacement (disks with RAID-6 protection, tolerating a double disk failure)
  • Software/data corrupted: restored from backup tape
  • Disaster
  • The system must be recovered as soon as possible.
  • Plan to keep the annual backup tape in a locked cabinet in another building (arrangement in progress); this would speed up system recovery in case of a serious disaster (fire, flood) in the building.

38
Special Thank You to
  • Yoshio Tanaka (AIST)
  • Henry Sukumar (IGCA)
  • Kevin Dong (CNIC CA)
  • Jinny Chien (ASGC CA)
  • WaUe Chen (NCHC CA)
  • Question?