
Page 1

National Institute of Advanced Industrial Science and Technology

Self-audit report of AIST GRID CA

Yoshio Tanaka (yoshio.tanaka@aist.go.jp)

Information Technology Research Institute, AIST, Japan

Page 2

Contents

Overview and organization

CA architecture

Results of self-auditing: 9 B scores, 4 C scores

Page 3

Introduction of AIST

One of the largest national labs in Japan

Research topics include: Environment, Materials, Bio/Life science, Standards (JIS/OSI), Geographical survey, Semiconductor devices, Computer science, etc.

3,500+ employees

AIST Tsukuba Main Campus; 7 other campuses across Japan

(Map: Tsukuba relative to Tokyo and Narita, with 40 km and 50 km distance markers.)

Page 4

Overview of AIST Grid CA

Identification
AIST: 1.3.6.1.4.1.18936
GRID: 1.3.6.1.4.1.18936.1
AIST GRID CA: 1.3.6.1.4.1.18936.1.11
AIST GRID CA CP: 1.3.6.1.4.1.18936.1.11.2

Community and applicability
Issues certificates for researchers in AIST and for researchers outside AIST who have a research collaboration with AIST.
Issues certificates for Grid authentication.

Page 5

Issued certificates

User certificates: 136 (valid: 31; revoked or expired: 105)

Host certificates: 1706 (valid: 509; revoked or expired: 1197)

LDAP certificates: 262 (valid: 33; revoked or expired: 229)

Page 6

Root CA Certificate

    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, O=AIST, OU=GRID, CN=Certificate Authority
        Validity
            Not Before: Oct 19 10:28:35 2004 GMT
            Not After : Oct 18 10:28:35 2009 GMT
        Subject: C=JP, O=AIST, OU=GRID, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): …..
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier: …..
            X509v3 Subject Key Identifier: …..

Page 7

Organization

(Diagram of roles and staff; the legend distinguishes Role from Staff.)

Staff positions: Help Desk, CA Operator, Security Officer, User Administrator

Roles: Registration & Endorsement; Reception Desk (accepts CSRs, revocation requests, registration, user administration); OS Maintenance; IA Operation; RA Operation; Private Key Management; CA System Administration

Requesters: Certificate User and Host Administrator (submit certificate requests)

Page 8

Organization (cont'd)

Main roles

Security Officer (2 officers)
•Administers all tasks on the CA system, including the CA private key
•Akihiro Iijima, Motokuni Tsushima

CA Operator (3 operators)
•Administers the RA and CA servers
•Generates LICENSE IDs and delivers them to subscribers
•Maintains the CA system
•Mototsune Oomura, Takahiro Hamanishi, Jin Ishii

Help Desk
•Contact point for users about CA operation
•Akihiro Iijima, Mototsune Oomura, Jin Ishii, Takahiro Hamanishi, Yoshio Tanaka

User Administrator (1 admin)
•Accepts user enrollment
•Examines user information and approves the user
•Yoshio Tanaka

Page 9

CA system: Online CA + NAREGI CA software

RA server (dedicated)
CA server (dedicated)
HSM: SafeNet Luna CA3, FIPS 140-1 Level 3
Web server (repository)
Secure protocol, limited ports

Page 10

Physical controls

The CA system is located in the AIST Tsukuba Center, in a dedicated CA room inside the machine room.

Multiple levels of authentication for access to the CA room:
•To enter the building
•To enter the 2nd floor
•To enter the machine room
•To enter the CA room

Only Security Officers and CA Operators are able to enter the CA room.

Page 11

Physical controls (cont’d)

Page 12

Procedure for certificate enrollment

(Diagram: RA server (dedicated), CA server (dedicated) with HSM; actors: RA (user admin) and CA operator.)

1. Application by email
2. Face-to-face (F2F) vetting
3. Notification by signed email
4. Encrypted LICENSE ID by email
5. Passphrase by FAX

Page 13

Results of self-auditing: Score B

(3) Whenever there is a change in the CP/CPS the O.I.D. of the document must change and the major changes must be announced to the responsible PMA and approved before signing any certificates under the new CP/CPS.

A new OID is not assigned for minor (editorial) changes.

(5) The CP/CPS documents should be structured as defined in RFC 3647.

The CP/CPS is structured based on RFC 2527.

Page 14

Results of self-auditing: Score B

(13) The pass phrase of the encrypted private key must also be kept on offline media, separated from the encrypted private keys and guarded in a secure location where only the authorized personnel of the CA have access. Alternatively, another documented procedure that is equally secure may be used.

We do keep the pass phrase on offline media, stored in a safe place separated from the encrypted private keys, but this is not described in the CP/CPS.

Page 15

Results of self-auditing: Score B

(22) Certificate revocation can be requested by users, the registration authorities, and the CA. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.

The CP/CPS does not describe that "others can request revocation."

(23) The CA must react as soon as possible, but within one working day, to any revocation request received.

The CP/CPS does not describe "but within one working day."

(24) An end entity must request revocation of its certificate as soon as possible, but within one working day after detection of…

The CP/CPS does not describe "but within one working day."

Page 16

Results of self-auditing: Score B

(43) Certificates (and private keys) managed in a software token should only be re-keyed, not renewed.

(45) Certificates must not be renewed or re-keyed for more than 5 years without a form of identity and eligibility verification, and this procedure must be described in the CP/CPS.

The CP/CPS does not clearly distinguish re-key and renew.
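The certificate dump on page 6 and the re-key/renew distinction in items (43) and (45) above can both be checked mechanically. The following is an added example, not code from the audit or from the NAREGI CA software: a small parser for the `openssl x509 -text` layout shown on page 6, the checks a reviewer of a root certificate applies (Basic Constraints and Key Usage present, critical and correct; 2048-bit key; digest; expiry), and a test of whether a successor certificate is a renewal (same public key) or a re-key (new key), which is the distinction item (43) requires for software tokens. The sample dumps are constructed in the page's layout; the key identifiers are placeholders because the slide elides them, and the successor certificates are invented for the comparison.

```python
"""Parse the text form of an X.509 certificate (the `openssl x509 -text`
layout reproduced on page 6) and run the checks a CA-certificate audit needs:
CA and key-usage constraints, key size, digest, validity, and whether a
successor certificate is a renewal (same key) or a re-key (new key)."""
import re
from datetime import datetime

# Constructed sample in the page-6 layout.  The key identifier is a
# placeholder (the slide elides it); it is not the real AIST value.
ROOT_DUMP = """\
    Data:
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, O=AIST, OU=GRID, CN=Certificate Authority
        Validity
            Not Before: Oct 19 10:28:35 2004 GMT
            Not After : Oct 18 10:28:35 2009 GMT
        Subject: C=JP, O=AIST, OU=GRID, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                A1:B2:C3:D4:E5:F6:A1:B2:C3:D4:E5:F6:A1:B2:C3:D4:E5:F6:A1:B2
"""
# Constructed successors: a renewal keeps the key (same SKI), a re-key does not.
RENEWED_DUMP = ROOT_DUMP.replace("Not After : Oct 18 10:28:35 2009 GMT",
                                 "Not After : Oct 17 10:28:35 2014 GMT")
REKEYED_DUMP = RENEWED_DUMP.replace(
    "A1:B2:C3:D4:E5:F6:A1:B2:C3:D4:E5:F6:A1:B2:C3:D4:E5:F6:A1:B2",
    "9F:8E:7D:6C:5B:4A:9F:8E:7D:6C:5B:4A:9F:8E:7D:6C:5B:4A:9F:8E")

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def _field(dump, name):
    """Value of a 'Name: value' line (e.g. Issuer, Not After)."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*:\s*(.*?)\s*$", dump, re.M)
    return m.group(1) if m else None


def _extension(dump, name):
    """(critical, value) of an X509v3 extension whose value is on the next line."""
    m = re.search(r"^\s*X509v3 " + re.escape(name) + r":[ \t]*(critical)?[ \t]*\n[ \t]*(.+?)[ \t]*$",
                  dump, re.M)
    return (m.group(1) is not None, m.group(2)) if m else (None, None)


def _when(text):
    """Parse an openssl validity timestamp (day may be space-padded)."""
    return datetime.strptime(re.sub(r"\s+", " ", text), _TIME_FMT)


def parse_cert_text(dump):
    """Extract the audit-relevant fields into a dict."""
    ku_crit, ku = _extension(dump, "Key Usage")
    bc_crit, bc = _extension(dump, "Basic Constraints")
    _, ski = _extension(dump, "Subject Key Identifier")
    bits = re.search(r"\((\d+) bit\)", dump)
    return {
        "issuer": _field(dump, "Issuer"),
        "subject": _field(dump, "Subject"),
        "sig_alg": _field(dump, "Signature Algorithm"),
        "key_bits": int(bits.group(1)) if bits else None,
        "not_before": _when(_field(dump, "Not Before")),
        "not_after": _when(_field(dump, "Not After")),
        "key_usage": {u.strip() for u in ku.split(",")} if ku else set(),
        "key_usage_critical": bool(ku_crit),
        "basic_constraints": bc,
        "basic_constraints_critical": bool(bc_crit),
        "subject_key_id": ski,
    }


def audit_ca_cert(cert, now):
    """Return findings for a root CA certificate; an empty list means all checks passed."""
    findings = []
    if cert["issuer"] != cert["subject"]:
        findings.append("not self-signed: issuer differs from subject")
    if cert["basic_constraints"] != "CA:TRUE" or not cert["basic_constraints_critical"]:
        findings.append("basicConstraints must be CA:TRUE and critical")
    if not {"Certificate Sign", "CRL Sign"} <= cert["key_usage"] or not cert["key_usage_critical"]:
        findings.append("keyUsage must be critical and include Certificate Sign and CRL Sign")
    if cert["key_bits"] is None or cert["key_bits"] < 2048:
        findings.append("RSA key shorter than 2048 bits")
    if cert["sig_alg"] and "sha1" in cert["sig_alg"].lower():
        findings.append("signed with SHA-1, a deprecated digest; the successor should use SHA-256")
    if now >= cert["not_after"]:
        findings.append("certificate has expired")
    return findings


def is_rekey(old_cert, new_cert):
    """True when the successor carries a new public key (re-key) rather than
    extending validity on the same key (renewal).  The SKI is normally derived
    from the public key (RFC 5280 section 4.2.1.2); compare the modulus if the dump has it."""
    return old_cert["subject_key_id"] != new_cert["subject_key_id"]


if __name__ == "__main__":
    root = parse_cert_text(ROOT_DUMP)
    for f in audit_ca_cert(root, datetime(2008, 9, 1)):  # assumed check date
        print("finding:", f)
    print("renewal is a re-key:", is_rekey(root, parse_cert_text(RENEWED_DUMP)))
    print("re-keyed cert is a re-key:", is_rekey(root, parse_cert_text(REKEYED_DUMP)))
```

The SHA-1 finding fires on the 2004 root as printed on page 6: sha1WithRSAEncryption was normal at issuance, but a successor root issued at the transition should be signed with SHA-256. The re-key test compares Subject Key Identifiers, which is adequate only when the CA derives the identifier from the key as RFC 5280 recommends; when the dump includes the full modulus, compare that instead.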

(57) The CA shall provide its trust anchor to a trust anchor repository, specified by the accrediting PMA, via the method specified in the policy of the trust anchor repository.

Currently, AIST GRID CA does not provide its trust anchor to a trust anchor repository.

Page 17

Results of self-auditing: Score C

(15) When the CA's cryptographic data needs to be changed, such a transition shall be managed; from the time of distribution of the new cryptographic data, only the new key will be used for certificate signing purposes.

(16) The overlap of the old and new key must be at least the longest time an end-entity certificate can be valid. The older but still valid certificate must be available to verify old signatures, and the secret key to sign CRLs, until all the certificates signed using the associated private key have also expired.

The CP/CPS does not describe the transition procedure.
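Items (15) and (16) fix the shape of the missing transition procedure, and the key dates follow from the page-6 certificate. The following is an added example, not part of the audit: it takes the root's Not After, an assumed maximum end-entity lifetime of 13 months (the slides do not state the CA's limit), and a proposed switch-over date, and reports the latest admissible switch date under (16), whether a given certificate may still be signed with the old key under (15), and how long the old key must remain available to sign CRLs. The two switch dates are constructed for illustration.

```python
"""Schedule check for CA key rollover under items (15) and (16): the new key
must be distributed early enough that old and new keys overlap for at least
the longest end-entity (EE) certificate lifetime, and the old key must stay
available to sign CRLs until every certificate it signed has expired."""
from datetime import datetime, timedelta

# Not After of the root certificate shown on page 6.
OLD_NOT_AFTER = datetime(2009, 10, 18, 10, 28, 35)
# Assumed maximum EE certificate lifetime: 13 months, written as 395 days.
# The slides do not state the CA's actual limit.
MAX_EE_VALIDITY = timedelta(days=395)
# Two candidate switch-over dates, constructed for illustration.
PLANNED_SWITCH = datetime(2008, 9, 1)
LATE_SWITCH = datetime(2008, 12, 1)


def latest_switch_date(old_not_after, max_ee_validity):
    """Latest date the new key may take over signing while still giving the
    overlap item (16) requires: old_not_after - new_not_before must be at
    least max_ee_validity, with the new key valid from the switch date."""
    return old_not_after - max_ee_validity


def may_sign_with_old_key(issue_date, validity, switch_date, old_not_after):
    """Item (15): after the switch only the new key signs; before it, the old
    key may sign only certificates that expire no later than its own
    certificate (a longer one would fail path validation after that date)."""
    return issue_date < switch_date and issue_date + validity <= old_not_after


def plan_rollover(switch_date, old_not_after, max_ee_validity):
    """Describe the transition for a proposed switch date."""
    latest = latest_switch_date(old_not_after, max_ee_validity)
    # The last certificate signed by the old key is issued on the switch
    # date at the latest and cannot outlive the old CA certificate.
    last_old_expiry = min(switch_date + max_ee_validity, old_not_after)
    return {
        "latest_switch": latest,
        "switch_ok": switch_date <= latest,
        # Until this date the old private key must stay in the HSM to sign
        # CRLs, and the old certificate must stay in the repository so that
        # relying parties can verify the signatures it made.
        "old_key_crl_duty_until": last_old_expiry,
    }


if __name__ == "__main__":
    for switch in (PLANNED_SWITCH, LATE_SWITCH):
        plan = plan_rollover(switch, OLD_NOT_AFTER, MAX_EE_VALIDITY)
        print(switch.date(), "ok" if plan["switch_ok"] else "TOO LATE",
              "| latest switch:", plan["latest_switch"].date(),
              "| old key signs CRLs until:", plan["old_key_crl_duty_until"].date())
```

With a 13-month EE lifetime, the latest switch date for a root expiring on 18 Oct 2009 falls on 18 Sep 2008, which is consistent with the "by this September" deadline on the summary slide; a switch in December 2008 would leave less overlap than the longest certificate the old key could still have issued.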

Page 18

Results of self-auditing: Score C

(25) Revocation requests must be properly authenticated.

The authentication of revocation requests described in the CP/CPS applies only to the following case: a user who holds a valid certificate and the corresponding private key requests revocation of her/his own user certificate or host certificate.

(26) Over the entire lifetime of the CA it must not be linked to any other entity.

Currently not yet implemented. Need to consider how to implement.

Page 19

Summary

Revision of the CP/CPS and operation will be made in 2 months.

Our Root CA certificate will expire in October next year.

Need to establish the transition procedure by this September!