IBCAST IRS - National Centre for Physics


NATIONAL CENTRE FOR PHYSICS
PK-Grid-CA
Mehnaz Hafeez
Usman Ahmad Malik
Sajjad Asghar
Advanced Scientific Computing
National Centre for Physics
Introduction
In 1976, the 1st International Nathiagali Summer College
was organized by Prof. Salam.
It was his proposal that eventually this activity should
be transformed into a Centre for Physics.
The Nucleating Centre was established in 1994.
Finally in 1999, the Centre was established on
Campus of Quaid-I-Azam University.
7/8/2015
National Centre for Physics
http://www.ncp.edu.pk
3
National Centre for Physics
NCP is funded by the Government of Pakistan.
It is a National Centre, so we are open to all
universities in Pakistan.
The purpose of the Centre is to promote basic
research in Physics and to break the scientific
isolation of physicists of Pakistan.
National Centre for Physics
Prof. Riazuddin is the Director of NCP.
We have:
Board of Governors
Scientific Council
The Centre has established a number of National and
International Collaborations:
Abdus Salam ICTP
European Organization for Nuclear Research
National Centre for Physics
We organize Workshops, Conferences and
Symposia.
International Nathiagali Summer College
28.06.2004 – 12.07.2004
http://ncp.edu.edu.pk/insc
International Bhurban Conference
07.06.2004 – 12.06.2004
http://ibcast.org.pk
Workshop on Particle Physics (March every year)
Workshop on Advanced Scientific Computing
(October every year)
National Centre for Physics
The Centre is visitor oriented like ICTP.
Small permanent staff.
Faculty members: 06
Students: 12
Support Staff: 06
Flagship activity is research in High-Energy Physics,
both theory and experiment.
National Centre for Physics
NCP – CERN Collaboration:
Detector Simulation and Studies
Detector Construction
R&D related to Gaseous detectors
Physics Data Analysis
Computing for LHC
More information: http://www.ncp.edu.pk
PK-Grid-CA
The PK-Grid-CA is established and managed
by National Centre for Physics in Pakistan.
It provides X.509 certificates to support a
secure environment in grid-related projects.
Procedural Security
End Entity and Certificate Type
Identification and Authentication
Certificate Request
Certificate Revocation
Records Archival
End Entity and Certificate Type
End Entities
NCP Working partners in Domestic/International Grid-based
Application/Projects.
Certificate Type
User Certificate
C=PK, O=NCP, O=People, OU=<UNIT>,
CN=<FULL NAME>, EMAIL=<EMAIL ADDRESS>
Host Certificate
C=PK, O=NCP, O=Host, OU=<UNIT>, CN=<FQDN>
Identification and Authentication
User Certificate:
The subject must personally contact the CA/RA staff in order to
verify identity and the validity of the request.
The subject authentication is performed through the
presentation of a valid official identification document: passport;
national identity card.
Host Certificate:
Requests must be signed with the personal PK-Grid-CA
certificate.
Certificate Request
On-line Request
The subject can request a host or user certificate on-line at
http://ncp.edu.pk/pk-grid-ca
Off-Line Request
The subject can generate his key pair on his machine through
OpenSSL commands.
The subject has to send his public key through an encrypted
email at [email protected]
Certificate Revocation
The subject of the certificate has ceased his relation with the PK-Grid projects.
The subject does not require the certificate any more.
The private key has been lost or is suspected to be compromised.
The information in the certificate is wrong or inaccurate.
The system to which the certificate has been issued has been
retired.
The subject has failed to comply with the rules of this policy.
Procedure for Revocation Request
The person requesting the revocation of a
certificate must authenticate himself by:
Sending a signed e-mail to the PK-Grid-CA/RA
[email protected]
If this is not possible the CA/RA must be contacted
directly. Authentication can be performed with the
same procedure used to authenticate the identity of
a person.
Records Archival
PK-Grid-CA must record and archive
All requests for certificates
All issued certificates
All requests for revocation
All issued CRLs
Boots and shutdowns of the equipment
Interactive system logins
All archive data is stored and backed up in safekeeping.
The retention period for archives is three years.
Physical Security
The PK-Grid-CA issuing machine is:
A dedicated machine.
Not connected to any network.
Located in a secure environment only accessible by
PK-Grid-CA administrator.
Technical Security
Key Generation
Key Restriction
Certificate Restriction
CRL Policy
Key Generation
Private key is generated by browsers on the
users’ machine.
CA and RA will never generate private key on
user’s behalf.
CA and RA have no access to the users’
private key.
Key Restriction
Key Length
PK-Grid-CA private key is 2048 bits.
User private key must have 1024 bits.
Host private key must have 1024 bits.
Pass phrase
The pass phrase of PK-Grid-CA’s private key is at least 15
characters.
The pass phrase of end entity’s private key is at minimum 8
characters.
Protecting the pass phrase from others.
Certificate Restriction
Certificate Lifetime
Validity of PK-Grid-CA certificate is five (5) years.
User certificate is issued for one (1) year.
Host certificate is issued for one (1) year.
Certificate should not be shared.
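Added example (not part of the original slides and not PK-Grid-CA's own tooling): a Python check an RA could run on a request before forwarding it, using the DN layouts, key length and one-year lifetime stated on these slides. The function names, the leap-year allowance and the sample values are assumptions, and DN values are assumed to contain no commas.

```python
import re
from datetime import date

# Values below come from the slides; names and the leap-year allowance are assumptions.
PROFILES = {"People": ["C", "O", "O", "OU", "CN", "EMAIL"],
            "Host": ["C", "O", "O", "OU", "CN"]}
END_ENTITY_KEY_BITS = 1024
MAX_LIFETIME_DAYS = 366  # "one (1) year", allowing for a leap year
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def parse_dn(dn):
    """Split 'K=V, K=V' into ordered (key, value) pairs; reject malformed parts."""
    pairs = []
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def check_request(dn, key_bits, not_before, not_after):
    """Return a list of policy violations; an empty list means the request conforms."""
    problems = []
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    keys = [k for k, _ in pairs]
    values = [v for _, v in pairs]
    kind = values[2] if len(values) > 2 else None  # second O= selects People or Host
    if kind not in PROFILES or keys != PROFILES[kind]:
        problems.append("subject does not match the user or host DN layout")
    elif values[0] != "PK" or values[1] != "NCP":
        problems.append("subject must start with C=PK, O=NCP")
    elif kind == "Host" and not FQDN.match(values[4]):
        problems.append("host CN is not a fully qualified domain name")
    if key_bits != END_ENTITY_KEY_BITS:
        problems.append(f"key is {key_bits} bits, policy states {END_ENTITY_KEY_BITS}")
    if not 0 < (not_after - not_before).days <= MAX_LIFETIME_DAYS:
        problems.append("validity period must be positive and at most one year")
    return problems

if __name__ == "__main__":
    # Constructed sample request: host CN is not an FQDN, so one violation is reported.
    print(check_request("C=PK, O=NCP, O=Host, OU=ASC, CN=localhost",
                        1024, date(2004, 6, 1), date(2005, 6, 1)))
```

The 1024-bit constant mirrors the slide; current guidance such as NIST SP 800-57 calls for RSA keys of at least 2048 bits.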
Certificate Revocation List (CRL) Policy
The lifetime of CRL is 23 days.
CRL is updated immediately after every
certificate revocation.
CRL is reissued 7 days before expiration even
if there have been no revocations.
Related Information
Homepage
http://www.ncp.edu.pk
CP/CPS
Latest version: 1.3.6.1.4.1.19323.1.1.1.3
Follows the RFC 2527 structure
Available at: http://www.ncp.edu.pk/pk-grid-ca
PK-Grid-CA certificate
Available at: http://www.ncp.edu.pk/pk-grid-ca
CRL
Available at: http://www.ncp.edu.pk/pk-grid-ca
Contact Information
Sajjad Asghar
Phone: (+92-51) 2273545
Fax: (+92-51) 9205753
Email: [email protected]
Address: National Centre for Physics,
Quaid-I-Azam University,
Islamabad – 45320,
Pakistan.
Usman Ahmad Malik
Phone: (+92-51) 2273545
Fax: (+92-51) 9205753
Email: [email protected]
Address: National Centre for Physics,
Quaid-I-Azam University,
Islamabad – 45320,
Pakistan.