TAGPMA Accreditation Review of TACC Root CA, TACC Classic
Download
Report
Transcript TAGPMA Accreditation Review of TACC Root CA, TACC Classic
IGTF Accreditation Review
of
MICS Authentication Profile
(Update)
Marg Murray
Texas Advanced Computing Center (TACC)
30 May 2007
1. Intro: MICS AP Goals
• Leverage existing IdM infrastructures.
• Generate end entity certificates based on a
membership or authentication system
maintained by an organization or federation
that last at most 1 year and 1 month.
• MICS CA maps IdM identity to an X.509 Grid
certificate identity.
• Define minimum security requirements.
10th EUGridPMA Mtg Istanbul 30May07
2
2.0 Compliant Architecture
Requirements
• Provide description of:
–
–
–
–
Policy & Procedures for initial registration
How IdM is managed and secured
Connection between IdM and the MICS CA
Translation from IdM namespace to X.509
namespace
– Protection of chain of trust during translation
process.
• Demonstrate long-term commitment
10th EUGridPMA Mtg Istanbul 30May07
3
3. Identity Rules (part 1)
• Any single X.509 DN permanently binds to one and only one
end entity for the lifetime of the CA service.
• Registered subject DN is unique to one registered owner.
• RA role and interactions defined by MICS CA
– Initial face-to-face meeting confirms official government-issued
photo-identification or similar documents.
– Identity documents recorded and archived.
• MICS CA CP/CPS must describe how:
–
–
–
–
Assigned DNs are unique in CA namespace
Identity is checked
Assigned DNs are never re-issued
DN accountability means: traceback to physical person
10th EUGridPMA Mtg Istanbul 30May07
4
3. Identity Rules (part 2)
• IdM must:
– Encrypt re-usable private information
– Provide contact info for notification of certificate issuance
– Provide information to determine whether face-to-face
identity vetting occurred (likely as a LoA)
• IdM may:
– Use a 2nd private element (not published and not normally
used to authenticate)
• If used, the CP/CPS must describe how 'private element' maps
to identity and how it increases identity assurance.
• IdM security mechanisms must be described to PMA.
10th EUGridPMA Mtg Istanbul 30May07
5
4. Operational Requirements (part 1)
• Dedicated machine in a secure environment
• On-line CA with FIPS 140 device
• Highly protected network; accessible from
Internet
• Tamper-protected log of issued certificates
• MICS CA private key >= 2048 bits
– Encrypted copies kept off-line; controlled access
• MICS CA signing lifetime <= 20 years
10th EUGridPMA Mtg Istanbul 30May07
6
4. Operational Requirements (part 2)
• CP/CPS in RFC 3647 format
• Publish CRLS unless EE certificate lifetime <
1 million s (~11 days)
• EE certificates
– Must be >= 1024 bits; lifetime <= 1year + 1month
– X.509v3, RFC3280 compliant
– Section 4.2-4.5: CA & EE certificate profile; CRL
profile; Host Certificates; Revocation; CA Key
Changeover
10th EUGridPMA Mtg Istanbul 30May07
7
5. Site and IdM System Security
• 5.1 Site CA Security
• 5.2 IdM Security
10th EUGridPMA Mtg Istanbul 30May07
8
6. Publication and Repository
• http or https URL: CA general info web page
• MICS CA root certificate or set of CA
certificates up to a self-signed root
• http or https URL: PEM-formatted CA
certificate
• If revocation is supported: http URL of PEM
or DER formatted CRL
• http URL of CP/CPS; contact email and
postal address
10th EUGridPMA Mtg Istanbul 30May07
9
7. Audits
• MICS CA must record and archive (for at least three
years):
– CSRs; issued certs; CRRs; login/logout/reboot of issuing
machine
• MICS CA must accept auditing by other accredited
Cas
• MICS CA should perform internal operational audits
of CA/RA staff and IdM interfaces
• MICS CA recommends that IdM system make their
periodic audits and reviews available to MICS CA
staff
10th EUGridPMA Mtg Istanbul 30May07
10
8. Privacy and Confidentiality
• MICS CAs must define and follow a privacy and data
release policy compliant with their relevant national
legislation.
• MICS CA is responsible for recording (at the time of
validation) sufficient information to uniquely identify
the person getting the certificate.
• The MICS CA is not required to release identity
information unless presented with a valid legal
request compliant with relevant laws.
10th EUGridPMA Mtg Istanbul 30May07
11
9. Compromise and Disaster
Recovery
• MICS CA should have a Business Continuity
and Disaster Recovery Plan
– Doesn't need to be disclosed in CP/CPS
– Must be willing to discuss procedures with PMA
10th EUGridPMA Mtg Istanbul 30May07
12
10. Due Diligence for Subscribers
• MICS CA should make a reasonable effort to
teach subscribers how to properly protect
their private data.
• Long-term X.509 credentials require the user
to protect his/her private key with a strong
pass phrase.
10th EUGridPMA Mtg Istanbul 30May07
13
End of MICS CA Profile Summary
• And now:
– Issues:
• 2nd authentication element
• Levels of Assurance
– Examples:
• NCSA MICS CA
• TACC MICS CA
10th EUGridPMA Mtg Istanbul 30May07
14
Issue: 2nd Identity Element
• Requirements:
– High assurance of unique mapping to end entity
– Enhance end entity validation.
• In elevated security mode?
• Examples of what works:
– Answers to random questions collected out-ofband (e.g., at initial registration)
• Examples of what doesn't work:
– Birthday
10th EUGridPMA Mtg Istanbul 30May07
15
Issue: MICS CA and LoA
• IdM Maintains Levels of Assurance (LoA)
– Definitions of different levels are crucial
– Use of a Private Key restricted solely to a
hardware token enhances LoA.
• Examples???
10th EUGridPMA Mtg Istanbul 30May07
16
MICS CA Examples
• NCSA MICS CA
– Provisionally accredited for TeraGrid
• Replaces F2F vetting with long-standing NSF Allocations
Peer Review process
• TACC MICS CA
– Seeking full accreditation for operation within
Texas; applies to more than one grid organization
– 1st recognized IdM: UT-System Federation
– 2nd candidate IdM: Texas A&M University System
10th EUGridPMA Mtg Istanbul 30May07
17
How Does Shibboleth Work?
Your request is
forwarded to
Identity Provider
your
User/Web
Organization’s
browser
IdP HS/SSO
Home campus What is your
Organization?
Authentication
4
3
Who are
You?
System
Can you login?
(ISO/SSO/Cert)
WAYF
5
I am satisfied with the
attributes. Control is passed
to the
11application.
Service Provider
1
2
(Federation)
Handle Service/SSO
Authority
8
9
I know who
7 you are.
10
Your request and
handle is redirected to
Attributes determined by ARP
SP.
LDAP (eduPerson)
Now I know you
are someone.
Assertion
I need more
Consumer
Service
information.
What are
you asking
Attribute
for and does
Requestor
6
What are the
attributes for
this
user?
Attribute
Web application
The allowed attributes
are returned to the SP.
it require a
Resourceshibb
session?
Manager/Svr
Module
Web Site
U.T. System IdM Roadmap
Source:
https://idm.utsystem.edu/
IdentityMgmtpage4.pdf
Color Key:
Complete
Current
Development
In-Progress
Longer-term Future
10th EUGridPMA Mtg Istanbul 30May07
19
TACC Member-Integrated CA Portal
Services
•
AUTHENTICATE Identity
– Does IdP know this user based on in-person ID vetting?
• If not in-person, user access to low-risk applications is ok, but no X.509 credential
– Request user attributes from IdP.
•
If eduPersonEntitlement "PIeligible" attribute is asserted, enable "Request Allocation" button
– Query TACC Accounting DB for User Context
•
•
•
•
•
•
–
•
Can check that user answers security question setup at initial registration
Check for active Projects, Allocations, and VO membership and roles
Find user's unique Distinguished Name (CN+issuer) by querying CN list by
eduPersonPrincipalName OR eduPersonTargetedID
Check that IdM is not re-using eduPersonPrincipalName by matching email, phone,address
Query VOMRS attribute server to verify user's VO membership and roles
Determine length of short-term certificate
Enable "Get short-term X.509 cert" button
PROVIDE resulting short-term X.509 credential when user wants it
10th EUGridPMA Mtg Istanbul 30May07
20
2) UT-System Shibboleth WAYF
Dialogue
User
Selects
Identity
Provider
from Pulldown menu
10th EUGridPMA Mtg Istanbul 30May07
21
3) Authenticate with
Home Identity Provider
Regular
Campus/IdP
login.
This one is
for UTSystem
10th EUGridPMA Mtg Istanbul 30May07
22
Each IdP Presents Its Own
Dialogue/Look and Feel
This is the login
dialogue for the
UT-Austin IdP
10th EUGridPMA Mtg Istanbul 30May07
23
UT-System Also Supports the
ProtectNetwork IdP
ProtectNetwork
offers both free
LoA-1 identity
and Validated
LoA-2 identity
for $$.
(One option for
external, lowrisk application
users.)
10th EUGridPMA Mtg Istanbul 30May07
24
TACC MICS Namespace
DC = edu; DC = utexas; DC = tacc
O = UT-Austin; OU=TACC MICS CA
--------- {added if RA not at TACC}
O = {RA-org}; OU = {RA-dept}
O = {IdM}; OU = {IdP}
--------CN = {PERSON: firstname initial lastname{seq}}
SubjectAltName =
{PERSON: email address}
10th EUGridPMA Mtg Istanbul 30May07
25
TACC MICS CA: DN Uniqueness
• Successful DN registration ==> UNIQUE
– Initial registration process checks {cn & email & phone &
eduPersonPrincipalName & address &
edupersonTargetedID} to prevent duplicates
– Uniqueness is maintained across both TACC MICS and
TACC Classic CA
AND
• UT-System eduPersonTargetedID ==> UNIQUE
– Campus suffix + campus policy enforces
– Alternately, eduPersonPrincipalName & email & phone &
address can enforce uniqueness requirement
– Allows TACC to map each user to a specific DN (CN+issuer)
10th EUGridPMA Mtg Istanbul 30May07
26
TACC CA Structure
• Off-line Root CA generates only subordinate CA
certificates. (OpenCA)
• Subordinate CA private keys protected by HSM on
CA server. (OpenCA & SafeNet SDK)
TACC Root CA
(off-line)
TACC Subordinate
Classic CA
(on-line)
TACC Subordinate
MICS CA
(on-line)
10th EUGridPMA Mtg Istanbul 30May07
27
Shibboleth Identity Verification
• User interacts with access protected URL that
requires creation of a Shibboleth session
– User picks home campus from pull-down menu
– Redirect (WAYF) sent to specific campus IdP
• {username/password} Success => Shib session handle
– Redirect back to Special URL at TACC (presence of handle
asserts identity)
– Shib/SAML call between TACC app & campus Attribute
Authority (AA) retrieves from back end datastore (LDAP):
{eduPersonPrincipalName, cn, eduPersonTargetedID, LOA,
email, phone, address, eduPersonEntitlement(PIeligible)}
• If LOA <= 2 OR TACC is in elevated security mode:
– Ask user 2nd element question (from initial registration)
– If user's answer matches:
ACCEPT Identity AND MAP to unique name AND ISSUE CSR
10th EUGridPMA Mtg Istanbul 30May07
28
How Does Shibboleth Work?
Your request is
forwarded to
Identity Provider
your
User/Web
Organization’s
browser
IdP HS/SSO
Home campus What is your
Organization?
Authentication
4
3
Who are
You?
System
Can you login?
(ISO/SSO/Cert)
WAYF
5
I am satisfied with the
attributes. Control is passed
to the
11application.
Service Provider
1
2
(Federation)
Handle Service/SSO
Authority
8
9
I know who
7 you are.
10
Your request and
handle is redirected to
Attributes determined by ARP
SP.
LDAP (eduPerson)
Now I know you
are someone.
Assertion
I need more
Consumer
Service
information.
What are
you asking
Attribute
for and does
Requestor
6
What are the
attributes for
this
user?
Attribute
Web application
The allowed attributes
are returned to the SP.
it require a
Resourceshibb
session?
Manager/Svr
Module
Web Site
TACC MICS Initial Registration
• Portal front-end already has general information
about user from UT-System Shibboleth
– General Info: cn, eduPersonPrincipalName,
eduPersonTargetedName, address, email, phone
• Portlet can contact CA to check Name (cn) against
existing CNs
– Results: No match (OK) OR send email to Security Officer
"Identity Verification Followup Required!"
• CN bound to one and only one individual
• CN can be used in both Classic and MICS certificates
10th EUGridPMA Mtg Istanbul 30May07
30
Hardware Security Controls
• SafeNet ProtectServer Gold PCI HSM card
– FIPS 140-2 Level 3 (Stage 5: Finalization 12Mar07)
• TACC installed FIPS evaluated firmware and software
• Testing using command line tools was successful for multitoken operation in FIPS mode
• Application Development underway.
• Servers in Secure Rack within controlled access
computer room (Logged access limited to Security
Officers)
• GSA fireproof safe also in Secure Rack contains
TACC Root CA
• Server containing HSM is dedicated to CA functions
• Server is behind a (still problematic) hardware firewall
10th EUGridPMA Mtg Istanbul 30May07
31
Software Security Controls
•
•
•
•
•
OS kept at most current security patch level
CA Server timestamps synced with ntpd
CA Server runs only minimum OS services
CA Server runs shorewall (software firewall)
Front-end and Back-end Portlets that talk to CA
developed following security best practices
– Now have a development portal server and a production
portal server (provided by UT-System)
– Portal prototype developed using GridSphere 2.2.8
– Upgrading to tomcat 5.5.21 to avoid security flaw
– Considering advantages of using Shibboleth 2.0 instead of
Shibboleth 1.3
10th EUGridPMA Mtg Istanbul 30May07
32
Event Logging
• CA server syslog (timestamped)
– System startup & shutdown; Device install and errors;
service startup & shutdown
• HSM event logs (timestamped)
– HSM tamper detect and device errors; Slot operations; SO,
Admin and User access
• ssh logs (timestamped in /var/log/secure)
• Portal apache and tomcat access and error logs
(timestamped)
• HW firewall alarms if stateful packet inspection
detects that rate of auth attempts is above threshold
for an individual user. (Still debugging HW firewall.)
10th EUGridPMA Mtg Istanbul 30May07
33
Disaster Recovery Procedures
• CA private keys stored off-line in GSA safe
• CA server uses private keys and signs CSRs using
tamper-proof HSM functions
• HSM card is on maintenance with spare shipped
overnight
• CA private keys securely exported from HSM to
SmartCard; stored in GSA safe
• End entity Certificates stored on dedicated CA server
in HSM and is SMS protected file. Periodically burned
to CDROM; stored in GSA safe
• Servers running RedHat Linux are on hardware and
software maintenance. Security officer logs in and
uses OTP to apply vetted patches:
– % sudo up2date -uv{f}
10th EUGridPMA Mtg Istanbul 30May07
34
Additional questions or concerns on the
MICS Authentication Profile?
Marg Murray, Ph.D. Research Associate
Advanced Computing Systems
Texas Advanced Computing Center
The University of Texas at Austin
[email protected]
J.J. Pickle Research Campus
10100 Burnet Rd. (R8700)
Austin, TX USA 78758-4497
10th EUGridPMA Mtg Istanbul 30May07
35