RootCA Init; Interesting external resources

2017-02-05 17:15:28 +01:00 · 2017-02-05 17:15:28 +01:00 · e44a25b643
parent f5c69eaf0b
commit e44a25b643
6 changed files with 179 additions and 76 deletions
--- a/design/hs_pki_architecture
+++ b/design/hs_pki_architecture
@ -50,13 +50,27 @@ Components:
 - Monitor ICC (javacard + NXP)

 Roles:
- - Root CA:		Issue CA ceritifcates and KC certificates (at least N>2)
- - CA:			Issues end-user/device certificates (N>2)
- - Key Custodian:	PKI peptide control interface (N>2)
- - Key Custodian:	CA KC performing action in ceremony.
+ - CA:			Certificate Authority. 
+			Issues end-user/device certificates (N>2)
+			CA is online, connected to infrastructure.
+
+ - Root CA:		Issue CA ceritifcates and KC certificates (at least N>2).
+			Root CA is offline, airgapped device.
+
+ - AIA:			Authority Information Access - CA certificates repo (ldap/https)
+
+ - CRL:			Certificate Revocation List. List of certificates that CA issued
+			but must be revoked (i.e. compromised) before end of it's
+			lifetime.
+ - CDP:			CRL distribution point.
+
+ - Key Custodian:	PKI peptide control interface (N>2). 
+
 - Master of Ceremony: 	PKI meta-peptide control interface for CA ceremonies. 
   			Should not be Key Custodian during ceremony. N=1
+
 - Key Manager: 	Spin all this shit around.
+
 - Auditor: 		Looking at others hands.

 I Bootstrap
@ -65,7 +79,7 @@ A KC cards
 ?> First 2 KCs generate their keys and CSR's on KC ICC using KC tools.
   This can be done on their workstation, but doing it on Root CA will be more convinient.

-># KC init
+># kc init
 <# Set PIN
 ># ****
 <# PIN set
@ -73,33 +87,82 @@ A KC cards
 ># cn=<username>,ou=pki,ou=Services,dc=hackerspace,dc=pl
 <# KC ICC done

-<- KC1_ICC:KC1PK
-<- KC1.csr
-<- KC2_ICC:KC2PK
-<- KC2.csr
+<- KC1_ICC:KC1_sigPK	#Used for issuing commands to CA/RootCA
+<- KC1_ICC:KC1_CAzmkPK	#Used to protect backups of CA private keys
+<- KC1_sigPK.csr	#Export to RootCA to get KC certificate
+<- KC1_zmkPK.csr	#Export for CA to encrypt it's private keys

-B Root_CA_1
+<- KC2_ICC:KC2_sigPK	#Same as above for KC2
+<- KC2_ICC:KC2_CAzmkPK
+<- KC2_sigPK.csr
+<- KC2_zmkPK.csr
+   ...
+<- KCN_ICC:KCN_sigPK	#Same as above for KCN
+<- KCN_ICC:KCN_CAzmkPK
+<- KCN_sigPK.csr
+<- KCN_CAzmkPK.csr
+
+B Root_CA_N1

- CA_N1
 -> Key manager initiates self-generation of asymmetric crypto keys on 1st CA ICC and
-   sets two initial KC:
+   sets two (or more) initial KC's:

-># ca init -a KC1.csr -a KC2.csr
-<# CA 
+># ca root init -kc KC1*.csr -kc KC2*.csr [-kc KCN*.csr]

-<- CA_N1_ICC:CA_sigPK
-<- CA_N1_ICC:CA_srvPK
-<- CA_N1_ICC:CA_admPK
-<- CA_N1_InitCAsig.crt
-<- CA_N1_InitCAsrv.crt
-<- CA_N1_InitCAadm.crt
-<- CA1_KC1.crt
-<- CA1_KC2.crt
+<- Root_CA_N1_ICC:RootCA_sigPK:pub	#Will be used in CA cert but also for integrity
+<- Root_CA_N1_ICC:RootCA_sigPK:priv	#Used for issuing CA and KC certificates
+<- Root_CA_N1_ICC:RootCA_KC_zmkPK:pub	#Will be used by KC to send recovery share to CA
+<- Root_CA_N1_ICC:RootCA_KC_zmkPK:priv	#Will be used by CA to decrypt share from KC
+
+
+<- (Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)	#Option: generate AES key for protection
+						# 	 of CA signing key
+<- (Root_CA_N1_ICC:RootCA_sigPK:priv.encr.aes)	#Option: Encrypt signing key with AES
+<- Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_1..N	# Split signing key (or it's
+							# encryption key) into shares
+							# for each KC
+
+<- Root_CA_N1_sigPriv_SSSS_1_KC1_zmk.enc	#Encrypt CA private key share1 with KC1
+						#encryption key
+
+<x Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_1	#Remove share1
+<- Root_CA_N1_sigPriv_SSSS_2_KC2_zmk.enc		#Share2 for KC2
+<x Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_2	#Remove share2
+   ...
+<- Root_CA_N1_sigPriv_SSSS_N_KCN_zmk.enc		#ShareN for KCN
+<x Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_N	#Remove shareN
+
+<- Root_CA_N1_sigPriv_SSSS_1_KC1_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig
+<- Root_CA_N1_sigPriv_SSSS_2_KC2_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig
+   ...
+<- Root_CA_N1_sigPriv_SSSS_N_KCN_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig
+
+<- Root_CA_N1_sigPriv_SSSS_1_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc
+<- Root_CA_N1_sigPriv_SSSS_2_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc
+   ...
+<- Root_CA_N1_sigPriv_SSSS_N_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc
+
+<- Root_CA_N1_ICC:RootCA_KC1_encPK	# CA encryption public key for KC to send
+					# their encrypted shares
+<- Root_CA_N1_KC1.kc.crt		# KC1 certificate issued with Root_CA
+					# This will be used to issue commands to RootCA
+<- Root_CA_N1_KC2.kc.crt		# Same as above for KC2 ...
+   ...
+<- Root_CA_N1_KCN.crt.kc		# ... and KCN
+<- Root_CA_N1.crt			# Issue self-signed certificate
+<- Root_CA_N1.csr			# Issue CSR for root cross-signing
+<x Root_CA_N1_ICC:RootCA_sigPK:priv	# Destroy signing private key
+
+===================================
+Root_CA_N1_ICC:
+	RootCA_sigPK:pub		# Retain it or not?
+	RootCA_KC_zmkPK:priv		# Decrypt CA signing private key shares from KC
+	

 C CA_N2
 -> Key manager initiates key generation on 2nd CA ICC

-># ca
+># ca root init -ca 

 .B same as 1.A but on 2nd CA ICC and any further CA ICC

--- a/design/hs_pki_ldap
+++ b/design/hs_pki_ldap
@ -15,12 +15,6 @@ cn=CA1,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
 cn=CA2,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
 ...

-# PKI KC certs store (rw for servers, ro for KC):
-cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
-uid=enleth,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
-uid=cranix,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
-uid=q3k,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
-
 # CRL Distribution Points - each CA has its own
 cn=CDP,cn=PKI,ou=Services,dc=hackerspace,dc=pl
 cn=CA1,cn=CA1,cn=PKI,ou=Services,dc=hackerspace,dc=pl
--- a/design/hs_pki_policy
+++ b/design/hs_pki_policy
@ -1,3 +1,5 @@
+Serial numbers: sequence or *hash*?
+
 Root CA cert valid for 6y
 Root CA CRL valid for 14m
 * need ceremony at least once per y to renew CRL
--- a/design/hs_pki_templates
+++ b/design/hs_pki_templates
@ -1,19 +1,34 @@
-End user:
-	End user split in:
-	 - soft stored certs
-	 - obfuscated certs
-	 - hardware secured certs
+Category depending on how keys are protected
+	- soft stored certs
+	- obfuscated certs
+	- hardware secured certs
+	- fips secured certs

-	End user:
-	 - Client certs (auth)
-	 - E-mail certs (signing)
-	 - Encryption
+Usage:
+	- Signing
+	 * Code
+	 * E-Mails
+	 * WS Requests / RPC / Messages
+	- Authentication
+	 * TLS
+	 * SSH(?)

-	Device:
-	 - TLS certs (encr/auth)
-	  * server
-	  * client
-	  * server+client(?)
+	 * Server
+	 * Client
+	 * Server + Client (?)
+	
+	- Encryption
+	 * Recovery
+
+Algos:
+	-Encrypt / auth: RSA, EC
+	-Integrity: SHA-1,SHA-2,SHA-3
+
+Network Zone:
+	- External (public certificates)
+	- DMZ
+	- Internal
+	- Core

 	All above should be issued per application or generally applications should
 	leverage main user certificate
--- a/design/hs_pki_uc
+++ b/design/hs_pki_uc
@ -1,33 +0,0 @@
-UC1.	Bootstraping itself
-UC2.	Issuing new certificates
-UC2.1	Key Generation + Archival
-UC2.2	Signing external CRL's
-UC3.	Revoking existing keys (CRL)
-UC3.1	Renewing CRL (no need of KC interaction if there was no additional certs)
-UC3.2?	DeltaCRL
-UC4.	Monitoring
-UC5.	Backup
-UC5.1	Backup verification
-UC6	High availability (cluster)
-UC6.1	Adding/decomissioning new Root CA node to PKI cluster
-UC6.2	Adding/decomissioning new CA node to PKI cluster
-UC6.3	Adding/decomissioning new Monitor
-UC7	RA
-UC7.1	RA notifies KC on new requests (ra@pki.hackerspace.pl?)
-UC	Agent(?) to request/renew certificates from end device
-UC	ICC deployment agent (for issuing member cards)
-UC	Renewing member certificate / lost password (other 2 members is enough, 
-	no KC need to be involved)
-UC	ICC for servers (how to secure?)
-UC	Agent(?) to fetch CRL
-UC	Enrollment agent for stupid devices (ansible/salt)
-
-
-SR1.	CA Private key is never under control of single user or device (SPOF)
-SR2.	Low level verification if CA is issuing only end-user certificates
-SR2.1	Policy constraints with certificate depth for CA
-SR3.	Auditing
-SR3.1	Non repudative audit log (merkle trees)
-SR4	Adding new KC
-SR4.1	Revoking KC
-SR5	Mass revoke/renew certificates
--- a/design/hs_pki_uc+req
+++ b/design/hs_pki_uc+req
@ -0,0 +1,62 @@
+UC1.	Bootstraping itself
+UC2.	Issuing new certificates
+UC2.1	Key Generation + Archival (encryption certs)
+UC2.2	Signing external CRL's
+UC2.3	End user certificates
+UC2.4	Applications
+UC2.4.1	Device certificates
+UC2.4.1.1	Servers
+UC2.4.1.1.1	Linux
+UC2.4.1.1.2	Hypervisors
+UC2.4.1.1.2.1	Kubernetes
+UC2.4.1.1.2.1.1	POD
+UC2.4.1.2	Network devices
+UC2.4.1.3	HS Access
+UC2.4.2	Dedicated user certificates (if main user certificate is not suitable)
+UC2.4.3	Other certificates (?)
+UC2.5	Certificate templates
+UC2.5.1	Device certificate templates
+UC2.5.2 End user certificate templates (US CAC format preferred)
+UC2.5.3	Other certificates (?)
+UC3.	Revoking existing keys (CRL)
+UC3.1	Renewing CRL (no need of KC interaction if there was no additional certs)
+UC3.2?	DeltaCRL
+UC4.	Monitoring
+UC5.	Backup
+UC5.1	Backup verification
+UC5.2	Backup of encryption certificates
+UC6	High availability (cluster)
+UC6.1	Adding/decomissioning new Root CA node to PKI cluster
+UC6.2	Adding/decomissioning new CA node to PKI cluster
+UC6.3	Adding/decomissioning new Monitor
+UC7	RA
+UC7.1	RA notifies KC on new requests (ra@pki.hackerspace.pl?)
+UC8	Enrollment
+UC8.1	Agent(?) to request/renew certificates from end device (a'la certbot)
+UC8.2	ICC deployment agent 
+UC8.2.1	for member cards
+UC8.2.2	for devices
+UC8.2.2.1	support device migration between hosts
+UC8.2.3	Enrollment agent for stupid devices (ansible/salt)
+UC8.3	Manage certificates issued by external CA
+UC8.3.1	Notify about expiry
+UC8.3.2	Manage renewal (if possible) & redeploy (letsencrypt)
+UC9	Certificate renewal
+UC9.1	Renewing member certificate / lost password (other 2 members is enough, 
+	no KC need to be involved)
+UC9.2	Plain renewal - use plain cert authentication, to ask for renewal
+UC9.2.1	Consider signing / encryption certs without auth extensions
+UC10	Agent(?) to fetch CRL
+UC11	List of all certificates
+UC11.1	Certificate status from whole infrastructure on demand
+UC12	Support for PKCS#11 interface
+
+SR1.	CA Private key is never under control of single user or device (SPOF)
+SR2.	Low level verification if CA is issuing only end-user certificates
+SR2.1	Policy constraints with certificate depth for CA
+SR3.	Auditing
+SR3.1	Non repudative audit log (merkle trees with pbkdf2)
+SR3.2	COINKS?
+SR4	Adding new KC
+SR4.1	Revoking KC
+SR5	Mass revoke/renew certificates