diff --git a/design/hs_pki_architecture b/design/hs_pki_architecture index 6931e94..1e928cb 100644 --- a/design/hs_pki_architecture +++ b/design/hs_pki_architecture @@ -50,13 +50,27 @@ Components: - Monitor ICC (javacard + NXP) Roles: - - Root CA: Issue CA ceritifcates and KC certificates (at least N>2) - - CA: Issues end-user/device certificates (N>2) - - Key Custodian: PKI peptide control interface (N>2) - - Key Custodian: CA KC performing action in ceremony. + - CA: Certificate Authority. + Issues end-user/device certificates (N>2) + CA is online, connected to infrastructure. + + - Root CA: Issue CA ceritifcates and KC certificates (at least N>2). + Root CA is offline, airgapped device. + + - AIA: Authority Information Access - CA certificates repo (ldap/https) + + - CRL: Certificate Revocation List. List of certificates that CA issued + but must be revoked (i.e. compromised) before end of it's + lifetime. + - CDP: CRL distribution point. + + - Key Custodian: PKI peptide control interface (N>2). + - Master of Ceremony: PKI meta-peptide control interface for CA ceremonies. Should not be Key Custodian during ceremony. N=1 + - Key Manager: Spin all this shit around. + - Auditor: Looking at others hands. I Bootstrap @@ -65,7 +79,7 @@ A KC cards ?> First 2 KCs generate their keys and CSR's on KC ICC using KC tools. This can be done on their workstation, but doing it on Root CA will be more convinient. -># KC init +># kc init <# Set PIN ># **** <# PIN set @@ -73,33 +87,82 @@ A KC cards ># cn=,ou=pki,ou=Services,dc=hackerspace,dc=pl <# KC ICC done -<- KC1_ICC:KC1PK -<- KC1.csr -<- KC2_ICC:KC2PK -<- KC2.csr +<- KC1_ICC:KC1_sigPK #Used for issuing commands to CA/RootCA +<- KC1_ICC:KC1_CAzmkPK #Used to protect backups of CA private keys +<- KC1_sigPK.csr #Export to RootCA to get KC certificate +<- KC1_zmkPK.csr #Export for CA to encrypt it's private keys -B Root_CA_1 +<- KC2_ICC:KC2_sigPK #Same as above for KC2 +<- KC2_ICC:KC2_CAzmkPK +<- KC2_sigPK.csr +<- KC2_zmkPK.csr + ... +<- KCN_ICC:KCN_sigPK #Same as above for KCN +<- KCN_ICC:KCN_CAzmkPK +<- KCN_sigPK.csr +<- KCN_CAzmkPK.csr + +B Root_CA_N1 - CA_N1 -> Key manager initiates self-generation of asymmetric crypto keys on 1st CA ICC and - sets two initial KC: + sets two (or more) initial KC's: -># ca init -a KC1.csr -a KC2.csr -<# CA +># ca root init -kc KC1*.csr -kc KC2*.csr [-kc KCN*.csr] -<- CA_N1_ICC:CA_sigPK -<- CA_N1_ICC:CA_srvPK -<- CA_N1_ICC:CA_admPK -<- CA_N1_InitCAsig.crt -<- CA_N1_InitCAsrv.crt -<- CA_N1_InitCAadm.crt -<- CA1_KC1.crt -<- CA1_KC2.crt +<- Root_CA_N1_ICC:RootCA_sigPK:pub #Will be used in CA cert but also for integrity +<- Root_CA_N1_ICC:RootCA_sigPK:priv #Used for issuing CA and KC certificates +<- Root_CA_N1_ICC:RootCA_KC_zmkPK:pub #Will be used by KC to send recovery share to CA +<- Root_CA_N1_ICC:RootCA_KC_zmkPK:priv #Will be used by CA to decrypt share from KC + + +<- (Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key) #Option: generate AES key for protection + # of CA signing key +<- (Root_CA_N1_ICC:RootCA_sigPK:priv.encr.aes) #Option: Encrypt signing key with AES +<- Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_1..N # Split signing key (or it's + # encryption key) into shares + # for each KC + +<- Root_CA_N1_sigPriv_SSSS_1_KC1_zmk.enc #Encrypt CA private key share1 with KC1 + #encryption key + + sig +<- Root_CA_N1_sigPriv_SSSS_2_KC2_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig + ... +<- Root_CA_N1_sigPriv_SSSS_N_KCN_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig + +<- Root_CA_N1_sigPriv_SSSS_1_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc +<- Root_CA_N1_sigPriv_SSSS_2_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc + ... +<- Root_CA_N1_sigPriv_SSSS_N_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc + +<- Root_CA_N1_ICC:RootCA_KC1_encPK # CA encryption public key for KC to send + # their encrypted shares +<- Root_CA_N1_KC1.kc.crt # KC1 certificate issued with Root_CA + # This will be used to issue commands to RootCA +<- Root_CA_N1_KC2.kc.crt # Same as above for KC2 ... + ... +<- Root_CA_N1_KCN.crt.kc # ... and KCN +<- Root_CA_N1.crt # Issue self-signed certificate +<- Root_CA_N1.csr # Issue CSR for root cross-signing + Key manager initiates key generation on 2nd CA ICC -># ca +># ca root init -ca .B same as 1.A but on 2nd CA ICC and any further CA ICC diff --git a/design/hs_pki_ldap b/design/hs_pki_ldap index 16e8a3f..8b8c378 100644 --- a/design/hs_pki_ldap +++ b/design/hs_pki_ldap @@ -15,12 +15,6 @@ cn=CA1,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl cn=CA2,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl ... -# PKI KC certs store (rw for servers, ro for KC): -cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl -uid=enleth,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl -uid=cranix,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl -uid=q3k,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl - # CRL Distribution Points - each CA has its own cn=CDP,cn=PKI,ou=Services,dc=hackerspace,dc=pl cn=CA1,cn=CA1,cn=PKI,ou=Services,dc=hackerspace,dc=pl diff --git a/design/hs_pki_policy b/design/hs_pki_policy index b90e145..5f22b2c 100644 --- a/design/hs_pki_policy +++ b/design/hs_pki_policy @@ -1,3 +1,5 @@ +Serial numbers: sequence or *hash*? + Root CA cert valid for 6y Root CA CRL valid for 14m * need ceremony at least once per y to renew CRL diff --git a/design/hs_pki_templates b/design/hs_pki_templates index 3196fc6..b4f1f5d 100644 --- a/design/hs_pki_templates +++ b/design/hs_pki_templates @@ -1,19 +1,34 @@ -End user: - End user split in: - - soft stored certs - - obfuscated certs - - hardware secured certs +Category depending on how keys are protected + - soft stored certs + - obfuscated certs + - hardware secured certs + - fips secured certs - End user: - - Client certs (auth) - - E-mail certs (signing) - - Encryption +Usage: + - Signing + * Code + * E-Mails + * WS Requests / RPC / Messages + - Authentication + * TLS + * SSH(?) - Device: - - TLS certs (encr/auth) - * server - * client - * server+client(?) + * Server + * Client + * Server + Client (?) + + - Encryption + * Recovery + +Algos: + -Encrypt / auth: RSA, EC + -Integrity: SHA-1,SHA-2,SHA-3 + +Network Zone: + - External (public certificates) + - DMZ + - Internal + - Core All above should be issued per application or generally applications should leverage main user certificate diff --git a/design/hs_pki_uc b/design/hs_pki_uc deleted file mode 100644 index 7a40901..0000000 --- a/design/hs_pki_uc +++ /dev/null @@ -1,33 +0,0 @@ -UC1. Bootstraping itself -UC2. Issuing new certificates -UC2.1 Key Generation + Archival -UC2.2 Signing external CRL's -UC3. Revoking existing keys (CRL) -UC3.1 Renewing CRL (no need of KC interaction if there was no additional certs) -UC3.2? DeltaCRL -UC4. Monitoring -UC5. Backup -UC5.1 Backup verification -UC6 High availability (cluster) -UC6.1 Adding/decomissioning new Root CA node to PKI cluster -UC6.2 Adding/decomissioning new CA node to PKI cluster -UC6.3 Adding/decomissioning new Monitor -UC7 RA -UC7.1 RA notifies KC on new requests (ra@pki.hackerspace.pl?) -UC Agent(?) to request/renew certificates from end device -UC ICC deployment agent (for issuing member cards) -UC Renewing member certificate / lost password (other 2 members is enough, - no KC need to be involved) -UC ICC for servers (how to secure?) -UC Agent(?) to fetch CRL -UC Enrollment agent for stupid devices (ansible/salt) - - -SR1. CA Private key is never under control of single user or device (SPOF) -SR2. Low level verification if CA is issuing only end-user certificates -SR2.1 Policy constraints with certificate depth for CA -SR3. Auditing -SR3.1 Non repudative audit log (merkle trees) -SR4 Adding new KC -SR4.1 Revoking KC -SR5 Mass revoke/renew certificates diff --git a/design/hs_pki_uc+req b/design/hs_pki_uc+req new file mode 100644 index 0000000..b96031d --- /dev/null +++ b/design/hs_pki_uc+req @@ -0,0 +1,62 @@ +UC1. Bootstraping itself +UC2. Issuing new certificates +UC2.1 Key Generation + Archival (encryption certs) +UC2.2 Signing external CRL's +UC2.3 End user certificates +UC2.4 Applications +UC2.4.1 Device certificates +UC2.4.1.1 Servers +UC2.4.1.1.1 Linux +UC2.4.1.1.2 Hypervisors +UC2.4.1.1.2.1 Kubernetes +UC2.4.1.1.2.1.1 POD +UC2.4.1.2 Network devices +UC2.4.1.3 HS Access +UC2.4.2 Dedicated user certificates (if main user certificate is not suitable) +UC2.4.3 Other certificates (?) +UC2.5 Certificate templates +UC2.5.1 Device certificate templates +UC2.5.2 End user certificate templates (US CAC format preferred) +UC2.5.3 Other certificates (?) +UC3. Revoking existing keys (CRL) +UC3.1 Renewing CRL (no need of KC interaction if there was no additional certs) +UC3.2? DeltaCRL +UC4. Monitoring +UC5. Backup +UC5.1 Backup verification +UC5.2 Backup of encryption certificates +UC6 High availability (cluster) +UC6.1 Adding/decomissioning new Root CA node to PKI cluster +UC6.2 Adding/decomissioning new CA node to PKI cluster +UC6.3 Adding/decomissioning new Monitor +UC7 RA +UC7.1 RA notifies KC on new requests (ra@pki.hackerspace.pl?) +UC8 Enrollment +UC8.1 Agent(?) to request/renew certificates from end device (a'la certbot) +UC8.2 ICC deployment agent +UC8.2.1 for member cards +UC8.2.2 for devices +UC8.2.2.1 support device migration between hosts +UC8.2.3 Enrollment agent for stupid devices (ansible/salt) +UC8.3 Manage certificates issued by external CA +UC8.3.1 Notify about expiry +UC8.3.2 Manage renewal (if possible) & redeploy (letsencrypt) +UC9 Certificate renewal +UC9.1 Renewing member certificate / lost password (other 2 members is enough, + no KC need to be involved) +UC9.2 Plain renewal - use plain cert authentication, to ask for renewal +UC9.2.1 Consider signing / encryption certs without auth extensions +UC10 Agent(?) to fetch CRL +UC11 List of all certificates +UC11.1 Certificate status from whole infrastructure on demand +UC12 Support for PKCS#11 interface + +SR1. CA Private key is never under control of single user or device (SPOF) +SR2. Low level verification if CA is issuing only end-user certificates +SR2.1 Policy constraints with certificate depth for CA +SR3. Auditing +SR3.1 Non repudative audit log (merkle trees with pbkdf2) +SR3.2 COINKS? +SR4 Adding new KC +SR4.1 Revoking KC +SR5 Mass revoke/renew certificates