RootCA Init; Interesting external resources
parent
f5c69eaf0b
commit
e44a25b643
|
@ -50,13 +50,27 @@ Components:
|
||||||
- Monitor ICC (javacard + NXP)
|
- Monitor ICC (javacard + NXP)
|
||||||
|
|
||||||
Roles:
|
Roles:
|
||||||
- Root CA: Issue CA ceritifcates and KC certificates (at least N>2)
|
- CA: Certificate Authority.
|
||||||
- CA: Issues end-user/device certificates (N>2)
|
Issues end-user/device certificates (N>2)
|
||||||
- Key Custodian: PKI peptide control interface (N>2)
|
CA is online, connected to infrastructure.
|
||||||
- Key Custodian: CA KC performing action in ceremony.
|
|
||||||
|
- Root CA: Issue CA ceritifcates and KC certificates (at least N>2).
|
||||||
|
Root CA is offline, airgapped device.
|
||||||
|
|
||||||
|
- AIA: Authority Information Access - CA certificates repo (ldap/https)
|
||||||
|
|
||||||
|
- CRL: Certificate Revocation List. List of certificates that CA issued
|
||||||
|
but must be revoked (i.e. compromised) before end of it's
|
||||||
|
lifetime.
|
||||||
|
- CDP: CRL distribution point.
|
||||||
|
|
||||||
|
- Key Custodian: PKI peptide control interface (N>2).
|
||||||
|
|
||||||
- Master of Ceremony: PKI meta-peptide control interface for CA ceremonies.
|
- Master of Ceremony: PKI meta-peptide control interface for CA ceremonies.
|
||||||
Should not be Key Custodian during ceremony. N=1
|
Should not be Key Custodian during ceremony. N=1
|
||||||
|
|
||||||
- Key Manager: Spin all this shit around.
|
- Key Manager: Spin all this shit around.
|
||||||
|
|
||||||
- Auditor: Looking at others hands.
|
- Auditor: Looking at others hands.
|
||||||
|
|
||||||
I Bootstrap
|
I Bootstrap
|
||||||
|
@ -65,7 +79,7 @@ A KC cards
|
||||||
?> First 2 KCs generate their keys and CSR's on KC ICC using KC tools.
|
?> First 2 KCs generate their keys and CSR's on KC ICC using KC tools.
|
||||||
This can be done on their workstation, but doing it on Root CA will be more convinient.
|
This can be done on their workstation, but doing it on Root CA will be more convinient.
|
||||||
|
|
||||||
># KC init
|
># kc init
|
||||||
<# Set PIN
|
<# Set PIN
|
||||||
># ****
|
># ****
|
||||||
<# PIN set
|
<# PIN set
|
||||||
|
@ -73,33 +87,82 @@ A KC cards
|
||||||
># cn=<username>,ou=pki,ou=Services,dc=hackerspace,dc=pl
|
># cn=<username>,ou=pki,ou=Services,dc=hackerspace,dc=pl
|
||||||
<# KC ICC done
|
<# KC ICC done
|
||||||
|
|
||||||
<- KC1_ICC:KC1PK
|
<- KC1_ICC:KC1_sigPK #Used for issuing commands to CA/RootCA
|
||||||
<- KC1.csr
|
<- KC1_ICC:KC1_CAzmkPK #Used to protect backups of CA private keys
|
||||||
<- KC2_ICC:KC2PK
|
<- KC1_sigPK.csr #Export to RootCA to get KC certificate
|
||||||
<- KC2.csr
|
<- KC1_zmkPK.csr #Export for CA to encrypt it's private keys
|
||||||
|
|
||||||
B Root_CA_1
|
<- KC2_ICC:KC2_sigPK #Same as above for KC2
|
||||||
|
<- KC2_ICC:KC2_CAzmkPK
|
||||||
|
<- KC2_sigPK.csr
|
||||||
|
<- KC2_zmkPK.csr
|
||||||
|
...
|
||||||
|
<- KCN_ICC:KCN_sigPK #Same as above for KCN
|
||||||
|
<- KCN_ICC:KCN_CAzmkPK
|
||||||
|
<- KCN_sigPK.csr
|
||||||
|
<- KCN_CAzmkPK.csr
|
||||||
|
|
||||||
|
B Root_CA_N1
|
||||||
|
|
||||||
CA_N1
|
|
||||||
-> Key manager initiates self-generation of asymmetric crypto keys on 1st CA ICC and
|
-> Key manager initiates self-generation of asymmetric crypto keys on 1st CA ICC and
|
||||||
sets two initial KC:
|
sets two (or more) initial KC's:
|
||||||
|
|
||||||
># ca init -a KC1.csr -a KC2.csr
|
># ca root init -kc KC1*.csr -kc KC2*.csr [-kc KCN*.csr]
|
||||||
<# CA
|
|
||||||
|
|
||||||
<- CA_N1_ICC:CA_sigPK
|
<- Root_CA_N1_ICC:RootCA_sigPK:pub #Will be used in CA cert but also for integrity
|
||||||
<- CA_N1_ICC:CA_srvPK
|
<- Root_CA_N1_ICC:RootCA_sigPK:priv #Used for issuing CA and KC certificates
|
||||||
<- CA_N1_ICC:CA_admPK
|
<- Root_CA_N1_ICC:RootCA_KC_zmkPK:pub #Will be used by KC to send recovery share to CA
|
||||||
<- CA_N1_InitCAsig.crt
|
<- Root_CA_N1_ICC:RootCA_KC_zmkPK:priv #Will be used by CA to decrypt share from KC
|
||||||
<- CA_N1_InitCAsrv.crt
|
|
||||||
<- CA_N1_InitCAadm.crt
|
|
||||||
<- CA1_KC1.crt
|
<- (Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key) #Option: generate AES key for protection
|
||||||
<- CA1_KC2.crt
|
# of CA signing key
|
||||||
|
<- (Root_CA_N1_ICC:RootCA_sigPK:priv.encr.aes) #Option: Encrypt signing key with AES
|
||||||
|
<- Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_1..N # Split signing key (or it's
|
||||||
|
# encryption key) into shares
|
||||||
|
# for each KC
|
||||||
|
|
||||||
|
<- Root_CA_N1_sigPriv_SSSS_1_KC1_zmk.enc #Encrypt CA private key share1 with KC1
|
||||||
|
#encryption key
|
||||||
|
|
||||||
|
<x Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_1 #Remove share1
|
||||||
|
<- Root_CA_N1_sigPriv_SSSS_2_KC2_zmk.enc #Share2 for KC2
|
||||||
|
<x Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_2 #Remove share2
|
||||||
|
...
|
||||||
|
<- Root_CA_N1_sigPriv_SSSS_N_KCN_zmk.enc #ShareN for KCN
|
||||||
|
<x Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_N #Remove shareN
|
||||||
|
|
||||||
|
<- Root_CA_N1_sigPriv_SSSS_1_KC1_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig
|
||||||
|
<- Root_CA_N1_sigPriv_SSSS_2_KC2_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig
|
||||||
|
...
|
||||||
|
<- Root_CA_N1_sigPriv_SSSS_N_KCN_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig
|
||||||
|
|
||||||
|
<- Root_CA_N1_sigPriv_SSSS_1_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc
|
||||||
|
<- Root_CA_N1_sigPriv_SSSS_2_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc
|
||||||
|
...
|
||||||
|
<- Root_CA_N1_sigPriv_SSSS_N_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc
|
||||||
|
|
||||||
|
<- Root_CA_N1_ICC:RootCA_KC1_encPK # CA encryption public key for KC to send
|
||||||
|
# their encrypted shares
|
||||||
|
<- Root_CA_N1_KC1.kc.crt # KC1 certificate issued with Root_CA
|
||||||
|
# This will be used to issue commands to RootCA
|
||||||
|
<- Root_CA_N1_KC2.kc.crt # Same as above for KC2 ...
|
||||||
|
...
|
||||||
|
<- Root_CA_N1_KCN.crt.kc # ... and KCN
|
||||||
|
<- Root_CA_N1.crt # Issue self-signed certificate
|
||||||
|
<- Root_CA_N1.csr # Issue CSR for root cross-signing
|
||||||
|
<x Root_CA_N1_ICC:RootCA_sigPK:priv # Destroy signing private key
|
||||||
|
|
||||||
|
===================================
|
||||||
|
Root_CA_N1_ICC:
|
||||||
|
RootCA_sigPK:pub # Retain it or not?
|
||||||
|
RootCA_KC_zmkPK:priv # Decrypt CA signing private key shares from KC
|
||||||
|
|
||||||
|
|
||||||
C CA_N2
|
C CA_N2
|
||||||
-> Key manager initiates key generation on 2nd CA ICC
|
-> Key manager initiates key generation on 2nd CA ICC
|
||||||
|
|
||||||
># ca
|
># ca root init -ca
|
||||||
|
|
||||||
.B same as 1.A but on 2nd CA ICC and any further CA ICC
|
.B same as 1.A but on 2nd CA ICC and any further CA ICC
|
||||||
|
|
||||||
|
|
|
@ -15,12 +15,6 @@ cn=CA1,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||||
cn=CA2,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
cn=CA2,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||||
...
|
...
|
||||||
|
|
||||||
# PKI KC certs store (rw for servers, ro for KC):
|
|
||||||
cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
|
||||||
uid=enleth,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
|
||||||
uid=cranix,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
|
||||||
uid=q3k,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
|
||||||
|
|
||||||
# CRL Distribution Points - each CA has its own
|
# CRL Distribution Points - each CA has its own
|
||||||
cn=CDP,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
cn=CDP,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||||
cn=CA1,cn=CA1,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
cn=CA1,cn=CA1,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
Serial numbers: sequence or *hash*?
|
||||||
|
|
||||||
Root CA cert valid for 6y
|
Root CA cert valid for 6y
|
||||||
Root CA CRL valid for 14m
|
Root CA CRL valid for 14m
|
||||||
* need ceremony at least once per y to renew CRL
|
* need ceremony at least once per y to renew CRL
|
||||||
|
|
|
@ -1,19 +1,34 @@
|
||||||
End user:
|
Category depending on how keys are protected
|
||||||
End user split in:
|
- soft stored certs
|
||||||
- soft stored certs
|
- obfuscated certs
|
||||||
- obfuscated certs
|
- hardware secured certs
|
||||||
- hardware secured certs
|
- fips secured certs
|
||||||
|
|
||||||
End user:
|
Usage:
|
||||||
- Client certs (auth)
|
- Signing
|
||||||
- E-mail certs (signing)
|
* Code
|
||||||
- Encryption
|
* E-Mails
|
||||||
|
* WS Requests / RPC / Messages
|
||||||
|
- Authentication
|
||||||
|
* TLS
|
||||||
|
* SSH(?)
|
||||||
|
|
||||||
Device:
|
* Server
|
||||||
- TLS certs (encr/auth)
|
* Client
|
||||||
* server
|
* Server + Client (?)
|
||||||
* client
|
|
||||||
* server+client(?)
|
- Encryption
|
||||||
|
* Recovery
|
||||||
|
|
||||||
|
Algos:
|
||||||
|
-Encrypt / auth: RSA, EC
|
||||||
|
-Integrity: SHA-1,SHA-2,SHA-3
|
||||||
|
|
||||||
|
Network Zone:
|
||||||
|
- External (public certificates)
|
||||||
|
- DMZ
|
||||||
|
- Internal
|
||||||
|
- Core
|
||||||
|
|
||||||
All above should be issued per application or generally applications should
|
All above should be issued per application or generally applications should
|
||||||
leverage main user certificate
|
leverage main user certificate
|
||||||
|
|
|
@ -1,33 +0,0 @@
|
||||||
UC1. Bootstraping itself
|
|
||||||
UC2. Issuing new certificates
|
|
||||||
UC2.1 Key Generation + Archival
|
|
||||||
UC2.2 Signing external CRL's
|
|
||||||
UC3. Revoking existing keys (CRL)
|
|
||||||
UC3.1 Renewing CRL (no need of KC interaction if there was no additional certs)
|
|
||||||
UC3.2? DeltaCRL
|
|
||||||
UC4. Monitoring
|
|
||||||
UC5. Backup
|
|
||||||
UC5.1 Backup verification
|
|
||||||
UC6 High availability (cluster)
|
|
||||||
UC6.1 Adding/decomissioning new Root CA node to PKI cluster
|
|
||||||
UC6.2 Adding/decomissioning new CA node to PKI cluster
|
|
||||||
UC6.3 Adding/decomissioning new Monitor
|
|
||||||
UC7 RA
|
|
||||||
UC7.1 RA notifies KC on new requests (ra@pki.hackerspace.pl?)
|
|
||||||
UC Agent(?) to request/renew certificates from end device
|
|
||||||
UC ICC deployment agent (for issuing member cards)
|
|
||||||
UC Renewing member certificate / lost password (other 2 members is enough,
|
|
||||||
no KC need to be involved)
|
|
||||||
UC ICC for servers (how to secure?)
|
|
||||||
UC Agent(?) to fetch CRL
|
|
||||||
UC Enrollment agent for stupid devices (ansible/salt)
|
|
||||||
|
|
||||||
|
|
||||||
SR1. CA Private key is never under control of single user or device (SPOF)
|
|
||||||
SR2. Low level verification if CA is issuing only end-user certificates
|
|
||||||
SR2.1 Policy constraints with certificate depth for CA
|
|
||||||
SR3. Auditing
|
|
||||||
SR3.1 Non repudative audit log (merkle trees)
|
|
||||||
SR4 Adding new KC
|
|
||||||
SR4.1 Revoking KC
|
|
||||||
SR5 Mass revoke/renew certificates
|
|
|
@ -0,0 +1,62 @@
|
||||||
|
UC1. Bootstraping itself
|
||||||
|
UC2. Issuing new certificates
|
||||||
|
UC2.1 Key Generation + Archival (encryption certs)
|
||||||
|
UC2.2 Signing external CRL's
|
||||||
|
UC2.3 End user certificates
|
||||||
|
UC2.4 Applications
|
||||||
|
UC2.4.1 Device certificates
|
||||||
|
UC2.4.1.1 Servers
|
||||||
|
UC2.4.1.1.1 Linux
|
||||||
|
UC2.4.1.1.2 Hypervisors
|
||||||
|
UC2.4.1.1.2.1 Kubernetes
|
||||||
|
UC2.4.1.1.2.1.1 POD
|
||||||
|
UC2.4.1.2 Network devices
|
||||||
|
UC2.4.1.3 HS Access
|
||||||
|
UC2.4.2 Dedicated user certificates (if main user certificate is not suitable)
|
||||||
|
UC2.4.3 Other certificates (?)
|
||||||
|
UC2.5 Certificate templates
|
||||||
|
UC2.5.1 Device certificate templates
|
||||||
|
UC2.5.2 End user certificate templates (US CAC format preferred)
|
||||||
|
UC2.5.3 Other certificates (?)
|
||||||
|
UC3. Revoking existing keys (CRL)
|
||||||
|
UC3.1 Renewing CRL (no need of KC interaction if there was no additional certs)
|
||||||
|
UC3.2? DeltaCRL
|
||||||
|
UC4. Monitoring
|
||||||
|
UC5. Backup
|
||||||
|
UC5.1 Backup verification
|
||||||
|
UC5.2 Backup of encryption certificates
|
||||||
|
UC6 High availability (cluster)
|
||||||
|
UC6.1 Adding/decomissioning new Root CA node to PKI cluster
|
||||||
|
UC6.2 Adding/decomissioning new CA node to PKI cluster
|
||||||
|
UC6.3 Adding/decomissioning new Monitor
|
||||||
|
UC7 RA
|
||||||
|
UC7.1 RA notifies KC on new requests (ra@pki.hackerspace.pl?)
|
||||||
|
UC8 Enrollment
|
||||||
|
UC8.1 Agent(?) to request/renew certificates from end device (a'la certbot)
|
||||||
|
UC8.2 ICC deployment agent
|
||||||
|
UC8.2.1 for member cards
|
||||||
|
UC8.2.2 for devices
|
||||||
|
UC8.2.2.1 support device migration between hosts
|
||||||
|
UC8.2.3 Enrollment agent for stupid devices (ansible/salt)
|
||||||
|
UC8.3 Manage certificates issued by external CA
|
||||||
|
UC8.3.1 Notify about expiry
|
||||||
|
UC8.3.2 Manage renewal (if possible) & redeploy (letsencrypt)
|
||||||
|
UC9 Certificate renewal
|
||||||
|
UC9.1 Renewing member certificate / lost password (other 2 members is enough,
|
||||||
|
no KC need to be involved)
|
||||||
|
UC9.2 Plain renewal - use plain cert authentication, to ask for renewal
|
||||||
|
UC9.2.1 Consider signing / encryption certs without auth extensions
|
||||||
|
UC10 Agent(?) to fetch CRL
|
||||||
|
UC11 List of all certificates
|
||||||
|
UC11.1 Certificate status from whole infrastructure on demand
|
||||||
|
UC12 Support for PKCS#11 interface
|
||||||
|
|
||||||
|
SR1. CA Private key is never under control of single user or device (SPOF)
|
||||||
|
SR2. Low level verification if CA is issuing only end-user certificates
|
||||||
|
SR2.1 Policy constraints with certificate depth for CA
|
||||||
|
SR3. Auditing
|
||||||
|
SR3.1 Non repudative audit log (merkle trees with pbkdf2)
|
||||||
|
SR3.2 COINKS?
|
||||||
|
SR4 Adding new KC
|
||||||
|
SR4.1 Revoking KC
|
||||||
|
SR5 Mass revoke/renew certificates
|
Loading…
Reference in New Issue