RootCA Init; Interesting external resources
parent
f5c69eaf0b
commit
e44a25b643
|
@ -50,13 +50,27 @@ Components:
|
|||
- Monitor ICC (javacard + NXP)
|
||||
|
||||
Roles:
|
||||
- Root CA: Issue CA ceritifcates and KC certificates (at least N>2)
|
||||
- CA: Issues end-user/device certificates (N>2)
|
||||
- Key Custodian: PKI peptide control interface (N>2)
|
||||
- Key Custodian: CA KC performing action in ceremony.
|
||||
- CA: Certificate Authority.
|
||||
Issues end-user/device certificates (N>2)
|
||||
CA is online, connected to infrastructure.
|
||||
|
||||
- Root CA: Issue CA ceritifcates and KC certificates (at least N>2).
|
||||
Root CA is offline, airgapped device.
|
||||
|
||||
- AIA: Authority Information Access - CA certificates repo (ldap/https)
|
||||
|
||||
- CRL: Certificate Revocation List. List of certificates that CA issued
|
||||
but must be revoked (i.e. compromised) before end of it's
|
||||
lifetime.
|
||||
- CDP: CRL distribution point.
|
||||
|
||||
- Key Custodian: PKI peptide control interface (N>2).
|
||||
|
||||
- Master of Ceremony: PKI meta-peptide control interface for CA ceremonies.
|
||||
Should not be Key Custodian during ceremony. N=1
|
||||
|
||||
- Key Manager: Spin all this shit around.
|
||||
|
||||
- Auditor: Looking at others hands.
|
||||
|
||||
I Bootstrap
|
||||
|
@ -65,7 +79,7 @@ A KC cards
|
|||
?> First 2 KCs generate their keys and CSR's on KC ICC using KC tools.
|
||||
This can be done on their workstation, but doing it on Root CA will be more convinient.
|
||||
|
||||
># KC init
|
||||
># kc init
|
||||
<# Set PIN
|
||||
># ****
|
||||
<# PIN set
|
||||
|
@ -73,33 +87,82 @@ A KC cards
|
|||
># cn=<username>,ou=pki,ou=Services,dc=hackerspace,dc=pl
|
||||
<# KC ICC done
|
||||
|
||||
<- KC1_ICC:KC1PK
|
||||
<- KC1.csr
|
||||
<- KC2_ICC:KC2PK
|
||||
<- KC2.csr
|
||||
<- KC1_ICC:KC1_sigPK #Used for issuing commands to CA/RootCA
|
||||
<- KC1_ICC:KC1_CAzmkPK #Used to protect backups of CA private keys
|
||||
<- KC1_sigPK.csr #Export to RootCA to get KC certificate
|
||||
<- KC1_zmkPK.csr #Export for CA to encrypt it's private keys
|
||||
|
||||
B Root_CA_1
|
||||
<- KC2_ICC:KC2_sigPK #Same as above for KC2
|
||||
<- KC2_ICC:KC2_CAzmkPK
|
||||
<- KC2_sigPK.csr
|
||||
<- KC2_zmkPK.csr
|
||||
...
|
||||
<- KCN_ICC:KCN_sigPK #Same as above for KCN
|
||||
<- KCN_ICC:KCN_CAzmkPK
|
||||
<- KCN_sigPK.csr
|
||||
<- KCN_CAzmkPK.csr
|
||||
|
||||
B Root_CA_N1
|
||||
|
||||
CA_N1
|
||||
-> Key manager initiates self-generation of asymmetric crypto keys on 1st CA ICC and
|
||||
sets two initial KC:
|
||||
sets two (or more) initial KC's:
|
||||
|
||||
># ca init -a KC1.csr -a KC2.csr
|
||||
<# CA
|
||||
># ca root init -kc KC1*.csr -kc KC2*.csr [-kc KCN*.csr]
|
||||
|
||||
<- CA_N1_ICC:CA_sigPK
|
||||
<- CA_N1_ICC:CA_srvPK
|
||||
<- CA_N1_ICC:CA_admPK
|
||||
<- CA_N1_InitCAsig.crt
|
||||
<- CA_N1_InitCAsrv.crt
|
||||
<- CA_N1_InitCAadm.crt
|
||||
<- CA1_KC1.crt
|
||||
<- CA1_KC2.crt
|
||||
<- Root_CA_N1_ICC:RootCA_sigPK:pub #Will be used in CA cert but also for integrity
|
||||
<- Root_CA_N1_ICC:RootCA_sigPK:priv #Used for issuing CA and KC certificates
|
||||
<- Root_CA_N1_ICC:RootCA_KC_zmkPK:pub #Will be used by KC to send recovery share to CA
|
||||
<- Root_CA_N1_ICC:RootCA_KC_zmkPK:priv #Will be used by CA to decrypt share from KC
|
||||
|
||||
|
||||
<- (Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key) #Option: generate AES key for protection
|
||||
# of CA signing key
|
||||
<- (Root_CA_N1_ICC:RootCA_sigPK:priv.encr.aes) #Option: Encrypt signing key with AES
|
||||
<- Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_1..N # Split signing key (or it's
|
||||
# encryption key) into shares
|
||||
# for each KC
|
||||
|
||||
<- Root_CA_N1_sigPriv_SSSS_1_KC1_zmk.enc #Encrypt CA private key share1 with KC1
|
||||
#encryption key
|
||||
|
||||
<x Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_1 #Remove share1
|
||||
<- Root_CA_N1_sigPriv_SSSS_2_KC2_zmk.enc #Share2 for KC2
|
||||
<x Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_2 #Remove share2
|
||||
...
|
||||
<- Root_CA_N1_sigPriv_SSSS_N_KCN_zmk.enc #ShareN for KCN
|
||||
<x Root_CA_N1_ICC:RootCA_sigPK:priv(.aes_key)_SSSS_N #Remove shareN
|
||||
|
||||
<- Root_CA_N1_sigPriv_SSSS_1_KC1_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig
|
||||
<- Root_CA_N1_sigPriv_SSSS_2_KC2_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig
|
||||
...
|
||||
<- Root_CA_N1_sigPriv_SSSS_N_KCN_zmk.enc.RootCA_sigPK.sig #Integrity check enc -> sig
|
||||
|
||||
<- Root_CA_N1_sigPriv_SSSS_1_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc
|
||||
<- Root_CA_N1_sigPriv_SSSS_2_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc
|
||||
...
|
||||
<- Root_CA_N1_sigPriv_SSSS_N_RootCA_sigPK.sig_KC1_zmk.enc #Integrity check sig -> enc
|
||||
|
||||
<- Root_CA_N1_ICC:RootCA_KC1_encPK # CA encryption public key for KC to send
|
||||
# their encrypted shares
|
||||
<- Root_CA_N1_KC1.kc.crt # KC1 certificate issued with Root_CA
|
||||
# This will be used to issue commands to RootCA
|
||||
<- Root_CA_N1_KC2.kc.crt # Same as above for KC2 ...
|
||||
...
|
||||
<- Root_CA_N1_KCN.crt.kc # ... and KCN
|
||||
<- Root_CA_N1.crt # Issue self-signed certificate
|
||||
<- Root_CA_N1.csr # Issue CSR for root cross-signing
|
||||
<x Root_CA_N1_ICC:RootCA_sigPK:priv # Destroy signing private key
|
||||
|
||||
===================================
|
||||
Root_CA_N1_ICC:
|
||||
RootCA_sigPK:pub # Retain it or not?
|
||||
RootCA_KC_zmkPK:priv # Decrypt CA signing private key shares from KC
|
||||
|
||||
|
||||
C CA_N2
|
||||
-> Key manager initiates key generation on 2nd CA ICC
|
||||
|
||||
># ca
|
||||
># ca root init -ca
|
||||
|
||||
.B same as 1.A but on 2nd CA ICC and any further CA ICC
|
||||
|
||||
|
|
|
@ -15,12 +15,6 @@ cn=CA1,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
|||
cn=CA2,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||
...
|
||||
|
||||
# PKI KC certs store (rw for servers, ro for KC):
|
||||
cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||
uid=enleth,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||
uid=cranix,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||
uid=q3k,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||
|
||||
# CRL Distribution Points - each CA has its own
|
||||
cn=CDP,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||
cn=CA1,cn=CA1,cn=PKI,ou=Services,dc=hackerspace,dc=pl
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
Serial numbers: sequence or *hash*?
|
||||
|
||||
Root CA cert valid for 6y
|
||||
Root CA CRL valid for 14m
|
||||
* need ceremony at least once per y to renew CRL
|
||||
|
|
|
@ -1,19 +1,34 @@
|
|||
End user:
|
||||
End user split in:
|
||||
- soft stored certs
|
||||
- obfuscated certs
|
||||
- hardware secured certs
|
||||
Category depending on how keys are protected
|
||||
- soft stored certs
|
||||
- obfuscated certs
|
||||
- hardware secured certs
|
||||
- fips secured certs
|
||||
|
||||
End user:
|
||||
- Client certs (auth)
|
||||
- E-mail certs (signing)
|
||||
- Encryption
|
||||
Usage:
|
||||
- Signing
|
||||
* Code
|
||||
* E-Mails
|
||||
* WS Requests / RPC / Messages
|
||||
- Authentication
|
||||
* TLS
|
||||
* SSH(?)
|
||||
|
||||
Device:
|
||||
- TLS certs (encr/auth)
|
||||
* server
|
||||
* client
|
||||
* server+client(?)
|
||||
* Server
|
||||
* Client
|
||||
* Server + Client (?)
|
||||
|
||||
- Encryption
|
||||
* Recovery
|
||||
|
||||
Algos:
|
||||
-Encrypt / auth: RSA, EC
|
||||
-Integrity: SHA-1,SHA-2,SHA-3
|
||||
|
||||
Network Zone:
|
||||
- External (public certificates)
|
||||
- DMZ
|
||||
- Internal
|
||||
- Core
|
||||
|
||||
All above should be issued per application or generally applications should
|
||||
leverage main user certificate
|
||||
|
|
|
@ -1,33 +0,0 @@
|
|||
UC1. Bootstraping itself
|
||||
UC2. Issuing new certificates
|
||||
UC2.1 Key Generation + Archival
|
||||
UC2.2 Signing external CRL's
|
||||
UC3. Revoking existing keys (CRL)
|
||||
UC3.1 Renewing CRL (no need of KC interaction if there was no additional certs)
|
||||
UC3.2? DeltaCRL
|
||||
UC4. Monitoring
|
||||
UC5. Backup
|
||||
UC5.1 Backup verification
|
||||
UC6 High availability (cluster)
|
||||
UC6.1 Adding/decomissioning new Root CA node to PKI cluster
|
||||
UC6.2 Adding/decomissioning new CA node to PKI cluster
|
||||
UC6.3 Adding/decomissioning new Monitor
|
||||
UC7 RA
|
||||
UC7.1 RA notifies KC on new requests (ra@pki.hackerspace.pl?)
|
||||
UC Agent(?) to request/renew certificates from end device
|
||||
UC ICC deployment agent (for issuing member cards)
|
||||
UC Renewing member certificate / lost password (other 2 members is enough,
|
||||
no KC need to be involved)
|
||||
UC ICC for servers (how to secure?)
|
||||
UC Agent(?) to fetch CRL
|
||||
UC Enrollment agent for stupid devices (ansible/salt)
|
||||
|
||||
|
||||
SR1. CA Private key is never under control of single user or device (SPOF)
|
||||
SR2. Low level verification if CA is issuing only end-user certificates
|
||||
SR2.1 Policy constraints with certificate depth for CA
|
||||
SR3. Auditing
|
||||
SR3.1 Non repudative audit log (merkle trees)
|
||||
SR4 Adding new KC
|
||||
SR4.1 Revoking KC
|
||||
SR5 Mass revoke/renew certificates
|
|
@ -0,0 +1,62 @@
|
|||
UC1. Bootstraping itself
|
||||
UC2. Issuing new certificates
|
||||
UC2.1 Key Generation + Archival (encryption certs)
|
||||
UC2.2 Signing external CRL's
|
||||
UC2.3 End user certificates
|
||||
UC2.4 Applications
|
||||
UC2.4.1 Device certificates
|
||||
UC2.4.1.1 Servers
|
||||
UC2.4.1.1.1 Linux
|
||||
UC2.4.1.1.2 Hypervisors
|
||||
UC2.4.1.1.2.1 Kubernetes
|
||||
UC2.4.1.1.2.1.1 POD
|
||||
UC2.4.1.2 Network devices
|
||||
UC2.4.1.3 HS Access
|
||||
UC2.4.2 Dedicated user certificates (if main user certificate is not suitable)
|
||||
UC2.4.3 Other certificates (?)
|
||||
UC2.5 Certificate templates
|
||||
UC2.5.1 Device certificate templates
|
||||
UC2.5.2 End user certificate templates (US CAC format preferred)
|
||||
UC2.5.3 Other certificates (?)
|
||||
UC3. Revoking existing keys (CRL)
|
||||
UC3.1 Renewing CRL (no need of KC interaction if there was no additional certs)
|
||||
UC3.2? DeltaCRL
|
||||
UC4. Monitoring
|
||||
UC5. Backup
|
||||
UC5.1 Backup verification
|
||||
UC5.2 Backup of encryption certificates
|
||||
UC6 High availability (cluster)
|
||||
UC6.1 Adding/decomissioning new Root CA node to PKI cluster
|
||||
UC6.2 Adding/decomissioning new CA node to PKI cluster
|
||||
UC6.3 Adding/decomissioning new Monitor
|
||||
UC7 RA
|
||||
UC7.1 RA notifies KC on new requests (ra@pki.hackerspace.pl?)
|
||||
UC8 Enrollment
|
||||
UC8.1 Agent(?) to request/renew certificates from end device (a'la certbot)
|
||||
UC8.2 ICC deployment agent
|
||||
UC8.2.1 for member cards
|
||||
UC8.2.2 for devices
|
||||
UC8.2.2.1 support device migration between hosts
|
||||
UC8.2.3 Enrollment agent for stupid devices (ansible/salt)
|
||||
UC8.3 Manage certificates issued by external CA
|
||||
UC8.3.1 Notify about expiry
|
||||
UC8.3.2 Manage renewal (if possible) & redeploy (letsencrypt)
|
||||
UC9 Certificate renewal
|
||||
UC9.1 Renewing member certificate / lost password (other 2 members is enough,
|
||||
no KC need to be involved)
|
||||
UC9.2 Plain renewal - use plain cert authentication, to ask for renewal
|
||||
UC9.2.1 Consider signing / encryption certs without auth extensions
|
||||
UC10 Agent(?) to fetch CRL
|
||||
UC11 List of all certificates
|
||||
UC11.1 Certificate status from whole infrastructure on demand
|
||||
UC12 Support for PKCS#11 interface
|
||||
|
||||
SR1. CA Private key is never under control of single user or device (SPOF)
|
||||
SR2. Low level verification if CA is issuing only end-user certificates
|
||||
SR2.1 Policy constraints with certificate depth for CA
|
||||
SR3. Auditing
|
||||
SR3.1 Non repudative audit log (merkle trees with pbkdf2)
|
||||
SR3.2 COINKS?
|
||||
SR4 Adding new KC
|
||||
SR4.1 Revoking KC
|
||||
SR5 Mass revoke/renew certificates
|
Loading…
Reference in New Issue