forked from hellasgrid/hellasgrid-ca-cp-cps
chapter6_technical_security_controls.tex
\chapter{TECHNICAL SECURITY CONTROLS}
\section{Key pair generation and installation}
\subsection{Key pair generation}
Key pairs for RAs and subscribers must be generated in such a way that the private key is known to no one other than the owner of the key pair. Each subscriber must generate his/her own key pair.
\subsection{Private key delivery to subscriber}
The HellasGrid CA does not generate private keys on behalf of subscribers and hence does not deliver private keys.
\subsection{Public key delivery to certificate issuer}
The subscriber's public key must be transferred to the HellasGrid CA in a way that ensures that it has not been altered.
\subsection{CA public key delivery to relying parties}
The HellasGrid CA certificate can be downloaded from the \href{http://www.grid.auth.gr/pki/hellasgrid-ca}{HellasGrid CA} or the \href{http://www.tacar.org}{TACAR} web sites.
\subsection{Key sizes}
%TODO: [Key sizes] look: 1. http://technet.microsoft.com/en-ca/library/cc751157.aspx 2. https://wiki.mozilla.org/CA:MD5and1024 3. http://www.cabforum.org/documents.html In general after 31-12-2010 all EE certificates must be at least 2048 bits long
\begin{enumerate}
\item{The minimum key length for an End Entity certificate is 1024 bits. HellasGrid CA recommends the use of 2048-bit private keys.}
\item{The minimum length for the HellasGrid CA private key is 2048 bits.}
\end{enumerate}
\subsection{Public key parameters generation and quality checking}
HellasGrid CA enforces checks to ensure the quality of submitted public keys. These checks are done either automatically when a certificate request is received or manually by the CA/RA personnel during request approval and signing. These checks include (but are not limited to) the following:
\begin{enumerate}
\item{Usage of a small public exponent ($<65537$)}
\item{Usage of a signature algorithm vulnerable to CVE-2008-5077}
\item{Usage of known weak Debian OpenSSL keys}
\end{enumerate}
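The first and third checks above can be automated at request-intake time. The following is an added example (not HellasGrid CA code) that applies the CPS thresholds to raw RSA parameters $(n, e)$: it rejects a modulus below the 1024-bit minimum, warns below the recommended 2048 bits, rejects a public exponent below 65537, and looks the modulus up in a weak-key blacklist. The function names, the sample moduli and the blacklist are all constructed for the example, and the fingerprint convention used for the blacklist lookup is an assumption; a real deployment would load the distribution's openssl-blacklist files and match their derivation. The CVE-2008-5077 check concerns the signature on the request rather than the key itself and is not modelled here.

```python
import hashlib

# Thresholds stated in the CPS ("Key sizes" and "quality checking").
MIN_EE_BITS = 1024           # minimum End Entity RSA key length
RECOMMENDED_EE_BITS = 2048   # recommended End Entity key length
MIN_PUBLIC_EXPONENT = 65537  # smaller public exponents are rejected


def modulus_fingerprint(n):
    """Fingerprint of an RSA modulus for blacklist lookup.

    ASSUMPTION: SHA-1 over the text 'Modulus=<UPPERCASE HEX>\\n', i.e. the
    line `openssl rsa -noout -modulus` prints. The Debian openssl-blacklist
    package derives and truncates its entries in its own way; match that
    format before using this against real blacklist files.
    """
    return hashlib.sha1(f"Modulus={n:X}\n".encode("ascii")).hexdigest()


def check_rsa_public_key(n, e, weak_fingerprints):
    """Apply the CPS quality checks to raw RSA parameters (n, e).

    Returns a list of (severity, message). An empty list means the key
    passed cleanly; 'reject' blocks issuance, 'warn' is advisory only.
    """
    findings = []
    bits = n.bit_length()
    if bits < MIN_EE_BITS:
        findings.append(("reject", f"modulus is {bits} bits, minimum is {MIN_EE_BITS}"))
    elif bits < RECOMMENDED_EE_BITS:
        findings.append(("warn", f"modulus is {bits} bits, {RECOMMENDED_EE_BITS} recommended"))
    if e < MIN_PUBLIC_EXPONENT:
        findings.append(("reject", f"public exponent {e} is below {MIN_PUBLIC_EXPONENT}"))
    if modulus_fingerprint(n) in weak_fingerprints:
        findings.append(("reject", "modulus matches a known weak (Debian) key fingerprint"))
    return findings


def is_acceptable(findings):
    """True when no finding has severity 'reject'."""
    return not any(severity == "reject" for severity, _ in findings)


# Constructed sample inputs: these are NOT real RSA moduli (no primality),
# they merely have the bit length needed to exercise each check.
GOOD_N = (1 << 2047) | 0x12345679    # 2048-bit, passes
LEGACY_N = (1 << 1023) | 0x1         # 1024-bit, allowed but warned
SHORT_N = (1 << 511) | 0x1           # 512-bit, rejected
WEAK_N = (1 << 2047) | 0xDEB1AA01    # stands in for a Debian weak key

# Constructed blacklist; a real one is loaded from the distribution's files.
CONSTRUCTED_BLACKLIST = {modulus_fingerprint(WEAK_N)}

if __name__ == "__main__":
    samples = [("good", GOOD_N, 65537), ("legacy", LEGACY_N, 65537),
               ("short", SHORT_N, 65537), ("small-e", GOOD_N, 3),
               ("weak", WEAK_N, 65537)]
    for label, n, e in samples:
        findings = check_rsa_public_key(n, e, CONSTRUCTED_BLACKLIST)
        verdict = "ACCEPT" if is_acceptable(findings) else "REJECT"
        print(f"{label:8s} {verdict} {findings}")
```

Keeping the thresholds as named constants makes a later policy change (for instance raising the minimum to 2048 bits, as the TODO comment in the source anticipates) a one-line edit rather than a hunt through the intake code.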
\subsection{Key usage purposes (as per X.509 v3 key usage field)}
\paragraph{CA Certificate:} The CA key can be used for CRL signing (cRLSign) and for certificate signing (keyCertSign).
\paragraph{User and Robot Certificate:} This type of certificate key can be used for data encipherment (dataEncipherment), session establishment (keyEncipherment) and message integrity (digitalSignature).
\paragraph{Service and Server Certificate:} This type of certificate key can be used for data encipherment (dataEncipherment), session establishment (keyEncipherment) and message integrity (digitalSignature).
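The three profiles above map directly onto bits of the X.509 v3 KeyUsage extension (RFC 5280, section 4.2.1.3). As an added example, not HellasGrid CA code, the block below encodes a profile as the DER BIT STRING a certificate carries, decodes one back, and checks a requested usage set against the profile allowed for a certificate type. The profile table and function names are constructed for the example; the bit numbering and the DER rule that trailing zero bits are dropped come from the standards.

```python
# KeyUsage bit positions from RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

# Allowed usages per certificate type, as stated in the CPS.
_END_ENTITY = {"digitalSignature", "keyEncipherment", "dataEncipherment"}
PROFILES = {
    "ca": {"keyCertSign", "cRLSign"},
    "user": set(_END_ENTITY), "robot": set(_END_ENTITY),
    "service": set(_END_ENTITY), "server": set(_END_ENTITY),
}


def encode_key_usage(names):
    """DER-encode a KeyUsage value as a BIT STRING (tag 0x03).

    Bit 0 is the most significant bit of the first content byte. DER for a
    named bit list requires trailing zero bits to be removed, so the number
    of unused bits in the last byte is computed from the highest set bit.
    """
    bits = sorted(KEY_USAGE_BITS[name] for name in names)
    if not bits:
        return bytes([0x03, 0x01, 0x00])  # empty bit string
    highest = bits[-1]
    nbytes = highest // 8 + 1
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - (highest + 1)
    content = bytes([unused]) + bytes(value)
    return bytes([0x03, len(content)]) + content


def decode_key_usage(der):
    """Decode a short-form DER KeyUsage BIT STRING into a set of names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    content = der[2:2 + length]
    if len(content) != length or length == 0:
        raise ValueError("truncated or empty BIT STRING")
    unused, value = content[0], content[1:]
    total_bits = len(value) * 8 - unused
    return {
        name for name, b in KEY_USAGE_BITS.items()
        if b < total_bits and value[b // 8] & (0x80 >> (b % 8))
    }


def disallowed_usages(cert_type, requested):
    """Return the requested usages the CPS does not permit for cert_type."""
    return set(requested) - PROFILES[cert_type]


if __name__ == "__main__":
    for cert_type, allowed in PROFILES.items():
        print(f"{cert_type:8s} {encode_key_usage(allowed).hex()}  {sorted(allowed)}")
    print("ca + digitalSignature ->",
          disallowed_usages("ca", {"keyCertSign", "cRLSign", "digitalSignature"}))
```

Checking the decoded extension of a submitted request against `disallowed_usages` is the natural place to catch, for example, an End Entity request that asks for keyCertSign.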
\section{Private Key Protection and Cryptographic Module Engineering Controls}
\subsection{Cryptographic module standards and controls}
No stipulation.
\subsection{Private key (n out of m) multi-person control}
No stipulation.
\subsection{Private key escrow}
No stipulation.
\subsection{Private key backup}
The HellasGrid CA private key is kept in encrypted form on storage media as described in section \ref{sub:MediaStorage}. All media are kept in secure locations where access is restricted to authorized personnel only.
\subsection{Private key archival}
HellasGrid CA does not have access to the End Entity private keys and thus does not archive them.
\subsection{Private key transfer into or from a cryptographic module}
No stipulation.
\subsection{Private key storage on cryptographic module}
No stipulation.
\subsection{Method of activating private key}
See subsection \ref{sub:ActivationDataGenerationAndInstallation}.
\subsection{Method of deactivating private key}
No stipulation.
\subsection{Method of destroying private key}
No stipulation.
\subsection{Cryptographic Module Rating}
No stipulation.
\section{Other aspects of key pair management}
\subsection{Public key archival}
No stipulation.
\subsection{Certificate operational periods and key pair usage periods}
All End Entity certificates signed by the HellasGrid CA have a maximum lifetime of 1 year.
The lifetime of the HellasGrid CA root certificate must be no more than 20 years and no less than 5 years.
\section{Activation data}
\subsection{Activation data generation and installation}
\label{sub:ActivationDataGenerationAndInstallation}
HellasGrid CA does not generate activation data on behalf of subscribers. It is up to the subscriber to generate a secure pass phrase, at least 12 characters long, to be used as activation data for his/her private key.
The pass phrase used to activate the HellasGrid CA private key is generated on the computer used for the CA signing operations and must be at least 15 characters long. Every 180 days the pass phrase is regenerated by one of the HellasGrid CA Operators.
\subsection{Activation data protection}
\begin{itemize}
\item{The subscriber is responsible for protecting the activation data for his/her private key.}
\item{The HellasGrid CA uses a pass phrase to activate its private key, which is known only to the HellasGrid CA Manager and the HellasGrid CA Operators. A copy of the pass phrase in written form is sealed in an envelope and kept in a safe. Access to the safe is restricted to the HellasGrid CA Manager and Operators. Old activation data is destroyed according to current best practices.}
\end{itemize}
\subsection{Other aspects of activation data}
No stipulation.
\section{Computer security controls}
\subsection{Specific computer security technical requirements}
\begin{enumerate}
\item{The operating systems of CA/RA computers are maintained at a high level of security by applying all the relevant patches;}
\item{active monitoring is performed to detect unauthorized software changes;}
\item{CA systems configuration is reduced to the bare minimum;}
\item{the signing machine is a dedicated machine.}
\end{enumerate}
\subsection{Computer security rating}
No stipulation.
\section{Life cycle technical controls}
\subsection{System development controls}
No stipulation.
\subsection{Security management controls}
No stipulation.
\subsection{Life cycle security controls}
No stipulation.
\section{Network security controls}
\begin{enumerate}
\item{The CA signing machine is kept off-line;}
\item{CA/RA central machines other than the signing machine are protected by a firewall.}
\end{enumerate}
\section{Time-stamping}
No stipulation.