New Root
Authors: | Benedikt Heintel
Marcus Mängel Martin Gummi |
---|---|
Version: | 1.5.1 of 2014-09-11 |
Contents
Introduction
Prerequisites
No | Task | Responsibility |
---|---|---|
1 | Decide on Escrow and Recovery (see Section [cap:escrow]) | CAcert Committee |
2 | Decide on Roots Structure (see Section [cap:subroots]) | Policy Group |
3 | Decide on Roots Content (see Section [cap:content]) | Policy Group |
4 | Check, Correct, and Vote Security Policy (SP) to Policy | Policy Group |
5 | Check and Correct Security Manual | Critical Systems Administration Team Leader |
6 | Create Certificate Policy (CP) | Policy Group |
7 | Create Certificate Practice Statement (CPS) for each Sub Root | Policy Group |
8 | Assess Software Changes needed | Software Assessment Team Leader |
9 | Define Processes (see Section [cap:processes]) | Policy Group |
10 | Test Root Creation and Storage Process | Critical Team Leader |
11 | Create New Roots | Critical Team Leader |
12 | Test New Roots | Critical Team Leader |
13 | Early Root Distribution | Critical Team Leader |
14 | New Root Deployment | Critical Team Leader |
15 | Communications (Press Release, Blog Posts) | PR Officer |
16 | Decommission Old Roots | Critical Team Leader |
Table: New Roots Task List
[tab:tasklist]
Root & Sub Roots creation
Hardware & Software requirements
Stand-alone fresh installed Linux OS
Tripwire (logging tool for audit)
entropy generator (e.g. Perl script)
perl -e '$|++;(1 x$_)!~/^1?$|^(11+?)\1+$/&&print"$_ "while ++$_'
CD writer / smart card writer
Optional: Hardware crypto device (approx EUR 1000 each)
The OS Setup needs to be done with 4 eye principle or run from a Linux live disk. After use, the configuration files need to be saved and - if installed - the laptop wiped.
Root Key
Only a single Root certificate exists (z.2) which is kept offline (z.3). For the Root certificate (r) following applies: r : = r − 1.
Tool for root creation:
openssl (parameter definition)
- parameter:
- flags
- key-strength
- organisation info
- validation
- signature algorithm
- hash algorithm
Script
- script should be used for creation; script need to test
- Root ID = ID + 1
Sub Roots
r recursively identically generated as r − 1, signed with r − 1.
Root Structure
- root [offline] [root certificate]
- unassured [intermediate certificate]
- Client (SSO)
- SSL
- personal [offline] [intermediate certificate]
- Client (SSO)
- Encrypt
- Sign (+ Code Signing)
- SSL
- entity [offline] (e.g. organisation) [intermediate
certificate]
- Client (SSO)
- Encrypt
- Sign (+ Code Signing)
- SSL
- new features [offline] [intermediate certificate]
- unassured [intermediate certificate]
each certificate needs a CPS, containing specifications to CP.
Tools sub roots
See section [cap:hwsw].
Content of Roots
Regarding the content of Root Certs we follow the New Roots Task Force’s recommendations [8] with following deviations:
- PK Type: SHA-256
- Certificate Policies: Link to CP
Party members
- Critical System Administrators
- System Administrators
- Observer nominated by board shortly in advance to ceremony
- Open to public
The duty of the observer is to watch and document the process. There can be different observer at different sites. In any case, each action need to be performed by at least two people (SP9.2.2-d).
Escrow
To secure: Private Key, Secret (Password)
Private Key
Secret
Storage
We identified two possible ways for storage of keys and secret: I) with bank vault only or II) with members and bank vault.
- Two bank vaults (z.6, z.7) with each a set of key and secret, where each CD is stored in a separate sealed envelop. For each bank vaults nominate at least four people with access rights (z.4, z.5). Two persons are needed to get access to the vault (C.3.d). The vault needs to be physical located with a minimum distance of 100 km and at two different banks and in two different countries.
- Two bank vaults (z.6, z.7) with each a key and a group of members holding each the Secret (z.6, z.7). Access and location as in I).
Save storage needs to be verified at least every two years (z.8). Check needs to be done by two access persons and one observer.
Transport
Define Processes
Create Processes and Check Lists for
- (Sub) Root creation
- Bank vaults access (in/out/check)
- (Sub) Root revocation
- Disaster Recovery if vault/media gets destroyed
Initial Risk Analysis
Pros for bank vaults
- Fire security
- cheap (approx 35 EUR p.a. for 25 x 250 x 350 mm) - minimum rental 12 month
- tamper proof and around the clock monitored safes
- logged access
- access models (dual control) possible
Why only two - instead of four - bank vaults?
- Short Time to Recover (one pickup location for both key and secret)
- Cost (two are cheaper than four)
Why not two vaults in each bank?
- Additional Cost
- No enhanced security against theft or disasters
General Risks of Escrow
- Bank opening hours: On Weekends not possible to recover keysLikelihood: highSeverity: mediumAction: Avoid
- Find vaults with 24/7 access with dual control and upfront registration
- press release
- offer a root deactivation tool for Roots and Sub roots
- Fire or natural disaster outbreakLikelihood: lowSeverity: lowAction: Accept
- Unauthorised access to information where the vaults are locatedLikelihood: mediumSeverity: lowAction: AvoidClassify information and restrict access to vault No., access list, and exact location
- Poorly maintained access listsLikelihood: mediumSeverity: mediumAction: AvoidDuring office hand-over, the old Committee commits a list of new board members and access personal to the strongroom
- Maintenance work in both strongroomsLikelihood: lowSeverity: highAction: Accept
Risks of Escrow with vaults only
- Burglary into one bank’s vault compromises the keysLikelihood: lowSeverity: very highAction: MitigationDestruction of data (how to?)
- Unauthorized access by bank employers or accredited access holdersLikelihood: mediumSeverity: very highAction: Mitigation
- access only to checked, trustworthy personnel
- access only after presenting authorisation letter issued by committee or upfront registration by committee (bank need to be able to handle this)
Risks of Escrow with vaults and group of members
- Group of members unavailable in totalLikelihood: mediumSeverity: very highAction: MitigationBoard to tightly monitor status active group members; initialisation of secret hand over if one member leaves, deceases, or vanishes need to be established in timely manner
- Loss of secretLikelihood: highSeverity: very highAction: AvoidPolicy to be implemented on how secrets need to be stored, handled, and destroyed; Policy to be monitored in regular time intervals
- Extort secret from group memberLikelihood: lowSeverity: highAction: Accept
- Conflict of interest, if critical admins are part of the group of members: live system and recovery planLikelihood: mediumSeverity: mediumAction: AvoidAvoid use critical system admins for Escrow Group
Key Performance Indicators for Recovery
- Recovery in less than x hours (x to be defined)
- Access to vaults by at least two accredited person in 100% of all cases
- Access to data in 100% of all cases
[1] | https://wiki.cacert.org/Roots/NewRootsTaskForce |
[2] | https://wiki.cacert.org/Roots/Contents |
[3] | https://wiki.cacert.org/Roots/Structure |
[4] | https://wiki.cacert.org/Roots/EscrowAndRecovery |
[5] | cf. https://support.apple.com/kb/TS4133 |
[6] | cf. https://wiki.cacert.org/Roots/EscrowAndRecovery |
[offline] | (1, 2, 3, 4, 5, 6) offline: not connected to the internet |
[8] | https://wiki.cacert.org/Roots/Contents |