Root and Issuing CA Technical Operations Overview
11
Root and Issuing CA Technical Operations Overview As adoption of computers and the Internet has matured, so have users’ expectations for security. New regulations and changing attitudes towards corporate responsibility and data protection are driving most organizations to devote considerable attention to computer security. HydrantID provides digital identity and advanced authentication services to help organizations secure data and systems as well as ecommerce transactions. HydrantID services assist organizations to achieve industry best practices related to encryption and authentication while reducing operating complexity and costs. In today’s world of everything-as-a-service it’s easy to forget that PKI solutions were among the first ‘cloud’ services available in the market, well before the term Cloud existed in the context of computer services. Organizations all over the world have been buying trusted SSL certificates online since the mid-nineties. Arguably this PKI-based solution was the first security product to be widely sold and adopted globally by organizations of all sizes. A significant contributor to this success is the nature of PKI itself. As the name Public Key Infrastructure suggests, every digital certificate has a ‘public’ and a ‘private’ component. When utilizing cloud-based PKI solutions to protect servers and other corporate assets the only information that is sent and stored by our servers is the ‘public’ data contained in the certificate. Our customers retain the ‘private’ key and associated sensitive data within their own environments. PKI security was designed to only carry ‘public’ information and is the bedrock of the secure internet (HTTPS) used to protect millions of financial transactions every day. The HydrantID cloud based, commercial Certificate Authority (CA) provides managed PKI services to the enterprise and public sector in the Americas and Europe. Through our affiliate partner QuoVadis LTD., the company has operations in Switzerland, Holland, the UK, Germany and Bermuda. Secure PKI hosting facilities are located in the United States, Switzerland and Bermuda. HydrantID offers two Managed PKI models: A Private PKI (Private Root) for organizations that need full control over certificate policies and root key distribution; and the Dedicated Issuing CA (Shared Root) that provides a low-cost alternative for organizations that just need digital certificates to secure internal servers and other resources. Figure 1: Private PKI Hierarchy Figure 2: Dedicated ICA Hierarchy
Transcript of Root and Issuing CA Technical Operations Overview
RootandIssuingCATechnicalOperationsOverviewAsadoptionofcomputersandtheInternethasmatured,sohaveusers’expectationsforsecurity.Newregulationsandchangingattitudestowardscorporateresponsibilityanddataprotectionaredrivingmostorganizationstodevoteconsiderableattentiontocomputersecurity.HydrantIDprovidesdigitalidentityandadvancedauthenticationservicestohelporganizationssecuredataandsystemsaswellasecommercetransactions.HydrantIDservicesassistorganizationstoachieveindustrybestpracticesrelatedtoencryptionandauthenticationwhilereducingoperatingcomplexityandcosts.Intoday’sworldofeverything-as-a-serviceit’seasytoforgetthatPKIsolutionswereamongthefirst‘cloud’servicesavailableinthemarket,wellbeforethetermCloudexistedinthecontextofcomputerservices.OrganizationsallovertheworldhavebeenbuyingtrustedSSLcertificatesonlinesincethemid-nineties.ArguablythisPKI-basedsolutionwasthefirstsecurityproducttobewidelysoldandadoptedgloballybyorganizationsofallsizes.AsignificantcontributortothissuccessisthenatureofPKIitself.AsthenamePublicKeyInfrastructuresuggests,everydigitalcertificatehasa‘public’anda‘private’component.Whenutilizingcloud-basedPKIsolutionstoprotectserversandothercorporateassetstheonlyinformationthatissentandstoredbyourserversisthe‘public’datacontainedinthecertificate.Ourcustomersretainthe‘private’keyandassociatedsensitivedatawithintheirownenvironments.PKIsecuritywasdesignedtoonlycarry‘public’informationandisthebedrockofthesecureinternet(HTTPS)usedtoprotectmillionsoffinancialtransactionseveryday.TheHydrantIDcloudbased,commercialCertificateAuthority(CA)providesmanagedPKIservicestotheenterpriseandpublicsectorintheAmericasandEurope.ThroughouraffiliatepartnerQuoVadisLTD.,thecompanyhasoperationsinSwitzerland,Holland,theUK,GermanyandBermuda.SecurePKIhostingfacilitiesarelocatedintheUnitedStates,SwitzerlandandBermuda.HydrantIDofferstwoManagedPKImodels:APrivatePKI(PrivateRoot)fororganizationsthatneedfullcontrolovercertificatepoliciesandrootkeydistribution;andtheDedicatedIssuingCA(SharedRoot)thatprovidesalow-costalternativefororganizationsthatjustneeddigitalcertificatestosecureinternalserversandotherresources.
Figure1:PrivatePKIHierarchy Figure2:DedicatedICAHierarchy
2
HydrantIDalsodeliversEnterpriseTrustedCertificateServicesforprovidingSSL,SMIMEandotherpre-trustedcertificates.Youcanfindoutmoreabouteachoftheseservicesathttps://www.hydrantid.com.AllourPKIsolutionsprovidethenecessarydocumentation,set-upandon-goingCAoperationstofreeyourstafftofocusonyourcorebusiness.Weprovidescalable,secureandgeographically-distributedimplementationsforManagedPKI’sandleveragehighlysecureandauditedtechnicalfacilitiesandexpertisetodeliverallourservices.HydrantIDprovidesafixedannualsubscriptionfeefortheoperationofourPKIsolutions,witheachsubscriptiontailoredtocustomerrequirements.Allofourservicescanbeincludedinasinglesubscriptionandnewservicescanbeaddedatanytime.
Functionality,SecurityandUsabilityBoththeDedicatedIssuingCAandPrivatePKIofferingsshareacommonsetoffunctionalitythatonewouldexpectfromourworld-classservice:
• AllIssuingCAprivatekeysaregeneratedandmaintainedinFIPS140-2certifiedHardwareSecurityModules
• AllIssuingCAprivatekeysarereplicatedtoageographically-diversebackupsite• CRLpublishing• OCSPresponderserviceusingsoftware-basedsigningkeys• Trust/Linkcertificatemanagementwebportal• OptionalTrust/LinkEnterpriseWebServiceAPIforautomation• Built-insupportforthird-partykeyandcertificatemanagementsolutionssuchas
VenafiandSecardeo• Includes20SAN’spercertificate,moreavailableonrequest• Supportsmultiplecertificatepolicies/typesforsecuringinternalhosts(SSL/TLS,
wildcard,device,etc.)• SupportsmultipleAdministratorsandrightsdelegation• Nolimitonorganizations/departments• Nolimitonsub-domains• OngoingServiceandIndustryUpdates• 6-monthInternalProgramAssessment• Annualsupportandmaintenance
OurserviceusesPolicyTemplatestocontrolthetypesofcertificatesissuedtoyouraccount.Weprovidepre-configuredtemplatesthatcoverthemorepopulartypesofcertificates.Thesecanbeusedasastartingpointforfurthercustomizationtomeetyourbusinessneeds.MovinguptoourPrivatePKIofferingaddsthefeaturesnecessaryfororganizationsthatwantfullcontroloverbranding,policiesandcertificatehierarchy:
3
• Offlineprivaterootkey(s)andcertificate(s)• Scripted,recordedKeygenerationceremony• Offlinerootstorage-HSM,securityworldandcardsets,safeintwogeographically-
diverselocations• CustomCertificatePolicyandCertificatePracticeStatement(optional)• ExistingCertificatePolicyandCertificatePracticeStatementreviewandmapping• OCSPresponderserviceusingsoftwaresigningkeys(hardware-basedkeysare
optional)WeworkcloselywithourcustomerstodeterminethebestPKIarchitecturefortheirneeds.AspartofourPrivatePKIserviceweofferaworkshopthatisusedtodetermine:
• CANaming• CertificatePolicyrequirements• Scopeofcertificateusage• WebServicesConfiguration• Useracceptancetestingcriteria• Internalauditandreportingrequirements
TheresultsoftheWorkshopareusedtocreateacustomizedPrivateRootHierarchydocumentthatcoversthePKIhierarchydesign,branding,policyidentifiersandcertificatetypesrequiredtodeliverafully-functionalPKIservice.Thisbecomestheblueprintforgeneratingtheprivatekeysandassociatedcertificates.PrivatePKIServiceKeyGenerationandStorageThePrivatePKIRootCAkeysarecreatedduringaCAWebtrust-compliantkeygenerationceremonyattendedbyabusinessandtechnicalrepresentativeofyourcompany.Usingnon-networkeddedicatedequipment,thekeyceremonyisperformedinamaximumsecuritydigitalrecordsandmicrofilmstoragevaultlocatedinasolidgranitemountain.Thisvault,builttoDepartmentofDefensespecifications,isusedtosecurededicatedCustomerandHydrantIDsafescontainingtheHardwareSecurityModulesandassociatedactivationdata.On-goingstorageandmaintenanceactivitieslikeKeyandCertificateRollover,CRLgenerationandOCSPSigningcertificaterenewalareincludedinourserviceoffering.RootandIssuingKeyPortabilityThePrivatePKIRootCAwillbegeneratedonaWindowsServervirtualmachineanddedicatedThalesEdgeHSM.Uponterminationofthecontract,thesecomponentsandany“k-of-n”smartcardsandactivationdatawillbeprovidedtotheCustomerinasecuremanneragreeduponbybothparties.
4
TheIssuingCAprivatekeyswillbehostedonsharedHSM’s.Uponterminationofthecontract,thesekeyblobswillbemergedintoamigrationSecurityWorldandthe“k-of-n”smartcardsandactivationdatawillbeprovidedtotheCustomerinasecuremanneragreeduponbybothparties.KeySizesandAlgorithmSupportAlthoughourDedicatedICAandPrivatePKIofferingsarenotgovernedbyanindustrygroupwedoencourageourcustomerstofollowbestpracticesforkeysizeandhashingalgorithmchoices.Thiscurrentlyisabaselineof2048-bitkeysfordeviceandusercertificatesand4096-bitkeysforIssuingandRootCA’s.Wehavetheabilitytoissueawiderangeofkeysizesandhashalgorithmsforcaseswhereyourorganizationneedsacustomsolution.OurstandardCryptographicproviderisRSA#nCipherSecurityWorldKeyStorageProviderwhichiscompatiblewithSHA-256,SHA-384andSHA-512.Wealsosupport:Symmetricpublickeyalgorithms:RSA(1024,2048,4096),Diffie-Hellman,DSA,El-Gamal,KCDSA,ECDSA,ECDHSymmetricalgorithms:AES,ARIA,Camellia,CAST,DES,RIPEMD160HMAC,SEED,TripleDESHash/messagedigest:SHA-1,SHA-2(224,256,384,512bit)FullSuiteBimplementationwithfullylicensedEllipticCurveCryptography(ECC)includingBrainpoolandcustomcurvesBothPrivateandDedicatedPKIrootkeyswillbegeneratedonaThalesEdgeFIPS140-2Level3validatedHardwareSecurityModule(HSM).ThisHSMhelpstoenforcemultipersoncontrolforsensitiveprocesses,suchasconfiguringanewHSMmoduleoractivatingakeyforuse.Thisiscommonlyknownas“kofn”,orhavinga“quorum.”Thebasicpremiseofkofnistodividetheinteractionsneededtoaccessinformationamongmultipleentities.InthecaseofanHSMconnectedtoaCA,multiplesmartcardsneedtobeconnectedtotheHSMtogenerateoractivatetheuseoftheCAprivatekey.Thecardsortokencanthenbeseparated,distributed,andsecurelystoredtohelpenforcetheseprocesses.TheThalesSecurityWorldallowsforphysicallysplittingkeymanagementresponsibilities.Splitresponsibilityisawidelyacceptedcontrolwithinmostsecuritypolicies.Throughitsmulti-party“k-of-n”controlfunctionality,importantkeyfunctions,proceduresoroperationscanmandatethatmorethanonepersonisrequiredtoperformthesetasks.Instead,aquorumofkeyholders(the“k”inthe“k-of-n”)mustauthorizetheactionsoftheconsoleoperator.
5
Figure2:PrivateKeyProtectionandAccessControl
TheSecurityWorldconstructalsosupportsscalabilitybyprovidingasecureandtightlymanagedprocessforprovisioningidenticalIssuingCAkeystoadditionalThalesHSM’s.BackupsareaccomplishedbymakingcopiesoftheIssuingCAapplication“keyblob”andmovingthemtophysicallyandgeographically-diverselocations.TheSecurityWorldconstructensuresthatthe“keyblob”isworthlesswithoutthe“k-of-n”smartcardsandaproperly-initializedHSM.Thefollowingwasprovidedbythevendorforreference:KeyAccessandStorageAnapplication“keyblob”consistsofthekeymaterial,thekey’sAccessControlList(ACL),andacryptographicallystrongchecksum,allencryptedwitha3DESorAESkey.Inthecaseofacardset-protectedapplicationkey,the3DESorAESwrapperkeyusedisstoredviasecret-sharingacrosstheOperatorCardsetandisknownasaLogicalToken.Inthecaseofamodule-protectedapplicationkey,the3DESorAESkeyusedistheSecurityWorldModuleKey,storedintheHSM’snonvolatilememory.
6
Figure3:KeyStorage
TheSecurityWorldModuleKeyisitselfstoredinablobonthehostfilesystem;thekeydata,ACLandchecksumareencryptedwitha3DESorAESLogicalTokenstoredontheACS.ThisallowstheAdministratorCardHolderstoloadtheSecurityWorldModuleKeyintoadditionalHSMs.ThesecurityworldmodulekeycanbeloadedonbothdedicatedThalesnShieldHSMsandonThalesnetHSMs.ALogicalTokenremainsintheHSMandonthesmartcardsandisneverpassedtothehosteveninencryptedform.AdditionalencryptionoftheSharesofaLogicalTokenensuresthatthepassphrases(ifset)arerequiredtoassembletheSharesintotheoriginal3DESorAESkey,andinthecaseofOperatorCards,toensurethatthecardsetisusedonlyinHSMspossessingtheSecurityWorldModuleKey.OCS-protectedapplicationkeyswithRecoveryenabledarealsostoredinaRecoveryBlobalongsidethemainworkingblob.TheRecoveryBlobisencryptedusinganRSAkeypairknownastheRecoveryEncryptionKey.TheprivatehalfoftheRecoveryEncryptionKeyisagainstoredasablobprotectedbyaLogicalTokenstoredontheACS.ThisallowstheAdministratorCardHolderstoperformtherecoveryfromlostorunusableOperatorCardsetsasshownbelow.
7
Figure4:Accesstocryptographickeys
AccessingYourPKIServicesWeprovidetwoprimarywaystoconsumeourPKIofferings:
o Trust/LinkEnterpriseCertificatePortal-Weprovideaneasy-to-useweb-basedcertificateportalthatprovidesasingleinterfaceforyouraccountsetup,managementandreportingneedsforbothManagedPKIandTrustedSSLcertificatesinoneplace.Theportalisaccessedusinganystandardwebbrowseranddoesnotrequireanyadditionalclient-sidesoftware.Thisalsoprovidescustomerstheabilitytodistributetheadministrationofcertificatelifecyclesacrosstheirorganizationalwithcustomizableadministratorroles.WeprovideanAdministratorguidethatexplainstheaccountsettingsandabilitytodelegatespecificpermissionstootherAdministrators.
o CertificateAPI-ThisisaRESTfulWebServicesAPIforautomatingtherequest,issuanceandrevocationofdigitalcertificates.Thewebserviceconsistsof:
8
ACTION URI DESCRIPTION
POST /api/v1/certs Creates a new request, returning transactionId
PATCH /api/v1/certs/{transactionId} Revokes a given certificate
GET /api/v1/certs/{transactionId} Returns the certificate request details
GET /api/v1/certs/{transactionId}/status Returns the certificate status - Valid/Revoked
GET /api/v1/certs/{transactionId}/certificate Returns the issued certificate
GET /api/v1/certs/{transactionId}/info Returns detailed information about the issued certificate
TheHydrantIDCertificateAPIhasalsobeenintegratedbyothersecurityproductvendors.ThisenablestheircustomerstoaccessHydrantIDserviceswithoutanyadditionaldevelopmentwork.Twofeaturedsolutionsare:VenafiTrustforce-https://www.venafi.com/products/trust-force/trust-force-overviewVenafiastheImmuneSystemfortheInternet™,usesVenafiTrustForce™toautomatetheentirekeyandcertificatelifecycle,determiningwhichkeysandcertificatesareselfandtrusted,protectingthosethatshouldbetrusted,andfixingorblockingthosethatarenotbyblacklistingorautomaticallyreplacingvulnerablekeysorcertificates.Inaddition,organizationscaneliminateblindspotsfromencryptedthreatsbyautomatingthedeliveryoftrustedkeysforSSL/TLSdecryptionandthreatprotection.TrustForcealsoextendsitsautomatedcertificatemanagementandsecuritycapabilitiestoawiderangeofEnterpriseMobilityusecases,includingemailencryption,emailsigning,WiFi,VPN,browser,anddeviceauthentication.SecardeocertEP-https://www.secardeo.com/products/certep
9
TheSecardeocertEPCertificateEnrollmentProxysupportsmanualorautoenrollmentofcertificatestocomputersandusersinaWindowsDomainfromanon-MicrosoftCA.certPushenablestheautomateddistributionofuserkeystoallmobiledevicesinanenterprise.certEPoffersyouthefollowingbenefits:
• usageofaCAsoftwareorSaaSofyourchoice–independencefromMicrosoft
• isolationofCAfromproductionnetwork–protectyourPKIfromadvancedthreats
• highdegreeofautomation–minimizePKIoperationalcosts• useestablishedManagedPKIServices–performPKIdeploymentwithin
hours• manyCAssupportedwithcustomizableinterfaces–keepflexibilityfora
futuremigrationtoanotherCA• localkeyarchivalandrecoverybyKRAs-keepfullcontrolandprivacyfor
yourprivateencryptionkeys• autoenrollmentfromapublicCA–globallyacceptedS/MIMEcertificatesfor
yourusersWealsosupportanumberofcertificate-specificprotocolsforspecializedintegrationandautomationsupport.Theseareoutlinedinthediagrambelow.Pleasecontactyourrepresentativeforavailabilityandadditionalinformation.
10
Performance,AvailabilityandScalabilityCustomersofourPKIofferingsrelyontwoprimaryservicesforday-to-dayoperations:CertificateIssuanceandCertificateValidation.Certificateissuanceisamultithreadedservicewiththreeprimarystages:
• Requestsubmittal:IncomingcertificaterequestsfromourportalorAPIareacceptedbyarequestqueue.Thisprovidesanauto-scalingmethodtohandlehighly-variablepeaksincertificaterequestvolumes.Therequestqueuecanacceptinexcessof300certificaterequestspersecond.
• Requestprocessing:RequestsmaybesubjecttoavarietyofrulesprocessingbeforebeingsignedbytheCA(CertificateAuthority).Examplesarenameconstraints,policyenforcementandexternaldependenciesthatmustbeverifiedpriortothecertificatebeingissuedandreturnedtotherequestingcustomer.Thecomplexityofthecertificatetobegeneratede.g.keysize,numberofSAN(SubjectAlternativeName)fields,etc.,canalsoincreasetheissuancetime.Inpractice,themajorityofthisprocessingoccurswithinsecondsandtherequestisthensignedbytheappropriateCA.
• SignedCertificateReturn:Howthesignedcertificateisreturneddependsontherequestmethod.Forportalusers,anemailisgeneratedbyoursystemandsenttotheRequestorandotheraccountadministrators.Astatusindicatorisalsosetintheportal.ThecertificatemaynowbedownloadedinbothPEMandDERformats,aswellaswithoutorwithoutthefullcertificatechain.ForAPIusers,apollingmechanismisusedforAPI-generatedrequestsandthird-partyintegrations.Theseservicespollatfrequentintervalsanddownloadthecertificateassoonasitisavailable.
CertificatevalidationinformationisprovidedbyCertificateRevocationLists(CRL)andOnlineCertificateStatusProtocol(OCSP)servers.AllDedicatedICA’sandPrivatePKI’sareconfiguredtopublishaCRLeachtimeacertificateisrevokedandataspecifiedinterval.Theyarepublishedtoahostedlocationandcanbedownloadedasneeded.OCSPservicesprovidenearreal-timerevocationstatusinformationandisincludedinbothourserviceofferings.WealsosupportOCSPStaplingwhichallowsaserverprotectedbyacertificatetorequeststatusinformationandpassitontoconnectingclients.ThisgreatlyreducesWANtrafficforbusysitesandreducespageloadtimes. BothCRLandOCSPinformationmayservedoutoftheUnitedStates,Bermudaand/orSwissdatacentersonaround-robinDNSbasiswithmultipleserversineachlocation.Thisloadbalancingmethodensuresthatanyinterruptionatanylocationiscoveredbyanotherdatacenter.AsofDecember2015ouraverageOCSPresponsetimes(inseconds)are:FromPennsylvania-0.095
11
FromLondon-0.050 FromAmsterdam- 0.056 FromSanJose,CA- 0.165 FromPhoenix,AZ- 0.173 FromNewYork- 0.095 FromAruba/Italy-0.088 FromZurich,Switzerland-0.078 Incomingconnectionstotheseservicesareasharedresourceandaresizedtoprovideamplebandwidthforallcustomersonourplatform.CapacityismanagedbyHydrantIDandwillbeaddedasnecessarywithoutourcustomersincurringadditionalbandwidthcharges.WemaintainServiceLevelAgreementswithallourcustomerstoensurethatourIssuanceandValidationsystemsareavailableandresponsivewhenyouneedthem.HydrantIDoperatesamulti-locationSupportdesktoprovide24hour/7daysaweeksupportforsolvingoutagesandotherhigh-priorityissues.Acustomer-specificsupportgroupisestablishedinourticketingsystemandkeyHydrantIDcontactsforsupportissuesandescalationareprovidedatserviceinitiation.WesupporttheuseofS/MIMEforauthenticatedandencryptedcommunications,andmaintainalistofauthorizedcustomerrepresentativestoauthenticateservicerequestsandconfirmations.
Formoreinformationcontactquestions@hydrantid.comorvisitwww.hydrantid.com
