HEBCA – The Operating Authority July 2005 Dartmouth PKI Summit

Upload: aliza

Post on 11-Jan-2016


Agenda
• HEBCA Progress Update – What have we been doing?
• HEBCA Operating Authority – What does it do? Where does it fit in?
• AirGap – Solving the problem of offline CA intercommunication with a highly available online Directory (on a shoestring budget)


HEBCA Project Update
• What’s been done in last 6 months?
  – Policy Authority formed
  – A slew of documents (required for Audit sign-off prior to production roll out) have been drafted
    • Update of Certificate Policy
    • Certificate Practices Statement
    • Certificate Profiles
    • Interoperability Guidelines
    • Criteria and Methods
    • Business Continuity and Disaster Recovery Plan
    • Base Memorandum of Agreement (MOA)
    • HEBCA Personnel Selection Procedures
  – HEBCA Test infrastructure instantiated at Dartmouth
  – HEBCA Test cross-certified with the Prototype FBCA


HEBCA Project Update
• What’s been done in last 6 months?
  – Establishment of the HEBCA.ORG domain
  – Auditors for pre-operational compliance engaged
  – Technical Interoperability completed with FBCA
  – HEBCA Production infrastructure completed (imminent deployment)
    • AirGap solution constructed & operational
  – HEBCA/USHER Synergies project proposed, accepted and under way
  – Presentations on HEBCA concepts, progress, and related projects or participation in panel discussions at 6 different industry conferences / workshops
  – Participation in industry workgroups (Path-Val, I-CIDM, FBCA CPWG, HEBCA PAWG, OSG TG-Sec, TAGPMA, HEPKI-TAG, IIWG, XAAWG)


HEBCA Project Update
• Issues Encountered and Solutions Implemented
  – Discovery of a vulnerability in the protocol for indirect CRLs
    • Will now use Issuing CA to sign CRLs
  – How to construct a high availability online service based on an offline infrastructure (to mitigate risk) all on a shoestring budget
    • Our AirGap Solution was constructed for under $100 in parts
  – FBCA requirement for US citizenship of “trusted roles” personnel prior to cross-certification
    • Participation in industry collaborative process which has distilled a workable solution


HEBCA Operating Authority

• Organization

[Figure: organization chart; only the label “PAWG” survives]


HEBCA Operating Authority
• The HEBCA OA is the organization that is responsible for the issuance of HEBCA certificates when so directed by the HEBCA PA, the posting of those certificates and any Certificate Revocation Lists (CRLs) or Certificate Authority Revocation Lists (CARLs) into the HEBCA repository, and maintaining the continued availability of the repository to all parties relying on HEBCA certificates.
• Specific responsibilities of the HEBCA OA include:
  • Management and operation of the HEBCA infrastructure;
  • Management of the registration process;
  • Completion of the applicant identification and authentication process; and
  • Complying with all requirements and representations of the Certificate Policy.
• Key personnel from the Dartmouth PKI Laboratory were chosen as the HEBCA Operating Authority by the HEBCA PA under the direction of EDUCAUSE (the project sponsor).
• Scott Rea is the Director of the HEBCA OA and the designated OA Administrator in accordance with the HEBCA CP.


HEBCA Overview

• What does it look like?


AirGap
• The Problem:
  – Offline CA
  – High Availability online Directory
  – CRL generation and publication every 6 hours
  – Dual access/authorization for private key operations
  – Handling of after hours certificate revocation requests
  – Limited resources


AirGap
• The AirGap Solution:
  – Asynchronous storage device for schlurping signed data between the CA and the Directory (technically no different to a floppy based sneaker net used in similar situations in industry e.g. FBCA)
  – Storage is never connected to both devices at the same time – hardware enforces an “air gap”
  – Periodic checking to see if storage device is available
    • Directory reads any new CRL and publishes it, posts a signed revocation request when it is received
    • CA reads any new revocation requests, verifies signature, creates new CRL, deletes request
  – Storage connected to online Directory for 5 mins every 6 hours, otherwise connected to offline CA in order to minimize risk
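
The CA-side half of the exchange on this slide, as an added example that is not part of the original presentation or HEBCA's own code: one cron pass that checks whether the storage is attached, verifies each revocation request, collects the serials for the next CRL, and deletes the request. The `requests/` layout, the `.json`/`.sig` file names, `crl_input.json`, the HMAC-SHA256 stand-in for the real signature check, and the choice to also delete rejected requests are all assumptions.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key: HMAC-SHA256 stands in for the real signature check.
DEMO_KEY = b"constructed-demo-key"

def sign(body: bytes) -> str:
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()

def ca_pass(storage: Path, revoked: set) -> dict:
    """One CA-side cron pass over the shared storage (hypothetical layout)."""
    requests = storage / "requests"
    if not requests.is_dir():  # storage is switched to the Directory side
        return {"available": False, "accepted": [], "rejected": []}
    accepted, rejected = [], []
    for req in sorted(requests.glob("*.json")):
        sig = req.with_suffix(".sig")
        try:
            body = req.read_bytes()
            if not hmac.compare_digest(sign(body), sig.read_text().strip()):
                raise ValueError("bad signature")
            revoked.add(int(json.loads(body)["serial"], 16))
            accepted.append(req.name)
        except (OSError, ValueError, KeyError, TypeError):
            rejected.append(req.name)  # unsigned, tampered or malformed
        # Delete the request either way so it is never processed twice.
        req.unlink(missing_ok=True)
        sig.unlink(missing_ok=True)
    # Serial list handed to the CA's CRL signing step (not shown here).
    (storage / "crl_input.json").write_text(json.dumps(sorted(revoked)))
    return {"available": True, "accepted": accepted, "rejected": rejected}

def demo() -> dict:
    """Constructed sample: one validly signed request, one tampered one."""
    storage = Path(tempfile.mkdtemp())
    (storage / "requests").mkdir()
    good, bad = b'{"serial": "0A1B"}', b'{"serial": "0C2D"}'
    for name, body in [("r1", good), ("r2", bad)]:
        (storage / "requests" / f"{name}.json").write_bytes(body)
        # Both files carry the signature of `good`, so r2 fails the check.
        (storage / "requests" / f"{name}.sig").write_text(sign(good))
    revoked = set()
    result = ca_pass(storage, revoked)
    result["revoked"] = sorted(revoked)
    result["left"] = len(list((storage / "requests").iterdir()))
    return result
```

The names returned under `rejected` are what the CA would write to its audit log; only verified serials reach the CRL input.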


AirGap
• Components:
  – Sewell Manual Share USB Switch
  – 5V relay
  – 5V AC adapter
  – Power Timer
  – Crucial 1Gb Flash Disk
  – Cron jobs running on both connection end points
  – Signed objects passed back and forth


AirGap


AirGap
• Benefits:
  – Offline CA talking to an Online Directory automatically without bringing the CA online = reduced risk and reduced costs
  – Potential replacement for 4 operators (2 folks, 2 shifts per day to manually move files back and forth) - $200K savings?
  – Less work for Administrators due to automation of processes
  – Reduced Audit? Audit process once and then periodic checking of logs vs detailed scrutiny of logs may be required for manual process
  – Parts readily available, built for under $100


Discussion or Questions?


For More Information
• HEBCA Website: http://webteam.educause.edu/hebca/

Scott Rea - [email protected]