RNP's ICP EDU Projects PKI software and hardware for the Brazilian research community Ricardo Felipe Custódio UFSC Ricardo Dahab UNICAMP Jeroen van de Graaf UFMG
RNP's ICP EDU Projects Joint effort UFSC Federal U. of Santa Catarina UFMG Federal U. of Minas Gerais LCC The Lab for Scientific Computing at UFMG UNICAMP State U. of Campinas (SP) LabSec The Computer Security Lab at UFSC LCA The Lab for Applied Crypto at UNICAMP RNP through its Working Group initiative. 2
RNP's ICP EDU Projects Three working groups 2003 2004 SW for certificate life cycle management 2004 2005 Hardware Security Module (HSM) 2005 2006 Private key management Total budget Aprox. R$ 300K ~ US$ 100K 5 faculty, 3 PhD, 10+ MSc and ugrad students See http://www.icpedu.labsec.ufsc.br 3
ICP EDU I Software suite for issuing, publication and revocation of digital certificates as well as management of certificate revocation lists. Three packages Certificate management system Public module Public directory Fully operational and tested. 4
ICP EDU II An HSM and accompanying software. Initially meant as CA HSMs (private key protection and usage). Evolved into a general purpose security module equipped with crypto hardware acceleration. The complete prototype package includes server and client software as well as OS for three experimental platforms. 5
HSM architecture PKI Mode A P L I C A T I O N S Management Interface Key Management OpenHSMd OpenSSL Engine Eng A Engine Eng C Crypto in Software Engine Eng B Crypto in Hardware Engine Software HSM Accelerator Mode Host Machine 6
A few shots 7
A few shots 8
Prototype 1 9
Prototype 2 10
ICP EDU II Hardware prototypes built and key management subsystems proposed in Jean E. Martina's MSc thesis at UFSC. Market hardware being concluded by Kryptus Technologies in Campinas. Security sensing systems (temperature, light, tampering). FIPS 140 2 level. 3 if a simpler version. Low to medium throughput. Final price in the PC range. 11
HSM specs Throughput: 10 100 RSA sigs/sec Key generation: 1/sec Symmetric encryption/hash: 1Mb/sec Algorithms Hash: SHA X, 3DESMAC, MD5, HMAC Symmetric: 3 DES, AES, Twofish, Serpent, RC4 Public key: RSA, ECC, DSA, DH Random number generation: 100+ kbps Real time clock OS: FreeBSD 12
ICP EDU III Personal management and use of private keys. Motivations Cost Flexibility Responsibility sharing Initially called a Virtual Smartcard, it is evolving into a general signing tool, integrated in everyday applications. Encryption and authentication are in the roadmap. 13
ICP EDU III Private key generation and sharing with authenticated server. Only RSA signing at first. May or may not use HSM in server side. In very early stages. Forecast delivery for late this year. 14
ICP EDU deployment Pilot projects in early stages of planning at UFSC, UNICAMP and UFMG. After that demand will rise sharply, also boosted by other national initiatives, income tax return the most visible. Should benefit from collaboration with groups working in authentication and authorization frameworks. 15
Related activities ICP EDU group is Working closely with RNP in its PKI related initiatives, as TAGPMA. Present in Brazil's national PKI (ICP BR) steering committee, representing the Brazilian Computing Society (SBC). 16
Related activities ICP EDU group is Present in ICP BR's effort to produce its own FIPS compliant PKI software and hardware. Part of an ongoing effort by ICP BR to disseminate the use of digital certification. 17
Thank you! 18