UNAMgrid
Alejandro Núñez Sandoval
anunez@seguridad.unam.mx
Rio de Janeiro, Brazil, 03/27/06
F2F meeting, TAGPMA

UNAMgrid Certificate Authority
• UNAM is the National University of Mexico and one of the biggest universities in Mexico.
• The student community is more than 265,000 students.
• 70% of research in Mexico is done at UNAM.

UNAMgrid Overview
• Currently the Supercomputing Department of UNAM is working on different grid projects, but these don't include a robust CA (Globus).
• The focus of UNAMgrid is the R&D community in the National University and around the country.
• In the first phase, the Supercomputing Department will be the principal "customer" of UNAMgrid services.

Other CA projects
• FEA project, Firma Electrónica Avanzada
– Advanced Electronic Signature
• Provides certificates to the whole community of the National University (students, academics, researchers).
• RSA solution.
• UNAM-CERT participated in this project 2 years ago.
• Collaborated on the documents, security issues, etc.

UNAMgrid Today
[Diagram: Supercomputing Department, UNAMgrid CA, Computer Security Department]

UNAMgrid Today
UNAMgrid CA members:
• Juan Carlos Guel: UNAM-CERT Manager, UNAMgrid CA Manager
• Alejandro Núñez: Technical Contact, UNAMgrid
• Israel Becerril: Technical Contact, UNAMgrid

UNAMgrid Certificate Authority
• Services:
– Management of PKI services
– Web interface: http://www.unamgrid.unam.mx/
– Information about the CA project in UNAMgrid
– Information in Spanish and English
– Research in new CA technologies

Name Space
• The certificate subject name is based on the X.501 standard.
• Three types of CN component:
– People.
– Hosts.
– Services.

Name space examples
– /C=MX/O=UNAMgrid.CA/O=organization/OU=organizational-unit/CN=subject-name
• /C=MX/O=UNAMgrid.CA/O=dgsca/OU=super/CN=Juan Lopez
– /C=MX/O=UNAMgrid.CA/O=organization/OU=orgunit/CN=host/host-dns-name
• /C=MX/O=UNAMGrid.CA/O=dgsca/OU=super/CN=host/pki.super.unam.mx
– /C=MX/O=UNAMGrid.CA/O=organization/OU=orgunit/CN=service/host-dns-name
• /C=MX/O=UNAMGrid.CA/O=dgsca/OU=super/CN=ftp/ftp.super.unam.mx

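An added example (not from the slides and not the UNAMgrid CA's own tooling): a Python check that classifies a subject DN as person, host or service according to the name space above. It assumes the slash-separated form shown on the slide and a case-insensitive match on the CA's O component; `parse_dn` and `classify_subject` are hypothetical names.

```python
import re

# Assumption: the slides spell the CA's O component both "UNAMgrid.CA" and
# "UNAMGrid.CA", so it is compared case-insensitively here.
CA_ORG = "unamgrid.ca"
DNS_NAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
# Split on "/" only where a new KEY= component starts: host and service CNs
# carry a "/" of their own (CN=host/pki.super.unam.mx), so a naive
# dn.split("/") would cut the CN in two.
RDN_START = re.compile(r"/(?=(?:C|O|OU|CN)=)")


def parse_dn(dn):
    """Return the DN as an ordered list of (type, value) pairs."""
    parts = RDN_START.split(dn)
    if parts[0] != "":
        # Anything before the first recognised component is rejected rather
        # than silently dropped.
        raise ValueError("DN must start with a /C, /O, /OU or /CN component")
    return [tuple(part.split("=", 1)) for part in parts[1:]]


def classify_subject(dn):
    """Return 'person', 'host' or 'service'; raise ValueError otherwise."""
    rdns = parse_dn(dn)
    if [t for t, _ in rdns] != ["C", "O", "O", "OU", "CN"]:
        raise ValueError("expected /C=/O=/O=/OU=/CN= in that order")
    (_, c), (_, ca), (_, org), (_, ou), (_, cn) = rdns
    if c != "MX" or ca.lower() != CA_ORG:
        raise ValueError("subject is outside the UNAMgrid name space")
    if not org or not ou or not cn:
        raise ValueError("empty organization, unit or CN")
    if "/" not in cn:
        return "person"
    kind, _, host = cn.partition("/")
    if not kind or not DNS_NAME.match(host):
        raise ValueError("CN must be host/<dns-name> or <service>/<dns-name>")
    return "host" if kind == "host" else "service"
```
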
Certificate & Key sizes
• The certificates issued by UNAMgrid CA must not be used for financial transactions.
• The subscriber key size is at least 1024 bits.
• The UNAMgrid CA key is 2048 bits long.
– The CA certificate has a validity period of 10 years.

UNAMgrid CA Architecture
UNAMgrid Certificate Life-cycle
[Diagram: Renew, Request, Revocation, Expiration]

Subscriber requirements
• Read and adhere to the procedures described in this document.
• Use the certificate for the permitted purposes only.
• Authorize procedures and conservation of personal data.
• Generate a key pair (at least 1024 bits).
• Select a strong passphrase.
• Protect the passphrase from others.
• Never share the private key with other users.
• Notify UNAMgrid CA in case of private key loss or compromise.

Certificate Revocation List
• The subscriber has ceased to be a member associated with UNAMgrid.
• The subscriber's private key is lost or suspected to be compromised.
• The private key of the UNAMgrid CA has been compromised or lost.
• The CRL has a lifetime of 30 days.
• A new CRL must be published immediately after its issuance.
• A new CRL is issued at least 7 days before the expiration date or immediately after a revocation.

UNAMgrid CA Security
• Physical access
– Restricted to authorized people.
– Cameras.
– Cops.
• UNAMgrid CA is offline. (Tests will be run with our research community.)
• Backup every night except on weekends and holidays.
– DVD backup.
• Internal auditing of security processes.
• Incident reporting procedure.

UNAMgrid CA Status
• Review in progress
• CP/CPS documents (TAGPMA Committee).
• Draft 0.2 issued March 5, 2006
• UNAMgrid website.
• Technical test with OpenCA.

UNAMgrid CA Further work
• Spanish documents.
• OpenCA test with our research community (Mexico)
• Risk assessment and contingency plan documents in progress.
• RA test (1 Nuclear Science Department)

Thank you
Questions?


