RNP - Rede Nacional de Ensino e Pesquisa



RNP News 

RNP launches root certificate authority for the academic community

Pilot turns into service in 2007

On November 10th, in Campinas, the pilot Root CA of ICP-EDU was launched. The Root CA is the certificate authority at the top of the public key infrastructure pilot project for RNP's educational community (ICP-EDU). In a public key infrastructure (PKI) hierarchy, the Root CA holds the top-level certificate; subordinate certificate authorities and registration authorities (RAs) sit below it. The idea is to have one root certificate authority for the whole higher-education community, so that a certificate issued by one university's CA is recognized by the others because it chains up to the Root CA and is validated against it.

Launch of the ICP-EDU pilot Root CA

ICP-EDU's Root CA is unique: there is only one. Its certificate is self-signed, and its private key is protected by cryptographic hardware. The Root CA signs the certificates of the certificate authorities of the participating institutions and of the ones operated by the CA Operations Group (Gopac): CA Mail and CA Test. The National Laboratory for Scientific Computing (LNCC), the University of Campinas (Unicamp), Fluminense Federal University (UFF), the Federal Universities of Minas Gerais (UFMG) and of Santa Catarina (UFSC), and RNP take part in the Root CA infrastructure. Bringing the Root CA into operation involves many procedures. They are documented in key ceremony scripts, which describe every step in generating the cryptographic key pair, the Root CA's digital certificate and the Certificate Revocation List (CRL) of the ICP-EDU pilot project.

The ceremony is carried out in three stages. In stage 1, all equipment is configured and the groups of administrators, auditors and operators are formed. In stage 2, the cryptographic key pair, the Root CA's digital certificate and the CRL are created in the presence of administrators and witnesses; some steps of this stage are also photographed and videotaped. Finally, in stage 3, the records produced during the previous stages are reviewed, and a report on all activities performed is written and submitted to a Steering Committee for approval. Once approved, the Root CA's certificate, the CRL and the reports are published.

Key-generation stage for the Root CA

Public-key cryptography is a method that uses a pair of keys: a public key and a private one. The public key is freely distributed to all correspondents, by e-mail or other means, whereas the private key must be known only to its owner. In asymmetric-cryptography algorithms, a message encrypted with the public key can be decrypted only with the corresponding private key; conversely, a signature made with the private key can be verified by anyone holding the public key, which is how a CA's signature on a certificate is checked. The method can therefore be used to provide both confidentiality and authenticity.
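The hierarchy described above, as an added example that is not RNP's or ICP-EDU's own code: a self-signed root whose private key signs a subordinate (university) CA certificate, which in turn signs a user certificate; a relying party that trusts only the root validates the user certificate through the chain, and a CRL signed by the root is checked before it is believed. It is written in Go with only the standard library, and every name, serial number and validity period in it is constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template fills the fields every issuance needs. A CA key gets certSign and cRLSign,
// an end-entity key only digitalSignature. Names, serials and lifetimes are constructed.
func template(serial int64, cn string, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"ICP-EDU demo"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
		KeyUsage:              usage,
	}
}

// issue generates a key pair for tmpl and has parentKey sign the certificate. With
// parent == nil the certificate is self-signed: that is how a root bootstraps, and why
// relying parties must install the root certificate explicitly instead of verifying it.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildDemoPKI returns root, subordinate (university) CA, end-entity certificate and a
// DER CRL in which the root revokes the subordinate CA, as the pilot's CRL would.
func BuildDemoPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate, []byte) {
	root, rootKey := issue(template(1, "ICP-EDU demo Root CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign), nil, nil)
	sub, subKey := issue(template(2, "University demo CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign), root, rootKey)
	leaf, _ := issue(template(3, "student@university.example", x509.KeyUsageDigitalSignature), sub, subKey)
	crl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(24 * time.Hour),
		// Older field; RevokedCertificateEntries replaced it in Go 1.21 but both still work.
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: sub.SerialNumber, RevocationTime: time.Now().Add(-time.Minute)}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, root, rootKey)
	must(err)
	return root, sub, leaf, crlDER
}

// VerifyChain checks that leaf chains through sub to the trusted root and returns the
// chain length (3 for leaf -> subordinate CA -> root); an unrelated root makes it fail.
func VerifyChain(leaf, sub, root *x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// IsRevoked rejects a CRL the issuer did not sign, then reports whether serial is listed.
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	root, sub, leaf, crlDER := BuildDemoPKI()
	fmt.Println(VerifyChain(leaf, sub, root))              // 3 <nil>
	fmt.Println(IsRevoked(crlDER, root, sub.SerialNumber)) // true <nil>
}
```

Run it with `go run`: the chain length comes back as 3 and the subordinate CA shows as revoked. Building a second, unrelated root and passing it to either function makes both the chain validation and the CRL signature check fail, which is the property the pilot relies on: a university CA is recognized only because it chains to the one root, and a revocation list is believed only when the root's signature on it verifies.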

Pilot project turns into service in 2007

The first working group (WG) formed at RNP to research public-key infrastructure was created in 2003. At that time, few institutions in Brazil invested in solutions based on public keys, and their main use was restricted to authenticating users and web-server addresses (the secure Web, very common at bank sites, for example). That first WG had already considered creating a Root CA at RNP.

Professor Ricardo Custódio, of UFSC, coordinated the deployment of the Root CA

In the following year, a second WG focused on managing the use of private keys on the servers that used certificates issued by ICP-EDU. To that end, the WG invested in developing an HSM, a Hardware Security Module: a device that works like a “safe” for storing and using a private key. The private key never leaves the HSM, and every operation that requires it is performed inside the highly secure environment the module provides. Whereas the 2003 and 2004 WGs worked on key-protection solutions for certificate authorities (CAs), the 2005 WG turned to users' private keys. The question was how to assure the security and reliability of a user's private key. The solution was the development of a virtual smart card, a cheap and safe alternative that lets university students, staff and professors create a private key, store it and use it securely.

In these three years, the parameters of the PKI for the Brazilian academic sphere were defined, the HSM was built and, finally, ICP-EDU's pilot Root CA could start operating. The pilot must be validated by the end of the year, when the intermediate certificate authorities will be in operation. In 2007, when the testing phase is over, the Root CA will become another service offered to the whole community of users of the Ipê network, the national, academic, multigigabit infrastructure operated by RNP.

[RNP, 12.07.2006]
