Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)

Home > SAS 70 Key Ceremony

By Digi-Sign
Created Feb 25 2008 - 15:50

SAS 70 Key Ceremony

Introducing the SAS 70 Key Ceremony

PDF [1] For compliance reasons, certain CA systems must conduct a Key Ceremony before issuing any Digital Certificates. Trust Centres and Government projects are two examples where a key ceremony may be required in order to comply with local laws or international standards.

The entire Key Ceremony and is described in this manual. There are typically three phases of the Key Generation Ceremony and these are sub divided and described in the following sub sections:

Digi-CA™

PDF [2] The Root CA, that is at the top of the hierarchy of the CA environment, as well as Subordinate CAs residing on a lower level of the CA hierarchy, are created using the Key Ceremony. The Key Ceremony is conducted and supervised by the Key Ceremony Administrator with an optional support of Key Generation Ceremony Administrator and the procedure is carried out with the following primary responsibilities:

  • Generating Cryptographic Key Pairs
  • Creating properly named and configured CAs.
  • Creating CAs in a secure, auditable manner that can be trusted.
  • Providing ongoing CA support and maintenance.



To meet these responsibilities, the Key Ceremony Administrator is involved in every phase of the CA life cycle. The six phases of the CA life cycle are described in the following sub sections:

        1.Key Generation Ceremony

        2.Definition

        3.Preparation

        4.Creation

        5.Activation

        6.Maintenance

        7.Recertification

  • Key Generation Ceremony

    • During a Key Ceremony in which a CA is created, usually either new cryptographic key pair is generated and assigned to a new CA or alternatively a previously generated (pre-generated) key pair can be assigned to a new CA. Cryptographic key pairs are generated during a key generation ceremony, that itself can either be a separate event (i.e. previously performed Key Generation Ceremony or a Key Ceremony related to recertification of an existing CA) or a part of the entire Key Ceremony and the latter is described in this manual. There are typically three phases of the Key Generation Ceremony and these are described in the following sub sections:

          1.Key Access Component Card Set Configuration
          2.Key Pair Generation


Key Access

Key Access Component Card Set Configuration

PDF [2] During this phase of the Key Generation Ceremony, a new Key Access Component Card Set, commonly referred to as Operator Card Set, can be created and bound to a cryptographic device’s security infrastructure.

Depending on the organization preference and/or regulatory requirements, all of the generated keys (or alternatively only a specified subset of generated keys, subject to the type of CA that they will be assigned too) may require protection from unauthorized access and may also require encryption using an encryption key that is divided into a specified number of components. These are referred too as Secret Components and once created they are stored on Key Access Component Cards.

If you choose to protect any keys with a set of Key Access Component Cards, you will need to create the new Key Access Component Card Set using the features provided by your cryptographic device vendor (e.g. HSM or other device). This will usually require you to define the card set configuration, such as the total number of cards in a card set and a minimum number of cards required to access the key (if you enable this option), to recover any lost card of the card set (if you enable this option), to recover lost PIN codes, that protect access to each card (if you enable this option) and finally - to recover a private key itself (if you enable this option).

Before a card set can be created, a sufficient number of Card Holders, that is individual persons holding the Key Access Component Holder responsibilities, should be appointed and attend the ceremony. Choose your Card Holders carefully and wisely and ensure they meet Trusted Employee requirements and other personnel related policies within you or your customer’s organization.

Each Card Holder, will need to be supplied with a special smart card, provided by the cryptographic device vendor. During the process of creation of a new Key Access Component Card Set, each Card Holder will be requested to insert the card into the smart card reader interface connected directly to the cryptographic device and enter and confirm a new PIN code they wish to protect their cards with. They must memorize their PIN codes and also store these securely in a well protected place such as safe. Before the process is completed, the Key Ceremony Administrator will also need to enter a Name for the newly generated card set in order to be able to identify it when the particular card set is needed in future use.

Upon successful creation of the new Key Access Component Card Set, the event should be documented in the Key Ceremony Notes Document, that should clearly display the Name assigned to the new Key Access Component Card Set, full name of each Card Holder, their personal details allowing the company, for which the keys are generated for, to easily contact each Card Holder when needed, and finally - the serial numbers of the smart cards they hold. The Key Ceremony Administrator should also ensure, that each Card Holder signs a dedicated Key Access Component Holder Document (a separate document for each Card Holder), which lists all of the Cart Holder responsibilities, their personal details and the Serial Number of the Key Access Component Card they hold.

Key Generation

Key Pair Generation

PDF [2] During this phase of the Key Generation Ceremony, the necessary number of key pairs is generated, subject to the number of CAs that will be created during the Key Ceremony. All private keys are securely generated and saved in an encrypted format on a cryptographic device, most often a hardware device such as Hardware Cryptographic Module commonly referred to as HSM. Public key request files are also saved into a hard disk drive, CD disc, USB flash drive or a diskette.

At this stage, the key pairs are given a Common Name and as an option, a unique key identifier file is named and saved into a hard disk, USB flash drive or a diskette. These values identify the key and will allow the Key Ceremony Administrator to properly setup the cryptographic tools to access the key at a later stage of the Key Ceremony and in future frequent use if necessary.

In order to generate a key pair on a cryptographic device, a command prompt based
cryptographic device support software in combination with Digi-CA™ Cryptographic Toolkit can be used. Subject to your or your customer preference, or regulatory requirements as well as supported algorithms by the Digi-CA™ PKI System and the cryptographic device in use, the Key Generation Administrator needs to ensure, that he has correctly defined the following values describing the type and the size of each private and public key pair:

          a. Key Generation Algorithm [i.e. RSA]

          b. Key Size provided as an integer number of bits [i.e. 2048]



Ensure, that these values are known to the Key Generation Administrator in advance and that your own or your customer’s company understands their meaning, usage limitations and security risks in respect to the current cryptographic security norms and standards [3] for commercial use.

If you intend to protect a particular key with a set of Key Access Component Cards, ensure all Key Access Component Holders are present at the ceremony, have their cards ready for use and confirm that they remember or have access to the PIN codes necessary to read data on the cards. If an Key Access Component Card Set key protection feature is enabled during this phase, configured number of Card Holders will be requested to insert the card into the smart card reader interface connected directly to the cryptographic device and enter the PIN code they used to protect their cards with. Once the last required card is loaded, the cryptographic device will automatically generate the requested key data based on the specified key type algorithm and bit size and output relevant data such as certificate request containing the associated public key and as an option, a unique key identifier file to an appointed location on a hard drive disk, CD disc, USB Flash Drive or a diskette.

At the end of the key generation process, you need to ensure, that the event is documented in the Key Ceremony Notes Document and, that it clearly displays that keys are not only correctly associated with a specific company, for which the key or keys are generated for but also correctly associated with the CA, for which these were generated for. For example, ACME Certification Authority could be assigned to 2048 bit RSA PrivateKey1, etc.

After the Key Ceremony, the CA Operator uses the .x509 certificate file, generated during the ceremony, to map the private key stored on the cryptographic device to the new CA infrastructure.

The above process for generating keys can be completed using a cryptographic device working in a production environment and it does not disrupt the operations of other CAs maintained in your Digi-CA™ PKI System environment. This also enables the CA Operator to bring new CAs online easily, without taking existing CAs offline.

Using Key Generation Ceremony, a new key pair is generated whenever a new Root or Subordinate CA is created. Typically, firstly a Root CA is created and used to sign any new Level 1 Subordinate CA in the CA hierarchy and so on.

Definition

PDF [2] During the definition phase of the CA, the Key Ceremony Administrator coordinates and supervises work to define the CA, how to name it, how to use it, what type of hierarchy to choose, and other attributes and requirements of the CA and associated PKI [4] environment. This can be done by using the Preset Certificate Specification Template provided in Appendix II.

There are several other items that must be considered when defining the Key Ceremony and these are explained in the following sub sections:

            1. Naming Document

2. Key Map

3. Key Access Component Holders

4. Key Ceremony Script

5. Video Recording

6. Archive Collateral


Naming Document

PDF [2] The naming document must be completed for all new CAs. Information provided in the naming document precisely describes the CA you are creating for your own organization or for your customer. Because this document is a critical tool in the creation of the CA, it is imperative that the parameters identified in the naming document are carefully defined. The Digi-Sign’s Digi-CAST2™ Consulting Team can support the Key Ceremony Administrator and work with the customer to correctly set these parameters.

Important Note: The Key Ceremony Administrator is responsible for generating the Naming Document and ensuring that its is signed by appropriate representatives or by the customer, to whom the CA is generated for.

The naming document is a critical tool used to prepare for a Key Ceremony. With the naming document in hand, the ceremony is scheduled, the Key Ceremony Script is written and the ceremony attendees are decided upon. The naming document consists of four sections and space for the customer signature (see Appendix II: Preset Certificate Specification template). The information in each section differs, depending on the CA type and unique customer specifications. The typical two types of CAs you create in key ceremonies are:

  • Root CA, which is the top level CA of the new CA hierarchy and signs lower level CAs within the hierarchy.
  • Subordinate CA, which is part of the CA hierarchy with Root CA residing on top of it.



Elements of the naming document are different for each of these CAs. These differences are summarized in the following table:

IMAGE


Naming Document Sections

Four sections of the Naming Document

PDF [2] The four sections of the Naming Document are explained in the following sub sections:

            Section I- New Issuing Authority Organization

Section II- Operational Period

Section III - Distinguished Name

Section IV - Certificate Format & Extensions


  • Section I – New Issuing Authority Organization

    • This section lists the name, address and country of operation of the New Issuing Authority and is the organization that the CA will be generated for.

  • Section II – Operational Period

    • This section identifies the validity period showing the integer value representing the number of years, for which the particular CA is going to operational. The value is subsequently used to calculate the CA expiration date subject to the real date and time value of CA generation event, provided as UTC.

  • Section III – Distinguished Name

    • This section specifies the Distinguished Name [DN] of the New Issuing Authority (new CA) and the Superior Issuing Authority (higher level CA, commonly referred to as the signer and the issuer), that is issuing the new CA, if applicable. There are two sections to the DN section of this element of the Naming Document and these are described in the following sub sections:

          Name of Superior Issuing Authority

          Name of New Issuing Authority


    • Name of Superior Issuing Authority

      • This section lists the Distinguished Name of the Superior Issuing Authority. The Superior Issuing Authority is the CA, that signs the new CA certificate. The Superior Issuing Authority is also referred to as the issuer and the signer. The Superior Issuing Authorities for the types of CAs you may want to generate are as follows:

      • For a new Root CA, where there is really no Superior Issuing Authority and the Root CA certificate is self-signed, the Superior Issuing Authority Distinguished Name must exactly match the New Issuing Authority Distinguished Name.
      • For a new Subordinate CA, where the Superior Issuing Authority is either a Root CA or another Subordinate CA of a higher level, the Superior Issuing Authority Distinguished Name must match the Distinguished Name of:

        • a. for Level 1 Subordinate CAs, the Root CA

        b. for Level N Subordinate CA, lower than Level 1, a Subordinate CA of a Level higher
        than N (levels are to be interpreted in a reversed counting order)

      In each of the above instances, the value of the Superior Issuing Authority Distinguished Name must always match the value of the Distinguished Name of the CA that actually signs the new Subordinate CA certificate.


      The Distinguished Name of the Superior Issuing Authority is defined using the following attributes:

              • CA Email Address (E) – as an option
              • Organizational Name (O)
              • Organizational Unit Name (OU)
              • Common Name (CN)
              • Locality (L) – as an option
              • State or Province (S) – as an option
              • Country Name (C)

      Important Note: The country name attribute should be chosen from a list of registered country names, with associated country codes, as defined by the ISO 3166 standard.

Name of New Issuing Authority

PDF [2] The second part of this section lists the Distinguished Name of the New Issuing Authority. The New Issuing Authority is the new CA that you create. There are several common attributes that may be required or optional subject to your preferred choice and regulatory requirements:

    • The Email Address (E) attribute is optional and may represent a valid RFC822 email address, which can be used by certificate subscribers, associated parties, other third parties and legal bodies for S/MIME based communication with the organisation maintaining the CA infrastructure.


    • The Organizational Name (O) attribute must be an Organizational Name. This attribute is your own or your customer’s full and complete company name as registered within applicable national authorities.


    • The Organizational Unit (OU) attribute must be an Organizational Unit Name, to which the CA maintenance has been assigned to.


    • A second OU attribute may be defined and can refer to a Repository Location, where usually all legal documentation, such as Certificate Practice Statement [5] and CP are stored, and is available to the public community.


    • The Common Name (CN) attribute is the nickname for your or your customer’s new CA. For example, it could be ACME Individual Subscriber CA.


    • The Locality Name (L) attribute is optional and represents the City or Town, where your own or your customer’s company is located in. The value of this attribute – if provided – must match the information provided to the appropriate national authorities at the time of the company registration.


    • The State or Province attribute (S) is also optional and represents the State or Province or other name of a recognized area, where your or your customer’s company is located in. The value of this attribute – if provided – must match the information provided to the appropriate national authorities at the time of the company registration.


    • The country name (C) attribute should be chosen from a list of registered country names, with associated country codes, as defined by the ISO 3166 standard and should represent the country in which your or your customer’s company is registered and operates in.



  • Section IV – Certificate Format & Extensions

    • This section specifies the extensions included in the certificate, that define how it is used and also points to the correct CPS that the new Certificate complies with.

    Important Note: The CPS for the CA must include a description of how the CAs are created and formatted.

Key Map

PDF [2] To track the assignment of pre-generated Keys, a Key Map is maintained and updated before and after every Key Ceremony you conduct (see Appendix III for a sample Key Map template). This file contains the following information that is explained in the sub sections below:


1 Issue Date

This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the date of the Key Ceremony and precise UTC time of assignment is entered in this field.


2 Private Key and Cryptographic Device

This field identifies the cryptographic device and the pre-generated (or generated at the beginning of this ceremony) private key residing within your cryptographic device. The device is usually identified by a unique device serial number that the device vendor has assigned to it. If provided by the vendor of your device, you may also enter the integrity key identifier value, that provides an increased level of device identity assurance. As next items in this section, you enter the Common Name and optionally a unique key identifier file name and the checksum byte string of the identifier file for your pre-generated key stored within the cryptographic device. As a last item in this section and if the additional Key Access Component Card based protection was enabled for the generated key, you enter the Name of the Key Access Component Card Set, which was used to protect access to the key. When the key pair is assigned to a new CA, these values will be cross-checked by the appointed Key Ceremony Attendees, to ensure they match the real values, that the Key Ceremony Administrator is using during the ceremony key related activities.


3 Subject DN

This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the Distinguished Name [DN] of the new CA is entered in this field of the spreadsheet.


4 Issuer DN

This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the DN of the Issuing CA is entered in this field of the spreadsheet.


5 req File

This is the name of the file containing the public key and the certification [3] request generated during the Key Ceremony. The request file assigns the CA to a pre-generated key.


6 .x509 File

This field remains blank until the pre-generated key pair is assigned to a new CA. During the Key Ceremony a certificate for the new CA is created and once this is done the name of the certificate file is entered in this field of the spreadsheet.


7 Validity Period

This field remains blank until the pre-generated key pair is assigned to a new CA. During the Key Ceremony a validity period will be assigned to the new CA and is entered here once completed.

Key Map

PDF [2] To track the assignment of pre-generated Keys, a Key Map is maintained and updated before and after every Key Ceremony you conduct (see Appendix III for a sample Key Map template). This file contains the following information that is explained in the sub sections below:


3.11.2.2.1 Issue Date

This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the date of the Key Ceremony and precise UTC time of assignment is entered in this field.


3.11.2.2.2 Private Key and Cryptographic Device

This field identifies the cryptographic device and the pre-generated (or generated at the beginning of this ceremony) private key residing within your cryptographic device. The device is usually identified by a unique device serial number that the device vendor has assigned to it. If provided by the vendor of your device, you may also enter the integrity key identifier value, that provides an increased level of device identity assurance. As next items in this section, you enter the Common Name and optionally a unique key identifier file name and the checksum byte string of the identifier file for your pre-generated key stored within the cryptographic device. As a last item in this section and if the additional Key Access Component Card based protection was enabled for the generated key, you enter the Name of the Key Access Component Card Set, which was used to protect access to the key. When the key pair is assigned to a new CA, these values will be cross-checked by the appointed Key Ceremony Attendees, to ensure they match the real values, that the Key Ceremony Administrator is using during the ceremony key related activities.


3.11.2.2.3 Subject DN

This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the Distinguished Name [DN] of the new CA is entered in this field of the spreadsheet.


3.11.2.2.4 Issuer DN

This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the DN of the Issuing CA is entered in this field of the spreadsheet.


3.11.2.2.5. req File

This is the name of the file containing the public key and the certification [3] request generated during the Key Ceremony. The request file assigns the CA to a pre-generated key.


3.11.2.2.6 .x509 File

This field remains blank until the pre-generated key pair is assigned to a new CA. During the Key Ceremony a certificate for the new CA is created and once this is done the name of the certificate file is entered in this field of the spreadsheet.


3.11.2.2.7 Validity Period

This field remains blank until the pre-generated key pair is assigned to a new CA. During the Key Ceremony a validity period will be assigned to the new CA and is entered here once completed.

Key Access Component Holders

PDF [2] A CA’s private key is a valuable item because its possessor may activate the CA at any time. To protect against any misuse, Key Access Component Card Sets are created and are required to access the private key.

These Card Sets are formed with a defined number of Key Access Component Cards, that are protected with PIN numbers and store encryption key elements [components] necessary to decrypt the private key and gain access to it in order to bring it into online state inside the cryptographic device. Individuals, that posses the Key Access Component Cards used to protect particular keys are called Key Access Component Holders and the organization that owns the CA must track and record accurate information about Key Access Component Cards and Key Access Component Holders so that a complete list maintained at all times.

  • Key Ceremony Script

    • It is essential, that the Key Ceremony produces an unbroken evidentially path demonstrating that every aspect of the certificate generation process occurred in accordance with methods and procedures that comply with regulatory requirements and relevant standards [3]. A sample Key Ceremony Script is available in Appendix IV but be careful to note that this is a sample only and a unique Script should be written for the specific environment, Certificate Practice Statement [5] and CP.

    Sufficient evidentially material must be generated to demonstrate, should such a demonstration be required by law, that proper practices were followed during the ceremony. For this reason, every Key Ceremony is conducted from a written script. To achieve a high degree of confidence, each ceremony step must be witnessed, documented, and certified.

    The specific benefits of using scripts to perform the ceremony include:

    • An increased likelihood that potential errors are identified during a dry run, rather than during the ceremony.
    • The ability to use scripts as reference documents in planning future ceremonies.
    • The support that scripts provide that engenders the trust by end users.
    • The audit trail that scripts provide.

    Important Note: Conduct a practice run any time a new step is introduced and practice this before the actual Key Ceremony. The dry run provides confidence that everything will work on the day of the ceremony. During the practice run, use the naming document and script that have been prepared for the actual Key Ceremony. It is recommended to use test smart cards and hardware that will not be used during the actual Key Ceremony.

  • Video Recording

    • For auditing purposes, Key Ceremonies are recorded by video and sound. The video recording should continuously capture the Operator Cards, Key Access Holders and the ceremony proceedings. Therefore the personnel must be seated to the left or right of the hardware used during the ceremony. All actions and personnel should be visible at all times.

    Once completed, the video recording should be stored with the other Archive Collateral in the Archive Folder.

Archive Collateral

PDF [2] The Key Ceremony Administrator ensures that every Key Ceremony and every ceremony related activity is secure and auditable. This means that there must be an unbroken evidentially path demonstrating that your Certificate system is operated in accordance with the methods and procedures described in your organization’s Certificate Practice Statement [5]. In addition to the witnessed script, video record of key ceremonies and logging protocols provide further documentation of the CA creation process. Each of these is explained in the following sub sections:

Archive Folder

An Archive Folder must be compiled for every Key Ceremony. The folder should include the Naming Document, the witnessed Key Ceremony Script, the Key Access Component Holder Documents, the Attestation Letters and the Key Map. After the ceremony, the Archive Folder is stored in the secure storage area. This Folder and the video recording provide the primary record of all key ceremonies performed by the organization.

The Archive Folder documents the Key Ceremony and provides evidence of the secure manner in which the CA was created. The Archive Folder is divided into three parts as described in the following sub sections:

            1.Naming Document

            2.Key Map

            3.Key Access Component Holder Documents

            4.Attestation Letter


  • Naming Document

    • The Naming document(s) is associated with the CA(s) that were generated using the Key Ceremony Script that was initialed by the witnesses. The Naming Document and Key Ceremony Script are described earlier in this section.

  • Key Map

    • The Key Map document is associated with the CA(s) that were generated using the Key Ceremony Script that was initialed by the witnesses. The Key Map and Key Ceremony Script are described earlier in this section.

  • Key Access Component Holder Documents

    • There is one Key Access Holder Component Document used for each Key Access Component Holder (a dedicated Card Holder within a defined Key Access Component Card Set, that protects access to the private key stored on a cryptographic device), that provides photographic identification of each Key Access Component Holder. The document also contains the date, the name of the CA, the Card Set Name, Card Serial Number, Private Key Common Name and the Key Access Component Holder’s responsibilities as they relate to card he holds. During the distribution event, at the end of the Key Ceremony, all the Key Access Component Holders sign each page of their respective Key Access Component Holder Document to indicate they understand their responsibilities. The document is dated and is initialed by the Key Ceremony Administrator and cross signed by the Notary, or equivalent public official. A sample Key Access Component Holder Document can be seen in Appendix V.

  • Attestation Letter

    • Every step of the Key Ceremony Script is verified by the witnesses and each page of the Script is initialed as it is completed during the ceremony. At the end of the Key Ceremony, the witnesses then sign the Attestation Letter to provide further documentation that the published procedures were followed. The Attestation Letter is dated and initialed by the Key Ceremony Administrator and cross signed by the Notary, or equivalent public official to certify the signatures on the Letter. See the sample Attestation Letter is in Appendix VI.

Preparation

PDF [2] Once everything is defined and understood the preparation for the Key Ceremony can be considered. This involves preparing the people that will attend, the keys that will be generated and the documentation that is required. These are explained in the following sub sections:

            3.11.2.1 Key Ceremony Attendees

            3.11.2.2 Notary Public or Equivalent


    • Key Ceremony Attendees

      • In preparing for the Key Ceremony, personnel from your Customer’s organization must attend. It is essential to remember at all times that Digi-CA™ is a security product. Throughout the entire Key Ceremony and beyond, every action must occur in a manner that conveys that care has been taken to ensure the highest possible level of security.

    • Notary Public or Equivalent

      • A notary public is an official, public witness whose job it is to identify people who are about to sign a document and to witness that signing. A properly credentialed notary public or some person who is authorized by local law to serve as an official, public witness, observes the witness(es) signing the Attestation Letter and then certifies the witnesses’ signatures.



Creation

Once everything necessary to define and prepare for the new CA is completed, the CA is created in a Key Ceremony. This is a set of formal and highly secure procedures that creates a CA. The Root CA should be stored securely and remain in offline state, while Subordinate CAs can be put online for frequent use. There are a number of actions, that should occur on the day of the Key Ceremony and they are explained in the following sub sections:

            1.Key Access Component Retrieval

            2.Pre-Check

            3.Briefing

            4.Ceremony

            5.CA Creation

            6.Conclusion

            7.Post-Check


Access Component

Key Access Component Retrieval

PDF [2] Key Access Component Retrieval is only required if you are using existing Key Access Components from a previous Key Ceremony and this is decided when the Ceremony Script is being written. Existing Key Access Components are needed each time a CA is being created from a previously generated key, if the key was access protected. The Key Access Component Holders must then be present so that the Key Ceremony Administrator and the Key Access Component Holders can enter the safe room together and retrieve the required smart cards containing Key Access Components (key elements necessary to decrypt the private key and bring it online). The Key Access Component Holders will provide their smart cards as required during the Key Ceremony.


Pre-Check

A final check of the Key Ceremony room should be undertaken prior to the arrival of the attending personnel. This could include assisting with the recording equipment, arranging seating and other activities but should always include a check, that the following items are present, will function properly and are usable:

          • Archive Book
          • Key Ceremony Administrator script
          • Key Ceremony Witness script
          • Key Access Components
          • Workstation or a Server
          • Entry/Exit Log (see Appendix VII)



Briefing

Before the ceremony, the Key Ceremony Administrator, or a Digi-Sign Digi-CAST2™ consultant, meets with the attendees and explains what a Key Ceremony is and what will be occurring during the ceremony. The briefing will include:

          • The steps and processes used in creating a CA.
          • The security requirements for the CA (and why they are important).
          • Answer any questions from the participants.



Ceremony

The actual Key Ceremony has several vital components that must be understood by everyone that attends the ceremony. There are four parts to the ceremony and the following sub sections explain the components:

            1.Key Ceremony Introduction
            2.Key Ceremony Script Adherence
            3.Key Ceremony Events
            4.Key Ceremony Conclusion


Introduction

Key Ceremony Introduction

PDF [2] On the day of the ceremony, many people become involved in making the ceremony a success. The following identifies the tasks performed on the ceremony day, the time frame, the responsible party, and other participants involved in each task. The following table shows the responsibilities on the day of the Key Ceremony:

Time Frame Task Responsible Party Other Participants
30 minutes-1 hour before ceremony begins Key Access Component retrieval, Video camera setup Key Ceremony Administrator Key Access Component Holders, access personnel, Videographers
15 minutes before ceremony Final check of the ceremony room Key Ceremony Administrator
15 minutes before ceremony Customer briefing Digi-CAST2™ Consultant or Key Ceremony Administrator Customer
Start of ceremony Ceremony introduction Key Ceremony Administrator Key Ceremony Administrator, Key Access Component Holders, and other ceremony participants
During ceremony Create the customer’s CA(s) Key Ceremony Administrator Key Access Component Holders, witnesses, and customer (optional)
End of ceremony Ensure that all ceremony material is properly distributed Key Ceremony Administrator Key Access Component Holders and access personnel
Immediately after ceremony ends Ensure that the archive book and appropriate key management files are updated and stored Key Ceremony Administrator Access personnel Notary Public

After entering the room, follow these steps:

  • Place the archive book on the Inventory table.
  • Put the script on the table next to the workstation that will be used.
  • Lay out all the storage media so it is visible to the fixed camera.
  • Ensure that the Entry/exit Log Book is accessible to everyone.

Upon successful completion of the final check, the ceremony room is ready for the ceremony participants. Next, make sure all the participants are present and in their proper location. The participants should be arranged as follows:

  • Position the videographer(s) behind the cameras.
  • Seat witnesses next to the workstation where they can verify each step performed.
  • Position the notary public or equivalent official and any other ceremony observers where they do not obstruct the view of the Key Access Holders and witnesses.

    • In preparing to start the ceremony, remember that you represent an organization in which your users must place a high degree of trust. To confirm that their trust in your organization is well placed, your every action must convey the preparation and care taken to ensure the highest possible level of security.

    The introduction part of the Key Ceremony is not a scripted event. It is the responsibility of the Key Ceremony Administrator or Digi-Sign Digi-CAST2™ Consultant, to ensure that everyone in attendance understands what is happening at each stage of the ceremony.

    At the onset of the ceremony, the Key Ceremony Administrator introduces the participants and sets the stage for the ceremony, covering the following points:

  • Point out main features of the ceremony room. Explain that the ceremony facility is equipped with the workstations and other equipment that will be used in the Key Ceremony. And that the hardware includes smart cards, the HSM and the server with the Digi-CA™ installed.
  • The Key Ceremony Administrator explains, that various commands and actions will be executed to perform the functions required for the ceremony. Remind the participants, that a function of the ceremony is to produce sufficient evidentiary materials to demonstrate, that proper practices are followed throughout the ceremony. Therefore, each ceremony step is witnessed, documented, and attested to.
  • To provide additional documentation, ceremonies are videotaped and the Key Ceremony Administrator should explain, that the video(s) will always focuses on the Key Access Holders, smart cards and the other ceremony proceedings. Remind everyone, that the videotape records proprietary processes and copies of the recordings are not provided to anyone.



Script Adherence

PDF [2] The Key Ceremony is a formal procedure in which the CA is created. The security of the procedure must be auditable and evidentially. The ceremony script is the most important tool to ensure compliance [3] with established security procedures. When each ceremony step is documented, witnessed and attested to, you have created your organization’s strongest proof against claims of non-compliance or security compromise. For this reason, the script must be followed exactly as it is written.

During the Key Ceremony, the script will be read aloud for each step. Reading the script aloud helps the ceremony participants follow along, but more importantly, it provides a verbal narrative to accompany the video recording of the event. As each step is completed, the section of the script for that step is initialed by the witnesses.

Important Note: Situations that cause temporarily digression from the script may arise. Any such digression must be thoroughly documented, so that these situations do not compromise the security of the process.

To properly document digressions, notations are made in the script that describe the problem, when it occurred, and what was done to fix the problem. The script is initialed by everyone in attendance.

If the ceremony is particularly long, the participants can take a break from the proceedings. If this occurs, the script has a notation added indicating the time of the break. Another notation indicating the time the proceedings resumed is also made in the script. During the entire break, two trusted employees must remain in the room. The videographers continue recording throughout the break.


Key Ceremony Events

Following the ceremony introduction, the scripted steps to create the CA begin. The script is followed exactly so that the witnesses can initial each and every step as it is performed. The following sub sections describe the ceremony activities that will be in the script:

            1.Initializing Event

            2.Generating Event

            3.Signing Event

            4.Distribution Event


Initialising Event

PDF [2] The initializing event must be built into the script when creating a Root CA or when conducting a Key Generation Ceremony. In the Initializing Event, the Key Access Component Card Set is created (Key Access Component Cards). The Initializing Event provides critical security to protect the private key assigned to the new CA. This event is of paramount importance during the ceremony, and these procedures must be adequately documented in the script.

  • Generating Event

    • When generating request files or keys, the Key Ceremony Administrator must build a generating event into every script prepared. In the generating event, the Cryptographic Operation Control Software (Cryptographic Device Support software and Digi-CA™ PKI [4] Toolkit) generates a request file. At this stage, the Key Access Component Holders provide their smart cards and these are used to activate the offline (previously generated) private and public key pair, that will be assigned to the new CA.

    The Key Access Component Cards allow the activation of the private key within the cryptographic device and enable the device to generate the request file. The request file assigns that key pair to the certificate of the new CA. The Key Map file identifies the Common Name of the pre-generated key, which is to be associated with the new CA.

    The Common Name of the pre-generated key also identifies the CA type. This information enables the Cryptographic Operation Control Software to generate an accurate request file with support of the cryptographic device.

  • Signing Event

    • There must be a signing event in every prepared script, except for Key Generation Ceremony scripts. In the signing event, the Key Access Component Cards are used to activate the signer (the superior issuing authority). The signer is determined by the PKI hierarchy into which the new CA fits:

    • Certificates for Root CAs are self-signed


    • Certificates for Subordinate CAs are signed by the the Root CA or a Subordinate CA of a higher level within the CA hierarchy.


    These Key Access Component Cards enable the signer to sign the certificate of the CA being created. The script should identify the new Distinguished Name, the validity dates, and the extension settings that are provided in the Naming Document. During the ceremony, this information is entered before directing the Cryptographic Operation Control Software to sign the Certificate.

  • Distribution Event

    • The Key Ceremony script must also document the following steps in the distribution event:

    • 1.Distribute the newly created Key Access Component Cards to the Key Access Component Holders.
    • 2.Witnesses sign Attestation Letters indicating that they read the script, observed the ceremony and attest, that the ceremony was performed as described in the script.
    • 3.Key Access Component Holders sign the Key Access Component Holder Document indicating, that they have read, understand and agree to follow the duties and responsibilities of a Key Access Component Holder and that they have witnessed the signature of all the other Key Access Component Holders.
    • 4.Direct the notary or equivalent official, public witness to notarize (certify signatures on) the witnesses’ Attestation Letters.


Key Ceremony Conclusion

PDF [2] The Key Ceremony script then lists the steps that will be performed at the conclusion of the ceremony. Before anyone leaves the room all copies of the signed Key Ceremony Script, the Key Access Component Holder Documents, the Attestation Letters and the Video Recordings must be placed in the Archive Folder and sealed.

At this point, the CA is created but it is not yet activated. This is the next event that occurs after the Key Ceremony and is the CA Activation event.

  • Key Activation

    • After a CA is created, it is ready to be put online by the Digi-Sign Digi-CAST2™ Installation Team. This is done by using the certificate repository folder, that contains the files created during the Key Ceremony. For each CA, a request file (.req) and a certificate (.x509) file are generated. The request file (.req), identifies which pre-generated key pair is assigned to the new CA. The certificate (.x509) file is a binary encoding of the Digital Certificate [6] associated with the new CA. Both of these files include a copy of the public key.

    After the Key Ceremony, the request file and the .x509 file are saved to the certificate repository folder maintained on the computer system. The Digi-CAST2™ Installation Team will then complete the process and bring the new CA online.

  • Key Maintenance

    • Once a CA is put online, it must be maintained. Maintenance activities include archiving CA material in a secure storage area, reactivating the CA in the event of a hardware failure, and tracking revoked and suspended certificates. If there is any possibility that the integrity of the individual CA is no longer verifiable, then the integrity of the entire PKI hierarchy to which it belongs is threatened. Reasons for compromise could include violation of the Certificate Practice Statement [5] by the customer, incorrect CA parameters, or loss or misuse of the CA private key. If any of these occur, your organization is responsible for revoking the CA certificate in order to maintain the integrity of the PKI hierarchy.

    Important Note: If a CA’s certificate is revoked during the maintenance phase that CA cannot be re-certified.

  • Key Recertification

    • Every CA is assigned a validity period. During this period, the CA can issue end entity Certificates. A CA cannot issue a certificate with a validity period that extends beyond its own expiration date. End entity certificates typically have a validity period of one year. Consequently, a CA must be re-certified a minimum of one year before its expiration date. Recertification occurs in a separate Key Ceremony. Fir this reason, your organization must appoint a Key Ceremony Administrator and this/these person(s) must participate in the original Key Ceremony conducted by the Key Ceremony Administrator. Using all of the above collateral and experience, this new Key Ceremony Administrator assumes responsibility for tracking the validity periods of all created CAs and for notifying the appropriate personnel when it is time to re-certify a CA.

Samples & Templates

Text needed here

Specification

Preset Certificate Specification Template

PDF [2] The first component in ensuring a properly configured CA is the naming document. Its formal title is the New Issuing Authority Naming Application. This document contains the information necessary to properly configure a CA:

  • Name of the organization responsible for the new CA.
  • Validity period (or operational period) of the new CA.
  • Distinguished Name of the issuing CA.
  • Subject Distinguished Name of the new CA.
  • Certificate extensions and other certificate content information.



After the Digi-CAST2™ Consultant and the customer have defined the Customer’s CA, the
Digi-CAST2™ Consultant will give you a copy of the completed naming document that has
been signed by both the Digi-CAST2™ Consultant and the Customer. You will use the information in the naming document to create the CA. Detailed information about the naming document is available in Chapter 4, "Key Ceremony Preparation".

Key Ceremony Script

1.Purpose

    PDF [2] We have a requirement, that the generation of new RSA keys and creation of new Certification Authorities (CAs) must be witnessed by a third party auditor and appointed witnesses. We must therefore generate fresh keys which have been witnessed in the prescribed manner and use these keys to create new Certification Authorities (CAs).

    The keys we generate today will be new keys, having no existing keys residing on the HSM device we are about to use during this ceremony. There are therefore no existing keys residing in the HSM device should this note be relevant to any party participating in this ceremony.



2.Background

    We use the nCihper Hardware Security Module devices, model: netHSM 500. These devices are certified to FIPS 140-2 level 2 and 3, and level 3 configuration was chosen for the HSM device we are about to use today during this ceremony.

    It is important to note, that the Key Generation and Certificate Signing operations occur entirely within the HSM device which uses a FIPS 140 approved pseudo random-number generator, which is seeded periodically from a random bit-value accumulator fed with an unpredictable input from an electronic noise source.

    The prime number generator used in RSA key pair generation is entirely within the HSM and is covered by FIPS 140.



3.Key Generation and Certificate Signing Control Software

    Cryptographic Operation Control software: HSM device Support Software and Digi-CA™ PKI [4] System, were both written so that together provide the following capabilities:

    1. Instruct an HSM device to "wipe" all keys from its storage.
    2. Instruct an HSM device to generate [n] x 4096 bits RSA key pairs.
    3. Instruct an HSM device to generate [n] x 2048 bits RSA key pairs.
    4. Instruct an HSM device to write those key pairs in an encrypted format to hard disk.
    5. Create and split the private key encryption keys into encrypted sets, stored on individual PIN protected smart cards, such that the private keys could be accessed, reconstructed and re-imported to a (new) HSM device only using any 3 of the 5 cards from a defined card sets.
    6. Copy the encrypted private key to separate removable media for backup purposes. This process is accomplished using the [Red Hat Enterprise Linux 5.0] operating system tools rather than the Cryptographic Operational Control Software.
    7. Instruct an HSM device to Load or Import encrypted RSA key pairs from hard disk.
    8. Instruct an HSM device to mark all private keys held within itself as non-exportable. This is a default limitation when HSM device is configured to operate in FIPS 140-2 level 3 mode.
    9. Combine 3 (of the original 5) smart cards of private key encryption key fragments (components) to produce and encrypt a set of keys on the HSM device.
    10. Instruct HSM device to load a private key and sign a new certificate data.



The software and the procedures were tested to ensure, that the keys were valid, and that the import and export procedures were working as required.

The source code was examined to ensure that its operation was correct.

Key Map Template

PDF [2]


Issue
Date


Device Serial

Subject Dn

Issue Dn

.req
File

.509
File


Validity Period

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


Initialization Event

Key Access Component Card Set Configuration

    1. PDF [2] An IBM compatible computer (hereafter referred to as "the computer") was set up in a room providing strict personnel access control, security camera monitoring [and electronic isolation from any computer networks].

    2. The computer has a hard disk which has been pre-prepared with a fresh installation of a [Red Hat Enterprise Linux, version 5.0] operating system, the requisite HSM driver, nToken authentication PCI device, HSM device Support Software and the
    Digi-CA™ PKI System, both acting as the Cryptographic Operation Control Software. The software was tested for correct operation prior to the Key Ceremony by using an HSM reserved for backup purposes.

    3. The Key Access Component Cards are going to be distributed to appointed Key Access Component Holders during a later event of this ceremony. It is however important to note, that Key Access Component Holders are the only holders possessing PIN codes necessary to access the data stored on these smart cards. Before this step can be completed, each appointed Key Access Component Holder must now write down their new PIN code on a dedicated PIN paper sheet and put the PIN paper sheet with the written PIN code into an envelope, indicating their full personal name. Each envelope is to be placed on the Inventory Table and remain not sealed for the duration of the entire Key Ceremony. All attending Witnesses must ensure, that Key Access Component Holders are inserting their PIN Code paper sheets into correct envelopes, that indicate their full personal name.
    Key Ceremony Administrator should now place a sufficient number of empty Key Access Component Cards on top of the envelopes containing PIN Code paper sheets. It is important to note, that the video camera should constantly record all activities related to access to the Key Access Component Cards and envelopes containing PIN Code paper sheets.

    The Key Ceremony Administrator is now going to note the new Name for the newly configured Key Access Component Card Set, the Serial Number of each Key Access Component Card, that is about to be used and the details of each Key Access Component Holder (below) in this script. All attending Key Ceremony Witnesses must ensure, that the date entered into the script, the full personal name of each Key Access Component Holder and the Serial Number of the Key Access Component Card they are about to use is correct. They also must place their signature where indicated (below) in this section of the script.

            Date: …………………………………………

            Key Access Component Card Set
            Name: …………………………………………………………………………………………………………………

            Key Access Component Holder #1
            Full Name: …………………………………………………………………………………………………………………
            Card Serial Number: ……………………………………………………………………………………………

            Key Access Component Holder #2
            Full Name: …………………………………………………………………………………………………………………
            Card Serial Number: ……………………………………………………………………………………………

            Key Access Component Holder #3
            Full Name: …………………………………………………………………………………………………………………
            Card Serial Number: ……………………………………………………………………………………………

            Key Access Component Holder #4
            Full Name: …………………………………………………………………………………………………………………
            Card Serial Number: ……………………………………………………………………………………………

            Key Access Component Holder #5
            Full Name: …………………………………………………………………………………………………………………
            Card Serial Number: ……………………………………………………………………………………………


Witnessing Attendees’ Signatures

  • 4. PDF [2] The first HSM device (designated #1) was removed from production and connected to the computer prior to this ceremony and the event was monitored and supervised by an appointed company’s Head of Security.

    • The Cryptographic Operation Control Software is now about to be used to cause the numbered (in section 3 above) operations to occur in the following sequence: 5.

    During this phase of the Key Generation Ceremony, a new Key Access Component Card Set is created and bound to our HSM device security infrastructure. The card set configuration we choose is as follows:

        a. Total number of smart cards in a card set: 5

        b. Minimum number of smart cards required to access the private key: 3

        c. Minimum number of smart cards required to recreate any lost smart card: 3

        d. Minimum number of smart cards required to recover lost PIN codes: 3

        e. Minimum number of smart cards required to recover a private key: 3



    During this step, one of the HSM Security Administrators present at the ceremony will be requested by the Key Generation Ceremony Administrator to insert his Administrator’s Smart Card into the smart card reader interface of the HSM device in order to authorize the creation of a new Key Access Component Card Set. This is required by the HSM device, which operates in FIPS 140-2 level 3 modes.

    Further during step, each appointed (in previous step) Key Access Component Holder will be requested to actively participate in the ceremony. The Key Generation Ceremony Administrator will require each Key Access Component Holder to separately follow the steps below:

        a. Access their PIN envelope, that were previously placed on the Inventory Table

        b. Re-read and memorize their PIN codes, that were previously written on their PIN Code paper sheet

        c. Confirm to memorize their PIN code

        d. Place their PIN Code paper sheet back into their envelope and place the envelope not sealed back on the Inventory Table

        e. Take their smart card from the Inventory Table and when requested by the Key Generation Ceremony Administrator, walk towards the HSM device

        f. When requested by the Key Generation Ceremony Administrator, insert their smart card into the smart card reader interface of the HSM device and when requested by the Key Generation Ceremony Administrator, enter and confirm their memorized PIN Code.

        g. When requested by the Key Generation Ceremony Administrator, remove the smart card from the HSM smart card reader interface and place their smart card back on the Inventory Table on top of their PIN envelope.
        The above sequence of steps will be repeated for each appointed new Key Access Component Holder.
        All attending Witnesses must ensure, that each Key Access Component Holder accesses only their own Key Access Component Card and PIN envelope. They must also ensure, that all PIN Code paper sheets remain in envelopes, which are not sealed, and that relevant Key Access Component Cards reside on the top of each envelope on the Inventory Table at the end of this step.


  • 5. The previous step left the HSM device #1 configured for use with our newly configured Key Access Component Card Set, commonly referred to as Operator Card Set.

    • The new card set will be subsequently used during this ceremony to encrypt and protect access to relevant private keys we are about to generate. The encryption key elements [components] are now stored on each PIN protected Key Access Component Card, which will be required to access newly generated and access protected private keys at any time.

  • 6. The Key Access Component Card Set Configuration is now declared complete.


Controls

PDF [2] During the Key Access Component Card Set Configuration, at least two people from the Key Ceremony Attendees list of personnel were present at all times. No other personnel were permitted access to the room. The Cryptographic Operation Control Software required a PIN code to be entered before the software could communicate with any smart card (holding encryption key component [Key Access Component Card]) used during the Key Access Component Card Set configuration.

5.Generation Event

  • 5.1 Key Generation Ceremony
      • 1. An IBM compatible computer (hereafter referred to as "the computer") was set up in a room providing strict personnel access control, security camera monitoring [and electronic isolation from any computer networks].

      2. The computer has a hard disk which has been pre-prepared with a fresh installation of a [Red Hat Enterprise Linux, version 5.0] operating system, the requisite HSM driver, nToken authentication PCI device, HSM device Support Software and the Digi-CA™ PKI [4] System, both acting as the Cryptographic Operation Control Software. The software was tested for correct operation prior to the Key Generation Ceremony by using an HSM reserved for backup purposes.

      3. The first HSM device (designated #1) was removed from production and connected to the computer prior to this ceremony and the event was monitored and supervised by an appointed company’s Head of Security. The Cryptographic Operation Control Software is now about to be used to cause the numbered (in section 3 above) operations to occur in the following sequence:

      9, 2, 4, 3, 4, 6, 6, 6.

      During this step, the Key Generation Ceremony Administrator will capture and store any relevant informational output produced on the computer screen by the Cryptographic Operation Control Software in the Key Map Document.

      Also during this step, the Key Generation Ceremony Administrator will require any 3 (three) Key Access Component Holders from the previously created Key Access Component Card Set, to separately follow the steps below:

          a. Access their PIN envelope, that were previously placed on the Inventory Table

          b. Re-read and memorize their PIN codes, that were previously written on their PIN Code paper sheet

          c. Confirm to memorize their PIN code

          d. Place their PIN Code paper sheet back into their envelope and place the envelope not sealed back on the Inventory Table

          e. Take their smart card from the Inventory Table and when requested by the Key Generation Ceremony Administrator, walk towards the HSM device

          f. When requested by the Key Generation Ceremony Administrator, insert their smart card into the smart card reader interface of the HSM device and when requested by the Key Generation Ceremony Administrator, enter their memorized PIN Code.

          g. When requested by the Key Generation Ceremony Administrator, remove the smart card from the HSM smart card reader interface and place their smart card back on the Inventory Table on top of their PIN envelope.
          The above sequence of steps will be repeated for the number of Key Access Component Holders that are selected by the Key Generation Ceremony Administrator.
          All attending Witnesses must ensure, that each Key Access Component Holder accesses only their own Key Access Component Card and PIN envelope. They must also ensure, that all PIN Code paper sheets remain in envelopes, which are not sealed, and that relevant Key Access Component Cards reside on the top of each envelope on the Inventory Table at the end of this step.

Controls & Generation Events

Key Generation Ceremony

  • 4. PDF [2] The previous step left the HSM device #1 configured for use with our newly generated keys.
      • The encrypted private keys are now stored securely within an encrypted key repository on the hard disk within the computer, as well as on the removable media. Only the HSM device holding decryption keys for the particular key repository is able to decrypt the repository data. Further decryption process is also required to bring keys to an online state. The latter applies to particular keys, that we protected with additional encryption key during the key generation phase.

      The encryption key elements [components] are stored on several PIN protected smart cards, herein referred to as "Key Access Component Cards", which are required to access these keys at any time. The smart cards are currently visible on the Inventory Table and during the later phase of this ceremony will be distributed to the Key Access Component Holders, who are the only holders possessing PIN codes necessary to access the data stored on these smart cards.

      We note, that there is no need to delete our encrypted keys from the hard disk within the computer as these keys are strongly encrypted by the HSM device and additional encryption key, that was divided into key elements (components) within a key set. If the key repository data was stolen, it would be useless without the HSM decryption key and additional encryption key elements (components) distributed to Key Access Component Holders inside the PIN protected Key Access Component Cards. The encrypted keys stored within the repository are in offline state and the computer with the hard drive storing the encrypted repository data will be kept safe in an isolated room with strict personnel and network access controls in place as well as video camera monitoring maintained 24 hours per day throughout the year.


  • 5. We will now generate checksum bytes, that will uniquely identify the encrypted private key data stored both on the hard disk and on the backup media disks.
      • For this purpose, we will use an Operating System tool [sha1sum]. The Key Ceremony Administrator will now sequentially, using the Key Map Document, read the file names and file system paths for each generated private key, generate the checksum bytes calculated on private keys stored inside the repository as well as on the backup media and note the checksum byte strings (below) in this script.

      All witnesses attending this part of the ceremony must ensure, that the date entered into this script is correct and the checksum values presented on the computer screen upon sequential execution of the checksum calculation commands, that are performed on private key data stored inside the repository as well as on the backup media, and the values written below by the Key Ceremony Administrator, exactly match. They also must place their signatures where indicated (below) in this section of the script.

          Date: …………………………………………

          Key 1
          Common Name: ………………………………………………………………………………………………………
          Checksum: …………………………………………………………………………………………………………………

          Key 2
          Common Name: ………………………………………………………………………………………………………
          Checksum: …………………………………………………………………………………………………………………

          Key N
          Common Name: ………………………………………………………………………………………………………
          Checksum: …………………………………………………………………………………………………………………
          Witnessing Attendees’ Signatures:

Generation Events

Key Generation Ceremony

  • 6. PDF [2] The removable media disks holding backup copies of our keys will now be separated placed into sealed envelopes and sent to be held at separate bank deposit facilities immediately after this ceremony.
      • We note, that each media disk was removed from this computer sequentially for storage purposes in each of the indicated storage facilities.


  • 7. The Key Generation Ceremony is now declared complete.


Controls

    During the Key Generation Ceremony, at least two people from the Key Ceremony Attendees list of personnel were present at all times. No other personnel were permitted access to the room. The Cryptographic Operation Control Software required a PIN code to be entered before the software could communicate with any smart card (holding encryption key component [Key Access Component Card]) used during the Key Generation Ceremony.


6. Signing Event

  • 6.1 Root CA Signing
      • 1. An IBM compatible computer (hereafter referred to as "the computer") was set up in a room providing strict personnel access control, security camera monitoring [and electronic isolation from any computer networks].


      2. The computer has a hard disk which has been pre-prepared with a fresh installation of a [Red Hat Enterprise Linux, version 5.0] operating system, the requisite HSM driver, nToken authentication PCI device, HSM device Support Software and the
      Digi-CA™ PKI [4] System, both acting as the Cryptographic Operation Control Software. The software was tested for correct operation prior to the Key Ceremony by using an HSM reserved for backup purposes.


      3. The hard disk installed in the computer contains an encrypted key repository, from which we will load necessary private keys into a securely protected operational memory of our HSM device.


      4. The first HSM device (designated #1) was removed from production and connected to the computer prior to this ceremony and the event was monitored and supervised by an appointed company’s Head of Security. The Cryptographic Operation Control Software is now about to be used to cause the numbered (in section 3 above) operations to occur in the following sequence: 10.

      During this step, the Key Ceremony Administrator, using the Cryptographic Operation Control Software, will create new self-signed Root CA Certificate and assign it to a dedicated private key that was previously generated during this ceremony.

      To complete this process, the Key Ceremony Administrator will use a Naming Document, that contains the details of the new Root CA Certificate we are about to sign, to create a certificate profile configuration file, containing various certificate related information such as: Subject Distinguished Name, Validity Period, Signature Algorithm, Certificate Serial Number and Certificate extensions. The certificate profile configuration file will be used by the Cryptographic Operation Control Software to create the new Root CA certificate.

      All attending Witnesses must ensure, that the certificate details entered into the certificate profile configuration file by the Key Ceremony Administrator, match the details contained in the Naming Document used during this ceremony. The new Root CA Certificate details must be taken from the section of the Naming Document specifically dedicated for the correct Root CA, for which the Root CA Certificate is created.

      Key Ceremony Administrator will capture and store during this step any relevant informational output produced on the computer screen by the Cryptographic Operation Control Software in the Key Map Document.
      Upon directing the Cryptographic Operation Control Software to sign the new Root CA Certificate, the dedicated private key will need to be loaded to the HSM securely protected operational memory.


Component Holders

Root CA Signing

PDF [2] 4. Since the private key we are about to use is encrypted and access protected, the Key Ceremony Administrator will require any 3 (three) Key Access Component Holders from the previously created Key Access Component Card Set, to separately follow the steps below:

    a. Access their PIN envelope, that were previously placed on the Inventory Table

    b. Re-read and memorize their PIN codes, that were previously written on their PIN Code paper sheet

    c. Confirm to memorize their PIN code

    d. Place their PIN Code paper sheet back into their envelope and place the envelope not sealed back on the Inventory Table

    e. Take their smart card from the Inventory Table and when requested by the Key Generation Ceremony Administrator, walk towards the HSM device

    f. When requested by the Key Generation Ceremony Administrator, insert their smart card into the smart card reader interface of the HSM device and when requested by the Key Generation Ceremony Administrator, enter their memorized PIN Code.

    g. When requested by the Key Generation Ceremony Administrator, remove the smart card from the HSM smart card reader interface and place their smart card back on the Inventory Table on top of their PIN envelope.

The above sequence of steps will be repeated for the number of Key Access Component Holders, that are selected by the Key Ceremony Administrator.

All attending Witnesses must ensure, that each Key Access Component Holder accesses only their own Key Access Component Card and PIN envelope. They must also ensure, that all PIN Code paper sheets remain in envelopes, which are not sealed, and that relevant Key Access Component Cards reside on the top of each envelope on the Inventory Table at the end of this step.

Furthermore, all Witnesses must ensure, that the correct private key is used during this step. This can be achieved by cross-checking whether the private key identifier file name along with the file system path, are both entered correctly by the Key Ceremony Administrator in the command prompt. These must match the private key details stored in the Key Map Document. The private key should be dedicated for use only with the new Root CA we created today hence the cross-check.


5. The previous step left the private key used to sign the newly created Root CA Certificate offline. It also permanently associated that private key with the new Root CA we created.


6. The Root CA Signing is now declared complete.

Subordinate CA Signing

    1. PDF [2] An IBM compatible computer (hereafter referred to as "the computer") was set up in a room providing strict personnel access control, security camera monitoring [and electronic isolation from any computer networks].


    2. The computer has a hard disk which has been pre-prepared with a fresh installation of a [Red Hat Enterprise Linux, version 5.0] operating system, the requisite HSM driver, nToken authentication PCI device, HSM device Support Software and the Digi-CA™ PKI [4] System, both acting as the Cryptographic Operation Control Software. The software was tested for correct operation prior to the Key Ceremony by using an HSM reserved for backup purposes.


    3. The hard disk installed in the computer contains an encrypted key repository, from which we will load necessary private keys into a securely protected operational memory of our HSM device.


    4. The first HSM device (designated #1) was removed from production and connected to the computer prior to this ceremony and the event was monitored and supervised by an appointed company’s Head of Security. The Cryptographic Operation Control Software is now about to be used to cause the numbered (in section 3 above) operations to occur in the following sequence: 10.

    During this step, the Key Ceremony Administrator, using the Cryptographic Operation Control Software, will create new Subordinate CA and assign it to a dedicated private key that was previously generated during this ceremony. The newly created Subordinate CA will be signed by the Root CA that was created earlier during this ceremony.

    To complete this process, the Key Ceremony Administrator will use a Naming Document, that contains the details of the new Subordinate CA we are about to sign, to create a certificate profile configuration file, containing various certificate related information such as: Subject Distinguished Name, Validity Period, Signature Algorithm, Certificate Serial Number and Certificate extensions. The certificate profile configuration file will be used by the Cryptographic Operation Control Software to create the new Subordinate CA certificate.

    All attending Witnesses must ensure, that the certificate details entered into the certificate profile configuration file by the Key Ceremony Administrator, match the details contained in the Naming Document used during this ceremony. The new Subordinate CA Certificate details must be taken from the section of the Naming Document specifically dedicated for the correct Subordinate CA, for which the Subordinate CA Certificate is created.
    Key Ceremony Administrator will capture and store during this step any relevant informational output produced on the computer screen by the Cryptographic Operation Control Software in the Key Map Document.

Key Access Component Holders

  • PDF [2] Upon directing the Cryptographic Operation Control Software to sign the new Subordinate CA Certificate, the private key of the Root CA will need to be loaded to the HSM securely protected operational memory.
      • Since the private key of the Root CA we are about to use is encrypted and access protected, the Key Ceremony Administrator will require any 3 (three) Key Access Component Holders from the previously created Key Access Component Card Set, to separately follow the steps below:

        a. Access their PIN envelope, that were previously placed on the Inventory Table

        b. Re-read and memorize their PIN codes, that were previously written on their PIN Code paper sheet

        c. Confirm to memorize their PIN code

        d. Place their PIN Code paper sheet back into their envelope and place the envelope not sealed back on the Inventory Table

        e. Take their smart card from the Inventory Table and when requested by the Key Generation Ceremony Administrator, walk towards the HSM device

        f. When requested by the Key Generation Ceremony Administrator, insert their smart card into the smart card reader interface of the HSM device and when requested by the Key Generation Ceremony Administrator, enter their memorized PIN Code.

        g. When requested by the Key Generation Ceremony Administrator, remove the smart card from the HSM smart card reader interface and place their smart card back on the Inventory Table on top of their PIN envelope.



      The above sequence of steps will be repeated for the number of Key Access Component Holders, that are selected by the Key Ceremony Administrator.

      All attending Witnesses must ensure, that each Key Access Component Holder accesses only their own Key Access Component Card and PIN envelope. They must also ensure, that all PIN Code paper sheets remain in envelopes, which are not sealed, and that relevant Key Access Component Cards reside on the top of each envelope on the Inventory Table at the end of this step. Furthermore, all Witnesses must ensure, that the correct Root CA private key is used during this step. This can be achieved by crosschecking whether the private key identifier file name along with the file system path, are both entered correctly by the Key Ceremony Administrator in the command prompt. These must match the Root CA private key details stored in the Key Map Document. The correct Root CA private key should be used hence the crosscheck.


  • 5. The previous step left the Root CA private key used to sign the newly created Subordinate CA Certificate offline.

    • It also permanently associated an existing private key, that was generated earlier during this ceremony with the new Subordinate CA we created.

  • 6. The Subordinate CA Signing is now declared complete.


      • Controls

      During the Signing Event, at least two people from the Key Ceremony Attendees list of personnel were present at all times. No other personnel were permitted access to the room. The Cryptographic Operation Control Software required a PIN code to be entered before the software could communicate with any smart card (holding encryption key component [Key Access Component Card]) used during the Signing Event.

Distribution Event

  • Key Access Component Card Distribution
      • PDF [2] During this phase of the ceremony, the Key Ceremony Administrator will request each Key Access Component Card Holder to place their Key Access Component Cards in their PIN envelopes place the envelopes sealed on the Inventory Table.


  • Key Access Component Holder Document Signing
      • During this phase of the ceremony, the Key Ceremony Administrator will request each Key Access Component Holder to sign the Key Access Component Holder Document indicating, that they have read, understand and agree to follow the duties and responsibilities of a Key Access Component Holder and that they have witnessed the signature of all the other Key Access Component Holders.


  • Key Map Document Signing
      • During this phase of the ceremony, all attending Witnesses will sign the Key Map Document indicating, that this was the actual document used during the ceremony and it was completed with accordance to the script.


  • Naming Document Signing
      • During this phase of the ceremony, all attending Witnesses will sign the Naming Document indicating, that this was the actual document used during the ceremony with accordance to the script to create our new CA hierarchy.


  • Attestation Letter Signing
      • During this phase of the ceremony, all attending Witnesses will sign Attestation Letters indicating, that they read the script, observed the ceremony and attest, that the ceremony was performed as described in the script.


  • Key Ceremony Script Signing
      • During this phase of the ceremony, all attending Witnesses will sign the Key Ceremony Script document indicating, that this was the actual document used during the ceremony w to create our new CA hierarchy.


  • Signature Certification
      • During this phase of the ceremony, the Key Ceremony Administrator will direct the official representative of the Government, to notarize (certify signatures on) the witnesses’ Attestation Letters.


Conclusion

8. Key Ceremony Conclusion

  • PDF [2] All copies of the signed Key Ceremony Script are now going to be placed in the Archive Folder.
  • All copies of Attestation Letters are now going to be placed in the Archive Folder.
  • All copies of Key Access Component Holder Documents are now going to be placed in the Archive Folder.
  • The Key Map Document is now going to place in the Archive Folder.
  • The Naming Document is now going to place in the Archive Folder.
  • The camera operator will now stop the recording and all Video Recordings are now going to be placed in the Archive Folder.
  • The Archive Folder is now going to be sealed.
  • The Head of Security will now take the sealed Archive Folder and place it in a safe in a dedicated access protected cabinet.
  • The Head of Company’s Security will now direct all Key Access Component Holders to take their envelopes containing PIN Code paper sheets and Key Access Component Cards and place these securely in a safe in separate access protected cabinets.
  • All hardware equipment, including the HSM device and the computer will be taken from this room after this ceremony and installed back in the production environment in a dedicated access protected and video camera monitored room.
  • After the ceremony is complete, the Digi-Sign Digi-CAST2™ installation team will proceed to the CA Activation event, which will be monitored and supervised by the Head of Company’s Security. The CA Activation Event is not a part of this ceremony and may be performed at a different date.
  • The Key Ceremony is now declared complete.



9. Key Ceremony Attendees Present

Name Title Company Signature

[This page printed blank to allow notes to be made]

Component Holder Document

Appendix V – Key Access Component Holder Document

PDF [2] I am:

    CA Organization Shareholder’s Name:

    _______________________________________________________________________
    CA Owner Organization Name:

    ___________________________________________________________
    CA Owner Organization’s Address:

    ___________________________________________________________
    CA Owner Organization’s Telephone Number:

    ___________________________________________________________

        Passport:
        ID Card:
        Other (specify___________)
        No:____________________


I confirm that I am in receipt of the following Component(s):

Description Details:

_________________________________________________________________________

_________________________________________________________________________


I confirm that:

      I have understand that I am an official Component Receipt Shareholder.

      I must keep my Component information secret.

      I will only reveal my Component information at scheduled Key Ceremony events.

Under penalties of perjury, I declare to the best of my knowledge and belief, that the information I have provided is true, correct, and complete.

Signature: ___________________________________ Date: ____________________


I attest that:

      I have validated the identity of this Key Access Component Holder

      Under penalties of perjury, I declare to the best of my knowledge and belief, that the information I have provided is true, correct, and complete.

      Notary Signature: _____________________________ Date:____________________

Attestation Letter

Appendix VI – Attestation Letter

PDF [2] I am:

      A Certified Public Notary
      An Attorney
      An Official Public witness


    Name:

    _______________________________________________________________________

    Organization Name:

    ___________________________________________________________

    Organization Address:

    ___________________________________________________________

    Telephone Number: ___________________________________________________________


    Professional License and/or Association Number(s):_________________________

This letter of attestation is being provided on behalf of the following entity:

    CA Owner Organization’s Name:

    ________________________________________________________________

    CA Owner Organization’s Address:

    ________________________________________________________________

    CA Owner Organization’s Telephone Number:

    ________________________________________________________________



I attest that:

      I have read the attached Key Ceremony Script
      I have verified the identity of the Digi-CAST2™ Key Ceremony Administrator
      I have validated the identity of each witness attendee
      I have validated the identity of each shareholder attendee
      I have validated the identity of each observer attendee
      I have observed the Key Ceremony
      I have observed all the attendees of the Key Ceremony
      The Key Ceremony was performed as described in the attached Script
      I have certified the signed Component Receipt Documents
      I have certified the sealed Archive Folder



Under penalties of perjury, I declare to the best of my knowledge and belief, that the information I have provided is true, correct, and complete.

Signature: ___________________________________ Date: ____________________

Notary Signature: _____________________________ Date: ____________________


Appendix III – Entry/Exit Log

      CA Owner Organization’s Name:

      ________________________________________________________________

      CA Owner Organization’s Address:

      ________________________________________________________________

      CA Owner Organization’s Telephone Number:

      ________________________________________________________________


Source URL: http://www2.digi-sign.com/compliance/key%20ceremony/index

Links:
[1] https://www.digi-sign.com/downloads/download.php?id=digi-ca-admin-pdf
[2] http://www2.digi-sign.com/downloads/digi-ca-admin-manual
[3] http://www2.digi-sign.com/compliance/introduction
[4] http://www2.digi-sign.com/public+key+infrastructure
[5] http://www2.digi-sign.com/repository/certificate+practice+statement
[6] http://www2.digi-sign.com/digital+certificate