Context
PARSEC is evolving through a research and development project funded under the French stimulus plan and by BPI France (more details here: https://parsec.cloud/retour-sur-notre-projet-parsec-event-horizon-laureat-de-laap-national-sur-les-technologies-innovantes-cyber/).
As part of this work, PARSEC is now compatible with public key infrastructures (PKI) and offers several enrolment procedures that ease synchronization with enterprise directories (LDAP/AD) for straightforward deployment.
The enrolment stage
Parsec enrolment is a key step (see https://parsec.cloud/sas-single-authentification-string/) during which sensitive cryptographic secrets are exchanged.
This step is performed synchronously between a guest and an administrator. Both parties must be connected at the same time and communicate over a third-party channel, which both secures the exchange channel and certifies the identity of the enrollee.
It is through this peer-to-peer mechanism that the chain of trust is built.
This step can become laborious when Parsec is deployed at scale: it requires as many enrolments as there are users and, more importantly, each user must be connected at the same time as the administrator. On the other hand, it offers strong security guarantees, as the mechanism is completely self-contained and does not depend on a certification authority (neither for enrolment nor for establishing secure channels).
Use of a PKI
In order to simplify the invitation procedure and to allow enrolment with PKI smart cards or through an enterprise directory, part of the tasks and security guarantees that the SAS-code enrolment provides must be delegated to a certificate and key management infrastructure (PKI).
PKI enrolment should stay as close as possible to the SAS-code procedure, which:
- establishes a secure channel
- certifies the user's identity via a third-party channel
- allows keys and cryptographic secrets (user key, root public key of the organization...) to be exchanged securely
The PKI must therefore be considered trusted. It certifies and validates user profiles through the use of X.509 certificates.
Certification authority
This infrastructure is external to the PARSEC project and is treated as trusted. The certification authority issues certificates to users. Each certificate contains cryptographic key material (which can be used to sign data) together with the user's identity, which cannot be modified.
This certification authority can also produce the files needed to validate certificates and to confirm their origin and authenticity (the files used by a validation authority).
Validation authority
The role of the validation authority is to verify the certificates used to submit an enrollment request. Administrators of a PARSEC organization now take on the role of the validation authority, checking enrollment requests against the identity information contained in the certificates. In addition, the administrator has access to the validation files provided by the certificate authority to check the validity of the certificates (and ensure that they are from the correct authority).
Asynchronous enrolment procedure
From a user point of view, the enrolment procedure is as follows:
- A new user decides to submit an invitation request to join a PARSEC organization. He uses his certificate to sign the request and sends it.
- The request is stored on the PARSEC metadata server.
- A PARSEC administrator sees all requests to join the organization. The certificates attached to the requests are validated (validation authority role) on the administrator's workstation, using the information provided by the certification authority.
- If the certificate of a request is valid, the administrator can accept the request (and specify the role) or deny it.
- The new user logs in later and sees that the request has been accepted. He can now use his certificate to identify himself.
The encryption and signature keys of the user are always generated by Parsec on the client machine. The certificates are only used to verify the user's identity, sign the requests and certify their origin (the verification otherwise performed via the SAS code, by connecting the guest to the administrator through a third-party channel). The administrator also holds a certificate, which lets the guest make sure that the information sent to him comes from an administrator registered on the same PKI. The administrator can therefore sign the enrolment responses and guarantee that the information transmitted to the guest is correct.
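The asynchronous exchange described above, as an added illustration written with the Go standard library; it is not Parsec's own code and does not reproduce Parsec's message formats. The toy CA, the names (alice@example.test, admin@example.test), the role string STANDARD and the functions issue, validate and Enrol are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue is the toy certification authority (constructed names): with parent == nil it returns a self-signed root CA.
func issue(cn string, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature} // users and administrators sign requests and replies
	if t.IsCA {
		t.KeyUsage, parent, pkey = x509.KeyUsageCertSign, t, key // the root only signs certificates
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validate is the validation-authority step (admin on a stored request, guest on the reply): chain the sender's certificate to the trusted CA, then verify sig over msg; the identity returned is the certified one, never a claim in msg.
func validate(roots *x509.CertPool, cert *x509.Certificate, msg, sig []byte) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err // unknown CA, expired or not a leaf: refused before any identity is read from it
	}
	if !ed25519.Verify(cert.PublicKey.(ed25519.PublicKey), msg, sig) {
		return "", errors.New(cert.Subject.CommonName + ": signature does not match certificate")
	}
	return cert.Subject.CommonName, nil
}

// Enrol runs the asynchronous exchange: the guest signs a request carrying a Parsec public key generated on its own machine; later the admin validates it and signs a role decision; later still the guest validates that reply.
func Enrol(roots *x509.CertPool, ca *x509.Certificate, caKey ed25519.PrivateKey) (string, string, error) {
	guestCert, guestKey := issue("alice@example.test", 2, ca, caKey)
	adminCert, adminKey := issue("admin@example.test", 3, ca, caKey)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader) // the user key pair never leaves the client
	guest, err := validate(roots, guestCert, userPub, ed25519.Sign(guestKey, userPub)) // the stored request
	if err != nil {
		return "", "", err
	}
	decision := []byte("accepted " + guest + " with role STANDARD")
	admin, err := validate(roots, adminCert, decision, ed25519.Sign(adminKey, decision))
	return guest, admin + ": " + string(decision), err
}
```

The same validate step rejects a certificate issued by a CA the organization does not trust and a reply whose signature does not match the administrator's certificate, which is what makes the stored request safe to process without both parties being online.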
Conclusion
It is now possible to couple Parsec with a PKI to simplify the enrolment process. The PKI must provide X.509 certificates, which are used to secure enrolment and guarantee the identity of the actors. The certificates can be stored on smart cards or USB tokens (as used in government departments). This new enrolment procedure does not require the guest and the administrator to be connected at the same time: Parsec now stores all enrolment requests and lets them be validated asynchronously.
Both enrolment procedures can coexist within the same organization, so it remains possible to enrol someone synchronously, without a trusted third party (the PKI).