Context
PARSEC is currently in the midst of a major expansion, thanks to research and development funding from the French government's stimulus package and BPI France (more details here https://parsec.cloud/retour-sur-notre-projet-parsec-event-horizon-laureat-de-laap-national-sur-les-technologies-innovantes-cyber/).
With this in mind, PARSEC is now compatible with key management infrastructures (PKI), and offers several enrolment procedures to facilitate synchronization with enterprise directory infrastructures (LDAP/AD) for easy deployment.
The enrolment stage
Parsec enrolment is a key stage (see https://parsec.cloud/sas-single -authentification-string/) where sensitive cryptographic secrets are exchanged.
This step is carried out synchronously between a guest and an administrator. It is necessary for both parties to be connected at the same time and to communicate via a third-party channel, to ensure that the exchange channel is secure and to certify the identity of the enrolled person.
Itis via this peer-to-peer coiling mechanism that a chain of trust is built.
This step can become laborious when parsec is deployed on a large scale because it requires as many enrollments as users, but more importantly, the users must be connected at the same time as the administrator. On the other hand, it offers strong security guarantees, as this system is completely independent and does not require a certification body (for enrolment or even for establishing secure channels).
Use of a PKI.
To facilitate the invitation procedure and enable enrolment via smart card or corporate directory, it is necessary to delegate some of the tasks and security guarantees performed during SAS code enrolment to a PKI certificate and key management infrastructure.
PKI enrolment should be as close as possible to the SAS code procedure, which enables..:
- establish a secure channel
- certify the user's identity via a third-party channel
- secure exchange of cryptographic keys and secrets (user key, organization's public root key, etc.)
PKI infrastructure must now be considered as trusted. This infrastructure enables user profiles to be certified and validated using certificates (type X509).
Certification authority.
This infrastructure is external to the PARSEC project, and is considered a trusted infrastructure. The certification authority issues certificates to users. These certificates contain cryptographic keys (which can be used to sign data) and the user's identity (which cannot be modified).
This certification authority is also able to produce files allowing to validate the certificates and to ensure the origin and the authenticity of the certificates (file for a validation authority)
Validation authority
The role of the validation authority is to verify the certificates used to submit an enrolment request. Administrators of a PARSEC organization now take on the role of validation authority, checking enrolment requests against the identity information contained in the certificates. In addition, the administrator has access to the validation files supplied by the certification authority to check the validity of the certificates (and make sure they come from the right authority).
Asynchronous enrolment procedure
From the user's point of view, the enrolment procedure is as follows:
- A new user decides to submit an invitation request to join a PARSEC organization. He uses his certificate and sends the request
- The request is stored in the PARSEC metadata server
- A PARSEC administrator sees all requests to join the organization. The certificates of the requests are validated (validation authority) on the administrator's workstation with the information from the certification authority.
- If the certificate for a request is valid, the administrator can accept (and specify the role) or deny the request.
- The new user logs in later and sees that his request has been accepted. He can now use his certificate to identify himself.
The encryption and user signature keys are always generated by Parsec on the client workstation. Certificates are only used to verify the user's identity, sign requests and certify the origin of the request (verification carried out later via SAS code by connecting the guest to the administrator via a third-party channel). The administrator also possesses a certificate, enabling the guest to be sure that the information transmitted to him really does come from an administrator registered on the same PKI. The administrator can also sign enrolment responses, guaranteeing that the information transmitted to the guest is correct.
Conclusion
Parsec can now be coupled with PKIs to simplify the enrolment process. The PKI must supply X509 certificates, which are used to secure enrolment and guarantee the identity of players. Certificates can be stored on IGC-type smartcards (smart cards or USB tokens used by government departments). This new enrolment system no longer requires a guest and an administrator to be connected at the same time, as Parsec now stores all enrolment requests and enables them to be validated asynchronously.
Both enrolment procedures can co-exist within the same organization, so it's always possible to enrol someone synchronously, without a trusted third party (PKI).
