1. National Center for Supercomputing Applications University of Illinois at Urbana-Champaign NCSA Two Factor CA Jim Basney (jbasney@illinois.edu) jbasney@illinois.edu Adam Slagell (slagell@illinois.edu) slagell@illinois.edu Feb. 9, 2012

2. Need for another NCSA CA New Blue Waters system requires two- factor authentication (a new requirement at NCSA) Certificates accepted for Blue Waters login must come from a CA that also uses two- factor authentication Existing software only supports all-or-nothing CA trust (versus checking policy OIDs) IGTF accreditation required for XSEDE interoperability Not all Blue Waters users are XSEDE users (and vice versa)

3. Familiar CA architecture Same as existing NCSA SLSC CA but uses RSA SecurID tokens instead of Kerberos passwords Same user database and operational environment RSA PINs same complexity as Kerberos Tokens from new manufacturing process, post RSA breach

4. Familiar identity vetting process NCSA staff vetted through employee database PIs who are getting allocations are few and carefully vetted >70% of these come from NSF directly through the PRAC process Verified address through NSF Fastlane Other PIs either come through a peer-review process for Great Lakes Consortium (www.greatlakesconsortium.org) or are special NCSA collaborators NCSA sponsors must verify addresses For UIUC allocations, we have verified addresses through HR system There are no unsponsored projects or unsolicited requests for allocations In all cases, we have verified addresses for the PIs (~100 over the system’s lifetime, 20-40 initially)

5. How RSA tokens are delivered Two options: In person By postal mail

6. Getting tokens in person Must show government ID (e.g., state driver’s license) to NCSA allocations staff NCSA activates token and binds to NCSA account Users are also given their initial PIN, which is used in case they want to change their passcode, reset the token, or activate the replacement token

7. PIs getting tokens by postal mail Once a sponsor or a committee (e.g., PRAC or GLPC) decides to give a new account, the PI is sent an email Email has a link with a nonce that can be clicked once and expires in 1 week The PI clicks on the link which presents them with the PI agreement and user AUP which they must accept The token and initial PIN is mailed to the verified address PIs must save their initial PIN if they ever want to reset the token or change their passcode The PI receives the token and uses the initial PIN to activate it and set a passcode NCSA sends email to the PI alerting them of activation and passcode changes

8. Other users getting tokens by postal mail We delegate user identity vetting to PIs (like with other NCSA CAs) Once PIs have tokens, they can request tokens for additional users through a web portal PI provides user’s name & email address NCSA sends email with a unique one use URL (expires in 1 week) to the new user to begin the account creation process User clicks on link to accept AUP and submit postal address NCSA sends email to the PI containing a URL for verifying the user’s information PI must log in to the portal with RSA token PI must verify the user’s postal address to prevent mistakes and interceptions (e.g., wrong John Smith) of the original email Once the PI validates the address, the token is mailed to the user The user follows the same steps as the PI to activate the token A confirmation email is sent to the user upon successful activation

9. Ready for CP/CPS and Operational Review https://security.ncsa.illinois.edu/CA/ CP/CPS in RFC 3647 format CA certificate, signing policy file, CRL Example user certificate CA DN /C=US/O=National Center for Supercomputing Applications /OU=Certificate Authorities/CN=Two Factor CA EEC DNs (same as other IGTF accredited NCSA CAs) /C=US/O=National Center for Supercomputing Applications /CN=FirstName LastName Serial# OIDs 1.3.6.1.4.1.4670.100.4.8 (NCSA Two Factor CA) 1.2.840.113612.5.2.2.3 (Short-Lived Credential Services) 1.2.840.113612.5.2.3.2.1 (Identity Vetting by a Trusted Third Party) 1.2.840.113612.5.2.3.1.2 (Key material held in files)