Bootstrapping SCION CP PKI¶
This user guide focuses on bootstrapping the cryptographic material that is required to create a Trust Root Configuration (TRC). The target audience is representatives of voting members or Root Certificate Authorities (CA) of the ISD.
Tip
Use the TRC Ceremony Builder to create a script for the TRC signing ceremony and its preparation.
We start with some background information on the TRC and its participants. Refer to the requirements for the necessary actions during the TRC signing ceremony. You can also refer to the voting member or CA checklist to quickly verify that you have the necessary requirements in place.
Background¶
Relying parties in the SCION Control Plane PKI anchor their trust in the TRC of an ISD. The TRC contains information about the ISD parameters, the Root Certificates of all the trusted CAs of the ISD, and the voting certificates that are used to verify TRC updates.
When founding a new ISD, the voting members and Root CAs need to take part in a TRC base signing ceremony and create the TRC.
Roles in the TRC¶
A TRC contains cryptographic material for two of participants roles in an ISD:
Role |
Description |
|---|---|
Voting Member |
Represent the governance of the ISD. They are responsible for creating TRC updates, e.g., to change core ASes, change the set of Root CAs, or change any other ISD parameter. |
Certificate Authority |
Responsible for issuing and renewing the AS certificates of the participants in the ISD. Commonly, we distinguish between primary CAs which are responsible for issuing the initial AS certificate of a new participant, and secondary CAs which are only responsible for renewing the AS certificates. |
Certificates in the TRC¶
The following three types of certificates appear in the TRC:
Type |
Role |
Purpose |
|---|---|---|
regular-voting |
Voting Member |
Authenticate vote in a regular TRC update |
sensitive-voting |
Voting Member |
Authenticate vote in a sensitive TRC update |
cp-root |
Certificate Authority |
Authenticate CA certificates, which are used to create AS certificates |
Private Keys¶
Every certificate contains the public key of a private key that the participant owns. These certificates are used to verify the signatures that are created with the corresponding private key. The occasions where access to the private key is required depends on the key type:
Type |
Who |
Access |
|---|---|---|
regular-voting |
Representative of voting member |
During TRC signing ceremony (to show proof-of-possession for new keys, and cast votes) |
sensitive-voting |
Representative of voting member |
During TRC signing ceremony (to show proof-of-possession for new keys, and cast votes) |
cp-root |
CA Service |
When issuing a new CA certificate |
The differentiation between voting keys and CA keys is important. The voting keys are only used during the TRC signing ceremony and preparation thereof, i.e., when creating the initial base TRC or when creating subsequent TRC updates. Between these ceremonies, the access to the voting keys is not required, and most likely should be restricted as much as possible to prevent misuse. The root key on the other hand is used to issue new CA certificates, which is done on a regular basis. It most likely should be available to a service that is responsible for issuing new CA certificates periodically.
Important
The SCION Control Plane PKI currently only supports the following EC curves for the private keys: P-256, P-384, and P-521. Make sure to use one of these curves when creating the private keys.
Requirements¶
The root, regular voting and sensitive voting certificates are self-signed. There are multiple ways to create these certificates, either with openssl, with step, or with the dedicated scion-pki tool.
In this document, we will focus on the scion-pki tool, as it is the most
convenient way to create the certificates.
Voting Member¶
As a voting member, you will need to show proof-of-possession of both your regular and sensitive voting keys during the TRC signing ceremony. You will need the following to participate in the ceremony:
A sensitive voting key (asymmetric signing key with EC P-256, P-384 or P-521) that is stored in a secure key storage backend.
A regular voting key (asymmetric signing key with EC P-256, P-384 or P-521) that is stored in a secure key storage backend.
A copy of the regular voting certificate that contains the public key of your regular voting key.
A copy of the sensitive voting certificate that contains the public key of your sensitive voting key.
Access to an amd64 Linux machine with the
scion-pkitool installed during the ceremony.Ability to create a signature with your private keys during the ceremony.
If you choose to use a cloud-based KMS to store your private keys, this implies that you have access to the cloud based KMS during the ceremony. E.g., your machine has access to the internet, and you have an account with the correct permissions to access the KMS.
Installation¶
Download the tool from cloudsmith.
curl -1sLf -O 'https://dl.cloudsmith.io/public/anapaya/public/raw/versions/latest/scion-pki'
Furthermore, you will need to install the
step-kms-plugin and make it
available on your PATH for the scion-pki tool to discover it. You can either
build it from source, or download a pre-built binary from
cloudsmith.
curl -1sLf -O 'https://dl.cloudsmith.io/public/anapaya/public/raw/versions/latest/step-kms-plugin'
You can test that the step-kms-plugin is available by running the following command:
scion-pki kms version
This should succeed and print the version of the step-kms-plugin.
Key Storage¶
The private keys for the self-signed certificates must be protected well. They hold significant power over the ISD, as they are used to sign the TRC updates (voting keys) or sign the CA certificate (root key). With the scion-pki tool, the private keys can be stored in one of multiple secure keys storage backends.
Type |
Description |
|---|---|
Cloud based KMS |
Safely store the private key in a cloud-based KMS (e.g., AWS KMS, Google Cloud KMS, Azure Key Vault) |
PKCS #11 HSM |
Safely store the private key in a PKCS #11 compatible HSM. |
YubiKey PIV |
Safely store the private key in a YubiKey PIV. |
There are tradeoffs between the different key storage backends. The cloud-based KMS is more convenient and easier to set up. Access can be protected with the familiar IAM policies. We think it is a good choice in most cases, when configured properly.
The cloud based KMS commonly also support different tiers of key storage. From the very basic software protected private key, to a more advanced HSM protected private key.
Independent of the key storage backend, we leverage the
step-kms-plugin in our
scion-pki tool to use the private keys for signing certificates.
The following table shows the parameters that are required for the three most
common cloud-based KMS. The parameters are passed to the scion-pki tool via
the --kms and --key parameters, e.g., when creating a new certificate using
scion-pki certificate create or creating a signature on a TRC using scion-pki trc sign.
Type |
KMS |
Key |
|---|---|---|
AWS KMS |
|
|
Azure Key Vault |
|
|
Google Cloud KMS |
|
|
Check out the following guides for more information on how to set up your KMS of
choice to work with the scion-pki tool.
Additional Information¶
Check out the following docs for more information on TRC ceremonies and the cryptographic material that is used in the SCION Control Plane PKI.
Link |
Description |
|---|---|
High-level description of TRC signing ceremony |
|
Tool to build script for a participant in the TRC signing ceremony. |
|
Specification for the TRC and voting certificates. |
|
Specification for the control plane PKI certificates. |