Compute Canada

Certificate Authority

HPCVL Earns Status as a Certificate Authority

HPCVL has added more value to its resources with its recent designation as a Certificate Authority. HPCVL will issue digital certificates to manage identities for the HPCVL Secure Portal.

A certificate authority issues and manages digital certificates. The certificates are issued by HPCVL once it verifies the information provided by the individual or organization requesting digital certificates. HPCVL stores these digital certificates in a Lightweight Directory Access Protocol (LDAP) database to manage identities and control access to information through the web portal that it manages. The establishment of the Certificate Authority is integral to the goals of the lab, providing convenient global access to users while protecting sensitive research and other data accessible through the Secure Portal.

The Certificate Authority can also be used by other third parties who may require security services such as digital signatures and data encryption for their own portals or other desktop applications.

In October 2004, HPCVL's Certificate Authority was issued during its Root Key ceremony with help from the professional services and software from Entrust, Inc., a world leader in securing digital identities and information. The ceremony was witnessed by Deloitte and Touche to assure under audit that the Root Key pairs generated during the event were created in accordance with HPCVL's plan of procedures (Certificate Policy version 1.0) while conforming to industry-held best practices. You may read the Certificate Policy here (PDF). Witnessing activities included video recording of the procedures, personnel checks, access control of the room used to conduct the ceremony, sign-off of the script that included all key stroke entries made during the ceremony, and approval of custody controls of all cryptographic materials. The ceremony also included a review of HPCVL's physical security procedures in place to protect the integrity of the keys that were being generated.

What are Digital Certificates?

A digital certificate is signed by the Certificate Authority so that a recipient can verify that the certificate is trusted. Digital certificates contain a variety of identification information and the certificate holder's public key used for encrypting messages and digital signatures.

Encryption is the process of obscuring information to make it unreadable without special knowledge; the sender encrypts the message using the recipient's public key. The recipient then decrypts the message with their own private key. Once the sender has encrypted the message with the recipient's public key no one can decrypt it without access to the recipient's private key, not even the sender.

A communication has the attribute of 'non-repudiation' if it is protected against a successful dispute of its origin, submission, delivery, or content. The steps for non-repudiation differ than those used for encrypting a message. The sender signs the message using their own private key and the recipient upon receipt uses the sender's public key to access and verify the contents of the message. Non-repudiation is achieved through the use of the sender's private key. No one but the sender must have access to the sender's private key so we can be assured of the identity of the sender. Non-repudiation also ensures that the transaction took place and over a period of time has not been tampered with or altered in anyway.

There are two types of digital certificates:

  1. Personal certificates : these certificates are used to give visitors access to certain parts of a website while restricting other areas. A personal certificate can be used, for example, to allow users access to information, or to send secure email regarding accounts.
  2. Server certificates : Server certificates allow web visitors to provide personal information in secure manner, without worrying about tampering or the interception of data. Server certificates are used when web visitors provide private data such as credit card numbers, addresses or other confidential information.

Entrust TruePass Provides End to End Security

HPCVL's partnership with Entrust, an established public key infrastructure provider, offers users a secure portal that protects intellectual property through the use of data encryption and digital signatures. Entrust TruePass, integrated with the Secure Portal, provides a secure interface to computing resources, along with technical support and the ability to share information. For researchers who work under compliance legislation, the portal offers authentication and the ability to adhere to a range of privacy acts.

Entrust TruePass provides end to end web security, which ensures that data sent over the internet is protected in both directions through use of encryption and allows researchers to access their data through the portal from any location. Researchers can enter data and digitally sign these transactions and be assured of audit trails should they be working under compliance legislation where this is required. The software provides a tightly integrated Secure Identity Management Solution that promotes a proactive approach to security while providing accountability and privacy for online transactions and information.

Although HPCVL is currently providing digital certificates for its own portal, HPCVL can also provide similar services for other groups, such as, universities and hospitals, wishing to access and share data in a secure environment.