ICPEdu: the authenticity of the electronic documents within the reach of the Brazilian public universities

The development of ICPEdu started from the RNP R&D call in 2003.

After the Web Conference and CAFe, our series about RNP services with origin in the R&D program will now change focus to digital security, more specifically, the Public Key Infrastructure (PKI). It provides the means to preserve the confidentiality, the authenticity, the integrity, the unimputability and the auditability of electronic documents, transactions, access to resources, etc. 

We will tell you how the idea to create ICPEdu, surged; it enables the user organizations to issue digital certificate of the SSL (Secure Sockets Layer) type, and soon, it will enable issuance of personal certificates.

A bit of history
Back in 2002 and 2003, the federal government wanted to produce HSM (Hardware Security Module) to replace the equipment used at that time by SPB (Brazilian Payment System), linked to newly born ICP-Brasil. The technology of the equipment in question was foreign and proprietary, which made any attempt of independent audit difficult, in addition to being a threat to the national sovereignty. Then, the government started the João de Barro project, which should design and produce a prototype of this equipment.

The professors Ricardo Custódio (UFSC), Ricardo Dahab (Unicamp) and Jeroen van de Graaf (UFMG)  were invited to participate in João de Barro. Instead of this project, they decided to accept the challenge to build a national HSM for another one, a little less ambitious, to respond the RNP R&D program launched more or less at the same time. Thus, ICPEdu was born with the mission to design and produce HSm together with the software to manage the digital certificates life cycle, which included the HSM software and that of the certifying authorities that used it. The initial purpose of the infrastructure was to become the certifying authority of the Brazilian scientific-educational system at higher level.

The project was divided into two WGs of consecutive calls by RNP.

1 - Research and development of high-security hardware to manage the life cycle of the certifying authorities´ cryptographic keys.

Results obtained:

  1. Project and development of ASI-HSM in partnership with Kryptus, a startup from Campinas;
  2. Creation of AC-Raiz of ICPEdu;
  3. ICPEdu pilot in several Brazilian universities and research centers;
  4. Due to some trouble, the João de Barro project was not completed and the federal government ended up adopting ASI-HSM developed by WG.

2 - Research and development of systems to manage the life cycle of digital certificates.

Results obtained:

  1.  ICPEdu Certificate Management System (SGCI);
  2. Qualification of RNP and partners on digital certificates and applications;
  3. Issuance of  ICPEdu digital certificates;
  4. Electronic document signature (Secure e-mail).

Later, the  ICPEdu project was continued with:

3 - Integration of ICP-EDU with the RNP identity federation CAFe.

  • Development of the SAEC system (Automatic Certificate Issuance System) of ICP-Edu. It is a modification of SGCI to obtain data from CAFe automatically for issuance of digital certificates.

Looking at these topics with so many results, it even seems that the route was easy to trace. On the contrary. The faced obstacles were so big that the route had to be recalculated several times.

Creating a digital certificate culture
“At that time, there was little experience and expertise about digital certification and applications in Brazil, especially little knowledge about encrypted hardware for ACs (PKI). Thus, in addition to the technological qualification, a lot of time and energy were invested in the creation of the digital certificate culture as lectures, courses and preparation of regulatory documents, such as the digital certification policies and practices.  Some of these challenges were overcome with adoption of ICPEdu certificates in some institutions, mainly, UFSC, where the ICPEdu safe room is situated”, professors Ricardo Custódio (UFSC) and Ricardo Dahab (Unicamp) remind.

Years have passed and currently, there is sufficient experience for the Brazilian science and technology institutions to adopt digital certification via ICPEdu in mass; however, the professors mentioned the main barrier to be overpassed. “This adoption faces economic and cultural competition from the ready-to-use solutions, always quicker and cheaper to implement, but not in the final long-term cost, especially if we consider the technological dependence due to the lack of qualification of the user community”, they explain.

Regarding the technical difficulties faced during the development, one of the biggest was created by the company Netscape, a North-American computer service company, broadly operating during the surge of the internet.

“ICP is a complicated technology. I thought that as it was encrypted, it would read the data in six weeks, but it took one year. Why? We have to go a little back in the history of the internet to understand. It surged around 96 and the strong company was the company Netscape, and they perceived that it you have a TICP/IP protocol, there is not any security. So, they created one protocol above, the one to browse does no see that there is a certificate, but there is and they created the first version of the SSL protocol. The problem is that they used the X500 certificate standard, which was a monster that never worked, and none of addressing modes have anything to do with TCP/IP.  It never worked. Above that, they created X509. So, X500 died, but because of SSL, X509 remained alive and this brought a lot of problems. We had to understand a lot of things just to understand what was going on. This was one of the difficulties we faced. Despite of them, I am very happy when I remember the project, it was very nice. For me, RNP is an example of something that works in Brazil”, the Dutch professor at UFMG Jeroen van de Graaf says.

The future of the service
For the developers, ICPEdu is in perfect condition to keep evolving, becoming an environment to promote services for electronic signature of remote electronic documents. They believe that the certificate concept can be made transparent for the users, who will simply sign their documents digitally, and in case they don´t have a digital certificate, it will be issued automatically.

In addition, the domain and the control on the technology brings other numberless strategic benefits. “For example, new forms of authentication and other technologies enabled by progress in cryptographic techniques, which require certification services, could have been tested and incorporated interdependently by research laboratories and scientific institutions with no need of prior approval or complicated negotiations with large companies. ICPEdu was born to serve the scientific community, in its general meaning. This has driven us since the very beginning”, professors Custódio and Dahab.