Citadel Key Escrow


Overview

Key Escrow is tiCrypt's (tiCrypt is the software that Citadel runs on) way of protecting the recovery of lost keys in the system. The user's private key is cryptographically split into three parts, and each part is sent to an escrow user in a different escrow group for recovery. In tiCrypt, escrow users are separated into groups; each group receives only one part of the escrowed key. This is done to avoid collusion between users of the same group.

Citadel Account Recovery Procedure

An important concept in the tiCrypt architecture is the separation of duties between roles. Each role plays a unique part in the system. The roles involved in Key Escrow are described below:

Escrow Users

Escrow users are responsible for recovering lost private keys for regular Citadel users. These users are outside of the system. The table below lists the three groups of escrow users. For a recovery, one escrow user is selected from each group.

Escrow Group 1      | Escrow Group 2      | Escrow Group 3
Jed Marsh           | Vineeta Bhardwaj    | Christopher Tengi
Elizabeth Adams     | Elizabeth Holtz     | Steve Niedzwiecki
Curt Hillegas       | David Sherry        | Stephanie Ayers

Site Key Administrator

The Site Key Administrator performs offline certification of escrow groups and escrow users. The Site Key Administrator is outside of the system. Robert Knight (knight@princeton.edu) is a Site Key Administrator for Citadel at Princeton.

Escrow User Notes

Escrow Login

  1. On your computer, locate the tiCrypt application.
  2. Select Escrow on the main login page.
  3. Upload your escrow key on the webpage (drag and drop works as well).
  4. Enter the password associated with the escrow key.
  5. Select Login.

Escrow User Creation Process

The workflow process for adding the Escrow User is as follows:

  1. If you haven't done so already, install the tiCrypt connector by following the instructions in this article.
  2. Register to become an escrow user by selecting the “Escrow” option from the drop-down on the Citadel login page. From there, click “Register.”
  3. The Escrow User will be prompted to register their account by providing basic user account information and indicating which Escrow Group they will belong to. NOTE: If you are unsure which Escrow Group you should register for, please contact a system administrator.
  4. Next, the user will be prompted to download the private escrow key and the unsigned certificate. NOTE: A notification asking to download multiple files will appear. The Escrow User should click Allow for this instance.
  5. The Escrow User emails their unsigned certificate to the Site Key Administrator. The file name looks like this:
     create-escrow-user('USER NAME').csr.json
  6. The Site Key Administrator signs the request and sends the newly signed certificate to the System Administrator.
  7. The System Administrator adds the signed escrow user certificate to Citadel.

Recovering Key Escrow Process

  1. The Administrator selects three Escrow Users, one from each group, and designates the Escrow User who will restore the private key. Each Escrow User shares their key part with that user.
  2. Launch the tiCrypt Connect application on your computer. If you don't have it installed, follow the instructions in this article to install it.
  3. Update to the latest software version by clicking Update when prompted. Note: It is essential to run the newest software version.
  4. Click the play icon for the Citadel Deployment to launch the main login page.
  5. Use the drop-down menu on the main login page to change the login type from tiCrypt to Escrow.
  6. Upload the Escrow User private key, enter the password, and click Login. Make sure to use the escrow user private key, as it differs from the Citadel private key.
  7. In the list of users, select the user whose key is to be recovered.
  8. Share the key parts with the designated Escrow User by clicking the share button next to their name.
  9. Once the designated Escrow User has all three key parts, the 'Recover Key' button becomes clickable.
  10. When prompted, the designated Escrow User clicks Recover Key and creates a new password for the recovered private key.
  11. After setting the password, the recovered private key automatically downloads to the designated Escrow User's local workstation.
  12. The private key and password can now be shared separately and securely with the user (if account recovery was requested).

NOTE: The account is still protected by NetID two-factor authentication. If the recovery is not being performed on the user's behalf, the NetID credentials would also need to be shared for administrators to gain access to the account.
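As an added illustration (not tiCrypt's own code; the page does not describe its actual splitting algorithm), the following Python models the 3-of-3 split of a private key across the three escrow groups and the recovery that is only possible once the designated Escrow User holds a part from every group. `SAMPLE_KEY`, `GROUPS`, and the function names are constructed for the example.

```python
import secrets

# Added example: a 3-of-3 XOR split of a private key, one part per escrow group.
# tiCrypt's real splitting algorithm is not described on this page; this only
# models the property the page states: every group's part is needed to recover.

GROUPS = ("Escrow Group 1", "Escrow Group 2", "Escrow Group 3")

# Constructed placeholder standing in for a user's private key bytes (not a real key).
SAMPLE_KEY = b"constructed-sample-private-key-material-00"


def split_key(private_key: bytes) -> dict[str, bytes]:
    """Produce one part per escrow group.

    Two parts are fresh random bytes; the third is chosen so that the XOR of all
    three equals the key. Any one or two parts are uniformly random, so users
    from only two groups learn nothing about the key, which is why each part
    goes to a different group.
    """
    part1 = secrets.token_bytes(len(private_key))
    part2 = secrets.token_bytes(len(private_key))
    part3 = bytes(k ^ a ^ b for k, a, b in zip(private_key, part1, part2))
    return dict(zip(GROUPS, (part1, part2, part3)))


def has_all_parts(parts: dict[str, bytes]) -> bool:
    """Mirror the 'Recover Key' button: enabled only with a part from every group."""
    return all(g in parts for g in GROUPS)


def recover_key(parts: dict[str, bytes]) -> bytes:
    """Recombine the parts held by the designated escrow user."""
    if not has_all_parts(parts):
        missing = [g for g in GROUPS if g not in parts]
        raise ValueError(f"missing part(s) from: {', '.join(missing)}")
    length = len(parts[GROUPS[0]])
    if any(len(p) != length for p in parts.values()):
        raise ValueError("escrow parts have mismatched lengths")
    recovered = bytes(length)
    for p in parts.values():
        recovered = bytes(x ^ y for x, y in zip(recovered, p))
    return recovered


if __name__ == "__main__":
    escrowed = split_key(SAMPLE_KEY)
    two_groups = {g: escrowed[g] for g in GROUPS[:2]}
    print("recoverable with two groups:", has_all_parts(two_groups))  # False
    print("all parts recover key:", recover_key(escrowed) == SAMPLE_KEY)  # True
```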

Site Key Administrator Notes

System Admins and Sub-Admins do not have access to the site key interface, nor are they able to digitally sign certificates. To use the site key and certificate interface, the site key must be countersigned by the key of Tera Insights (the author of the tiCrypt software) and placed in the correct configuration file. This site key is used to sign certificates that are then passed into tiCrypt. The site key interface is an offline tool that enforces digital signatures and prevents these signatures from being forged.

Create a Site Key

  1. Launch the tiCrypt application on your computer.
  2. Navigate to the site key creation page.
  3. Select the escrow user link on the main tiCrypt login page.
  4. Select Create site key on the escrow login page. NOTE: The link redirects to a registration page similar to the tiCrypt user registration page.
  5. On this page, the public-private site key pair is created, a password to encrypt the private key is required, and terms are listed that must be accepted.
  6. Save the private key. This private key is not recoverable after leaving the registration page and should be stored accordingly. Acceptable locations are LastPass, University-supported Google Drive, or OneDrive folders.
  7. To use this site key, the public part of the key must be digitally signed by Tera Insights and then stored on the server. This operation is only performed once (during the system's initial setup). Important: Until the public key is countersigned by Tera Insights and placed in the system, the site key cannot be used to sign any certificates.

Upload Unsigned Certificates

  1. Click on the upload button in the top right corner of the interface OR drag and drop certificate(s) on the interface. 
  2. Select the Escrow User request certificate to upload and sign.

Sign Certificates

  1. Select the certificate(s) you want to sign by clicking on the associated checkbox.
  2. Enter the site key password to decrypt the site key.
  3. Select sign to complete the process. NOTE: All signed certificates appear in the Signed Certificates panel after signing.

Edit Certificates

  1. Select a certificate you want to edit
  2. Click on the edit option and change the information associated with the certificate.

Export Certificates

  1. In the Signed Certificates panel, click on the download icon.
  2. This will download all of the signed certificates to your computer. From here, please share any of the certificates as needed.

Escrow Groups

The Site Key Administrator can create or edit escrow groups. At Princeton, three escrow groups are created - Escrow Group 1, Escrow Group 2, and Escrow Group 3. The escrow group members are responsible for recovering the lost keys of Citadel users. 

The workflow process for creating the Escrow Group is as follows:

  1. The Site Key Administrator generates escrow group certificates
  2. The Site Key Administrator signs the escrow group certificates with the site key
  3. The Site Key Administrator emails the signed escrow group certificate to a member of the System Admin group
  4. A member of the System Admin group adds them to Citadel using the Certificate Management Tools.

Escrow User Creation Process

The workflow process for adding the Escrow user is as follows:

  1. Register to become an escrow user by selecting the "Escrow" option from the drop-down on the Citadel login page. From there, the Escrow User will click "Register".
  2. The Escrow User will be prompted to register their account by providing basic user account information and indicating which Escrow Group they will belong to. NOTE: Please tell the Escrow User the name of the Escrow Group they should join.
  3. Next, the user will be prompted to download the private escrow key and the unsigned certificate. NOTE: A notification asking to download multiple files will appear. The Escrow User should click Allow for this instance.
  4. Instruct the Escrow User to email their unsigned certificate to the Site Key Administrator. The file name looks like this:
     create-escrow-user('USER NAME').csr.json
  5. The Site Key Administrator signs the request and sends the newly signed certificate to the System Administrator.
  6. The System Administrator adds the signed escrow user certificate to Citadel.

Escrow User Deletion Process

The workflow process for deleting an Escrow User is as follows:

  1. A Citadel Admin navigates to Escrow Users within the Management tab of Citadel.
  2. The Citadel Admin clicks the red “delete” icon for the Escrow User for whom a deletion request is to be issued.
  3. The deletion request certificate downloads onto the local machine.
  4. Email the certificate to the Site Key Administrator for signing. NOTE: Signing the certificate follows the same steps as Escrow User certificate signing.
  5. Once the Site Key Administrator signs and emails back the deletion request, the Citadel Admin places the request into Citadel via the ‘Signed Escrow Actions’ tab.