On 10/5/2014 6:16 PM, Paul Hoffman wrote:
On Oct 5, 2014, at 2:50 PM, Tomofumi Okubo <tomofumi.okubo@gmail.com> wrote:


What you suggested is simply lowering the security level for
convenience as you did not suggest compensating controls.

It wasn't "for convenience", it was to enable us to have a wider choice of HSMs that meet our needs. For example, one of our possible needs is "have HSMs from a variety of manufacturers", which is something you proposed just the other day. Another possible need is "have an HSM that uses the signing algorithm we want", given that there are some people who want to move towards modern elliptic curve signatures in the future.


Instead you
just suggested removing controls as it is overlapping with existing
ones.

I did not propose "removing controls": I proposed meeting specific requirements ourselves if IANA can do it better. If the tamper evidence provided by the additions in the Level 2 part of an HSM's FIPS-140 certification is as good as, or not even as good as, what is provided by IANA's design (the tamper-evident bags), then it is not an actual control. The same is true for Level 3 and Level 4, I believe. I'm not sure, so I'm asking for others who know the specifics of how the levels are met *in HSMs* to comment.

The following table is taken directly from the FIPS 140-2 doucment.

The most important piece you get with Level 4 of this is that when tamper is detected, zeroization is performed.  L4 devices are designed to the Roach Motel standard - keys check in but they never check out.

I'm responding behind a number of other responses.  WRT to your original comment,  the only thing you get if you remove HSM protections and keep the tamper stuff is a knowledge that you're *really* screwed when the tamper seal is broken.

If the tamper seals are defeated (e.g. the key material is removed from the tamper bag and copied and returned), you don't even know that...  Then there are all the possible slight of hand scams that can take place - cf http://en.wikipedia.org/wiki/Pigeon_drop for one example.







IMHO, it is better to have tamper evidence (level2) and tamper
resistance (level3) at the HSM level.

Why? This is a serious question. Why rely on the tamper evidence and tamper resistance of a system when you can add better functionality for both, which is what IANA is already doing?

The answer to this is that a tamper event causes destruction of the key material.  Tamper evidence or tamper resistance does not by itself give you any assurance with respect to the underlying key material.



I personally think the
environmental controls (level4) might be too much but it is true that
it has controls that protects the cryptographic key from different
type of attacks.

In the case of the HSMs that IANA uses, what specific attacks are those? I would be somewhat surprised if the same controls weren't required for Level 1, but you are more familiar with how HSMs meet the FIPS-140 requirements.

See the above table.  A software module can be certified as L1 (and I believe one of the mozilla pseudo-PKCS11 software modules is so certified).  It really provides no protection against cloning or extraction of the key material.

Mike


--Paul Hoffman
_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover