[dns-operations] Summary: Anyone still using a Sun/Oracle SCA6000 with OpenSSL?

Robert Kisteleki robert at ripe.net
Tue Oct 16 12:52:09 UTC 2012


Hi,

(Blowing the dust off of an old hat of mine...)


On 2012.10.16. 12:34, Shane Kerr wrote:
>> i keep wondering about the use of hsms in dnssec and rpki signing.  i
>> suspect that the threat model is not well thought out.
> 
> The only attack that I could see an HSM protecting against is an
> insider stealing the keys without being detected, like Alexander
> mentioned. The idea is that a motivated attacker could in principle
> make a copy of the keys - but not if they are stored in an HSM.

The attacker's point is not to *steal* the key, but to *sign* something with
it; most likely a hash or such. If I can inject a hash-to-be-signed into the
to-be-signed queue, then I won, I don't really care about the key itself.
Sure, if I actually have a copy of the key, then it's way easier :-) but as
you say, HSMs can prevent that.

> Also note that there are possible weaknesses with even an HSM, depending
> on how backups are made. These can be worked around with procedure and
> extra layers of security (cameras, access logs, ...).

It's possible to come up with bad escrow mechanisms, which leave the key
vulnerable. That's just bad engineering, it's got nothing to do with HSMs.
However, a properly designed procedure with enough support from the HSM will
defend against this.

Robert




More information about the dns-operations mailing list