<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">Apologies for duplicates. I am forwarding on this announcement we posted to our Root DNSSEC announcement list.</div>
<div class=""><br class="">
</div>
<div class="">kim<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class="">
<span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class=""><b class="">Subject:
</b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class=""><b class="">Replacement of Root KSK Hardware Security Modules</b></span></div>
<div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class="">
<br class="">
</div>
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">ICANN today posted a summary of its planned HSM Replacement Project for the Root KSK online at <a href="https://www.icann.org/news/announcement-3-2015-03-23-en" class="">https://www.icann.org/news/announcement-3-2015-03-23-en</a></div>
<div class=""><br class="">
</div>
<div class="">Here is the text:</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""><b class="">Overview</b></div>
<div class=""><br class="">
</div>
<div class="">As part of securely maintaining the Root Zone Key Signing Key (KSK), ICANN utilizes specialized devices known as Hardware Security Modules (HSMs). These HSMs store the private key material for the Root Zone KSK, and are powered by batteries that
have a limited lifespan. While the batteries are currently in good condition and have an expected shelf life of 10 years, the manufacturer warrants the first five years of operation. Out of an abundance of caution, ICANN is planning to replace the existing
units during 2015 after five years of service.</div>
<div class=""><br class="">
</div>
<div class=""><b class="">Background</b></div>
<div class=""><br class="">
</div>
<div class="">The Domain Name System Security Extensions (DNSSEC) provides a way for software to validate that Domain Name System (DNS) data has not been modified during Internet transit. This is done by incorporating public key cryptography into the DNS hierarchy
to form a chain of trust originating at the root zone.</div>
<div class=""><br class="">
</div>
<div class="">In accordance with its role as IANA Functions Operator, ICANN is the Root Zone Key Signing Key Operator performing the function of securely generating and storing the Root Zone KSK. ICANN uses HSMs to store the KSK. HSMs are secure crypto-processors
that manage cryptographic keys and perform cryptographic operations while providing physical protection of the private keying material through tamper evident mechanisms. ICANN has two duplicate HSMs for each secure ICANN Key Management Facility (KMF) — one
facility on the U.S. East Coast and another facility on the U.S. West Coast. In the event that one HSM or KMF should fail, the other redundant devices and locations would be available for use. Beyond these options there are further recovery procedure details
that are documented in the KSK Disaster Recovery and Business Continuity Plan.</div>
<div class=""><br class="">
</div>
<div class="">Unlike many other electronic devices, the battery for an HSM is typically built into the unit and cannot be replaced individually. The batteries in these HSMs have a life expectancy of 10 years from the manufacture date, with the manufacturer
warranty covering five years of support from the date of first use. </div>
<div class=""><br class="">
</div>
<div class=""><b class="">Replacement Process</b></div>
<div class=""><br class="">
</div>
<div class="">The HSMs currently in production were first used in 2010. With the warranty period ending, and as a conservative approach to the battery’s expected lifetime, ICANN intends to bring into service new HSMs during calendar year 2015. The contents
of the existing HSMs will be imported into the new HSMs, which can perform the same functions as the existing set. This process will be performed during quarterly events at the KMFs known as key signing ceremonies. Scripts will be written to include the commissioning
of new HSMs during regularly scheduled key signing ceremonies in 2015.</div>
<div class=""><br class="">
</div>
<div class="">ICANN plans to augment the existing four HSMs with an additional four HSMs such that the new HSMs are placed into parallel production with the 2010 HSMs for a transitional period to guarantee the security and availability of KSK operations. </div>
<div class=""><br class="">
</div>
<div class="">Once the relevant parties are confident that the new HSMs are functioning correctly and the continuity of KSK operations will not be compromised, a secure method of decommissioning and destroying the existing modules will be designed to adhere
to the most current industry specifications. </div>
<div class=""><br class="">
</div>
<div class=""><b class="">Key Risks</b></div>
<div class=""><br class="">
</div>
<div class="">The following list represents the key identified risks and their mitigations:</div>
<div class=""><br class="">
</div>
<div class="">Risk: All four production HSMs fail to perform cryptographic operations due to a battery failure thus impacting the continuity of operations.</div>
<div class="">Mitigation: There are currently four duplicate HSMs, plus additional backups that can be activated by the disaster recovery process. The failure rate of a battery in a single HSM is easily mitigated by the redundancy resulting from the three other
HSMs. The expected shelf life of the battery is around 10 years, and each unit reported their battery condition as good. That said given the similar production dates, it is possible that the batteries in all HSMs could fail around the same time. To maintain
the continuity of operation and mitigate the risk of all HSMs ceasing to function, we consider it prudent to perform the HSM replacement in 2015 and use HSMs with differing battery lot and production dates.</div>
<div class=""><br class="">
</div>
<div class="">Risk: The new production HSMs do not function correctly when powered up for the first time.</div>
<div class="">Mitigation: As part of installing the new HSMs, acceptance testing will be performed to verify the function of the units prior to the ceremonies in which they are put into production. For a period after the new HSMs are placed into service, the
existing HSMs will continue to be stored in the secure facilities allowing for more options for remediation in the case of new HSM failure.</div>
<div class=""><br class="">
</div>
<div class="">Risk: All new production HSMs share a common defect.</div>
<div class="">Mitigation: It is possible that if all four HSMs are from the same production batch, they may have common flaws (such as bad battery composition) that would compromise the redundancy in place. To mitigate this risk, ICANN worked with the vendor
to ensure the HSM units are comprised of models with different manufacture dates and contain batteries that were built in different production runs.</div>
<div class=""><br class="">
</div>
<div class=""><b class="">Questions and Answers</b></div>
<div class=""><br class="">
</div>
<div class="">Q1: Why do the HSMs need to be replaced, and not just the batteries?</div>
<div class="">A1: While the HSMs can be reconditioned with new batteries, they must be returned to the vendor to perform that procedure. ICANN will replace the HSMs, rather than recondition the units, to ensure the cryptographic key material does not leave
the secure Key Management Facilities.</div>
<div class=""><br class="">
</div>
<div class="">Q2: How does this project involve a future rollover of the Root KSK?</div>
<div class="">A2: This project is distinct from the project to replace the existing Root KSK with a new Root KSK (known as a “rollover”). HSM issues relating to the rollover will be considered by the Root KSK Rollover Design Team.</div>
<div class="">Separation of the HSM replacement project from a Root KSK rollover is considered beneficial to allow time for the Rollover Design Team to fully develop their approach without being influenced by operational pressures relating to HSM replacement.</div>
<div class=""><br class="">
</div>
<div class="">Q3: What consideration was made in selecting the replacement HSMs?</div>
<div class="">A3: ICANN procured the most recent HSM model, the AEP Keyper Plus, from the vendor used to provide the HSMs that are currently in production. This model meets FIPS 140-2 Level 4 security certification, which is a requirement for the Root KSK in
the IANA Functions contract. This model also allows for the importing of the Root KSK from the older models without needing to regenerate the Root KSK. The newer HSM model was selected rather than the current HSM model in ICANN’s production model as the expected
lifetime of support from the vendor is greater.</div>
<div class=""><br class="">
</div>
<div class="">Q4: How many trusted community representatives are needed to replace the HSMs?</div>
<div class="">Q4: ICANN has determined that three trusted community representatives is the minimum number needed to export the root KSK from the existing production devices, and import them into the new devices. This process does not require generation of a
new set of “SO” and “OP” cards, and therefore does not require the entire set of Cryptographic Officers to be present. The existing Recovery Key Share Holders’ credentials will continue to work with the new HSMs.</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">With kindest regards,</div>
<div class=""><br class="">
</div>
</div>
</div>
<div class="">
<div class="">Kim Davies</div>
<div class="">Director, Technical Services</div>
<div class="">ICANN</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>