Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
Thanks to all users that have contributed to this discussion. The info/links/opinons provided have been most usefull, it is a great list. Paul Fraser ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
On Wed, Jan 8, 2014 at 11:54 PM, ianG i...@iang.org wrote: On 9/01/14 02:49 AM, Paul F Fraser wrote: Software and physical safe keeping of Root CA secret key are central to security of a large set of issued certificates. Are there any safe techniques for handling this problem taking into account the need to not have the control in the hands of one person? Any links or suggestions of how to handle this problem? The easiest place to understand the formal approach would be to look at Baseline Requirements, which Joe pointed to. It's the latest in a series of documents that has emphasised a certain direction. (fwiw, the techniques described in BR are not safe, IMHO. But they are industry 'best practice' so you might have to choose between loving acceptance and safety.) Is there a better reference for safe or a place that has commentary on the 'best practice' weaknesses? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
On 9/01/14 18:05 PM, Peter Bowen wrote: On Wed, Jan 8, 2014 at 11:54 PM, ianG i...@iang.org wrote: On 9/01/14 02:49 AM, Paul F Fraser wrote: Software and physical safe keeping of Root CA secret key are central to security of a large set of issued certificates. Are there any safe techniques for handling this problem taking into account the need to not have the control in the hands of one person? Any links or suggestions of how to handle this problem? The easiest place to understand the formal approach would be to look at Baseline Requirements, which Joe pointed to. It's the latest in a series of documents that has emphasised a certain direction. (fwiw, the techniques described in BR are not safe, IMHO. But they are industry 'best practice' so you might have to choose between loving acceptance and safety.) Is there a better reference for safe I'm not aware of one. You probably have to invent your own process. You might do worse by looking at what Dan pointed at: Steve Bellovin: Nuclear Weapons, Permissive Action Links, and the History of Public Key Cryptography, USENIX, 2006. http://www.usenix.org/events/usenix06/tech/mp3/bellovin.mp3 http://www.usenix.org/events/usenix06/tech/slides/bellovin_2006.pdf http://64.233.169.104/search?q=cache:_gevj9vbdqsJ:www.usenix.org/events/usenix06/tech/slides/bellovin_2006.pdf or a place that has commentary on the 'best practice' weaknesses? Pointing out weaknesses in best practices is not best practices. You're either in or your out. iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
Peter Bowen wrote: On Wed, Jan 8, 2014 at 11:54 PM, ianG i...@iang.org wrote: On 9/01/14 02:49 AM, Paul F Fraser wrote: Software and physical safe keeping of Root CA secret key are central to security of a large set of issued certificates. Are there any safe techniques for handling this problem taking into account the need to not have the control in the hands of one person? Any links or suggestions of how to handle this problem? The easiest place to understand the formal approach would be to look at Baseline Requirements, which Joe pointed to. It's the latest in a series of documents that has emphasised a certain direction. (fwiw, the techniques described in BR are not safe, IMHO. But they are industry 'best practice' so you might have to choose between loving acceptance and safety.) Is there a better reference for safe or a place that has commentary on the 'best practice' weaknesses? The short answer is 'no'. As a first comment replace CA certificate Secret Key by root CA private signature key [used to sign certificates] because 1) you want to trust (or establish trustworthiness for) a CA *entity*, 2) you might wish to have some continuity if the CA entity replaces its signature key pair, and 3) a secret key might refer to some other type of key. If you understand the fundamentals, you may see that the root DNSSEC signature key (handled by ICANN/IANA, see https://www.iana.org/dnssec ) requires indeed the exact same type of protections. Documents were circulated prior to the launch of the DNSSEC service for the DNS root zone that disclosed a lot of design decisions that are now embedded in the details of KSK ceremonies. I got the feeling that ICANN employees are nowadays in the public-relations mood when questioned (more or less consciously by the person asking a question who may have been absent when call for comments were made). I would suggest that the DNSSEC deployment at the root would be a good case study for IT security management, from an historic perspective. The primary source documents, and the conclusion of such case study, could be helpful to you but ... ... if you want to do it right (and since the resources -- money, personnel, organizational trustworthiness, immediate attention from a community of experts -- available to ICANN aren't available to you), you may need to revise your understanding of underlying principles (hint: don't start by reverse engineering the PKCS#12 specifications). You may want to do it best practice and there you go. Good luck -- - Thierry Moreau ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
On Thu, Jan 9, 2014 at 7:51 AM, Thierry Moreau thierry.mor...@connotech.com wrote: I would suggest that the DNSSEC deployment at the root would be a good case study for IT security management, from an historic perspective. The primary source documents, and the conclusion of such case study, could be helpful to you but ... I'd actually look at DNSSEC as something of an antipattern. They ostensibly seem to be using One Key To Rule Them all and a Shamir-like secret sharing scheme. This makes less sense to me than a multisignature trust system / threshold signature system with n root keys and a threshold t such that we need t of n signatures in order for something to be considered signed. While I'm sure they took great care to airgap and delete the DNSSEC root key from the computer it was generated on, that's an unnecessary risk that simply doesn't have to exist. Furthermore a multisignature trust system makes it easy to rotate the root keys: if one is compromised you simply sign a new root key document with t of n signatures again, listing out the newly reissued public key. -- Tony Arcieri ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
On Thu, Jan 09, 2014 at 10:36:23AM -0800, Tony Arcieri wrote: I'd actually look at DNSSEC as something of an antipattern. They ostensibly seem to be using One Key To Rule Them all and a Shamir-like secret sharing scheme. This makes less sense to me than a multisignature trust system / threshold signature system with n root keys and a threshold t such that we need t of n signatures in order for something to be considered signed. While I'm sure they took great care to airgap and delete the DNSSEC root key from the computer it was generated on, that's an unnecessary risk that simply doesn't have to exist. Furthermore a multisignature trust system makes it easy to rotate the root keys: if one is compromised you simply sign a new root key document with t of n signatures again, listing out the newly reissued public key. -- Tony Arcieri A talk from 29C3 explains the DNSSEC root key generation process: An overview of secure name resolution http://mirror.netcologne.de/CCC/congress/29C3/mp4-h264-HQ/29c3-5146-en-an_overview_of_secure_name_resolution_h264.mp4 http://youtu.be/eOGezLjlzFU if you prefer YouTube. -- staticsafe ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
Tony Arcieri wrote: On Thu, Jan 9, 2014 at 7:51 AM, Thierry Moreau thierry.mor...@connotech.com mailto:thierry.mor...@connotech.com wrote: I would suggest that the DNSSEC deployment at the root would be a good case study for IT security management, from an historic perspective. The primary source documents, and the conclusion of such case study, could be helpful to you but ... I'd actually look at DNSSEC as something of an antipattern. They ostensibly seem to be using One Key To Rule Them all and a Shamir-like secret sharing scheme. This makes less sense to me than a multisignature trust system / threshold signature system with n root keys and a threshold t such that we need t of n signatures in order for something to be considered signed. While I'm sure they took great care to airgap and delete the DNSSEC root key from the computer it was generated on, that's an unnecessary risk that simply doesn't have to exist. Furthermore a multisignature trust system makes it easy to rotate the root keys: if one is compromised you simply sign a new root key document with t of n signatures again, listing out the newly reissued public key. I guess a multisignature trust system requires some algorithm support beyond RSA and ECC signature schemes pushed by NIST, and thus would have been rejected on the (questionable) basis of lack of support in the DNS software culture and the (political) basis of lack of NIST approval. But yes! That is the type of suggestion/innovation that someone might look at while revisiting the fundamentals of root signature key management. Regards, -- - Thierry Moreau CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, QC, Canada H2M 2A1 Tel. +1-514-385-5691 ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
On Thu, Jan 9, 2014 at 11:08 AM, Thierry Moreau thierry.mor...@connotech.com wrote: I guess a multisignature trust system requires some algorithm support beyond RSA and ECC signature schemes pushed by NIST, and thus would have been rejected on the (questionable) basis of lack of support in the DNS software culture and the (political) basis of lack of NIST approval. Not at all. You can use any digital signature scheme you want. Give the data you want signed to each of the participants and they can add their signature. It's not much different than the digital equivalent of a paper document signed by multiple parties. Verifiers merely ensure there's t signatures present on a given piece of data before treating it as valid. An example of a system using this approach is The Update Framework: http://freehaven.net/~arma/tuf-ccs2010.pdf See section 6.2: Multi-Signature Trust. There are also multisignature Bitcoin addresses: http://bitcoin.stackexchange.com/questions/3718/what-are-multi-signature-transactions -- Tony Arcieri ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
On 2014-01-09, Paul F Fraser wrote: Software and physical safe keeping of Root CA secret key are central to security of a large set of issued certificates. Are there any safe techniques for handling this problem taking into account the need to not have the control in the hands of one person? Any links or suggestions of how to handle this problem? In addition to what Joe sent, you may also be interested in the CertiPath certificate policy: https://www.certipath.com/policy-management-authority/policy-documents Best regards, Timo ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
Den 9 jan 2014 00:56 skrev Paul F Fraser pa...@a2zliving.com: Software and physical safe keeping of Root CA secret key are central to security of a large set of issued certificates. Are there any safe techniques for handling this problem taking into account the need to not have the control in the hands of one person? Any links or suggestions of how to handle this problem? regards Paul Fraser Hardware Security Modules are common. Kind of like smartcards (the chip on your bank card), but big and fast, and usually supporting far more protocols. Designed to be very hard to hack or otherwise extract the keys from. On the algorithmical level, there is Secure Multiparty Computation plus Shamir's Secure Sharing Scheme, such that you need a group of chosen period to work together to use the key to decrypt and sign things, while not revealing the private key to anybody. The people who developed the Speedz (spelling?) protocol is marketing a service for this. - Sent from my phone ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
Paul Fraser asked: #Software and physical safe keeping of Root CA secret key are central to #security of a large set of issued certificates. # #Are there any safe techniques for handling this problem taking into account the #need to not have the control in the hands of one person? # #Any links or suggestions of how to handle this problem? See Section 16.6 of the Certificate and Browser Forum Baseline Requirements at https://www.cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf For devices certified for FIPS 140 at level 3, check out http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm and then search that web page for the appropriate level For Common Criteria EAL 4 or higher, start with http://www.commoncriteriaportal.org/products/ Regards, Joe ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Techniques for protecting CA Root certificate Secret Key
On 9/01/14 02:49 AM, Paul F Fraser wrote: Software and physical safe keeping of Root CA secret key are central to security of a large set of issued certificates. Are there any safe techniques for handling this problem taking into account the need to not have the control in the hands of one person? Any links or suggestions of how to handle this problem? The easiest place to understand the formal approach would be to look at Baseline Requirements, which Joe pointed to. It's the latest in a series of documents that has emphasised a certain direction. However, it is not the only answer. The best way to describe it is that it is 'best practices' for the CA industry, and once you achieve that way, you're on the path to being inculcated. If that's your goal, the BR is your answer. As you don't say much about your problem space is, it's difficult to answer your real question: what are safe techniques for handling root CA keys? (fwiw, the techniques described in BR are not safe, IMHO. But they are industry 'best practice' so you might have to choose between loving acceptance and safety.) iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography