Hi, (Blowing the dust off of an old hat of mine...)
On 2012.10.16. 12:34, Shane Kerr wrote: >> i keep wondering about the use of hsms in dnssec and rpki signing. i >> suspect that the threat model is not well thought out. > > The only attack that I could see an HSM protecting against is an > insider stealing the keys without being detected, like Alexander > mentioned. The idea is that a motivated attacker could in principle > make a copy of the keys - but not if they are stored in an HSM. The attacker's point is not to *steal* the key, but to *sign* something with it; most likely a hash or such. If I can inject a hash-to-be-signed into the to-be-signed queue, then I won, I don't really care about the key itself. Sure, if I actually have a copy of the key, then it's way easier :-) but as you say, HSMs can prevent that. > Also note that there are possible weaknesses with even an HSM, depending > on how backups are made. These can be worked around with procedure and > extra layers of security (cameras, access logs, ...). It's possible to come up with bad escrow mechanisms, which leave the key vulnerable. That's just bad engineering, it's got nothing to do with HSMs. However, a properly designed procedure with enough support from the HSM will defend against this. Robert _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
