[ksk-change] FIPS-140 levels

Michael StJohns msj at nthpermutation.com
Mon Oct 6 19:55:37 UTC 2014

On 10/5/2014 6:16 PM, Paul Hoffman wrote:
> On Oct 5, 2014, at 2:50 PM, Tomofumi Okubo <tomofumi.okubo at gmail.com> wrote:
>> What you suggested is simply lowering the security level for
>> convenience as you did not suggest compensating controls.
> It wasn't "for convenience", it was to enable us to have a wider choice of HSMs that meet our needs. For example, one of our possible needs is "have HSMs from a variety of manufacturers", which is something you proposed just the other day. Another possible need is "have an HSM that uses the signing algorithm we want", given that there are some people who want to move towards modern elliptic curve signatures in the future.
>> Instead you
>> just suggested removing controls as it is overlapping with existing
>> ones.
> I did not propose "removing controls": I proposed meeting specific requirements ourselves if IANA can do it better. If the tamper evidence provided by the additions in the Level 2 part of an HSM's FIPS-140 certification is as good as, or not even as good as, what is provided by IANA's design (the tamper-evident bags), then it is not an actual control. The same is true for Level 3 and Level 4, I believe. I'm not sure, so I'm asking for others who know the specifics of how the levels are met *in HSMs* to comment.

The following table is taken directly from the FIPS 140-2 document.

The most important piece you get with Level 4 of this is that when 
tamper is detected, zeroization is performed.  L4 devices are designed 
to the Roach Motel standard - keys check in but they never check out.

I'm responding behind a number of other responses.  WRT your original
comment,  the only thing you get if you remove HSM protections and keep 
the tamper stuff is a knowledge that you're *really* screwed when the 
tamper seal is broken.

If the tamper seals are defeated (e.g. the key material is removed from 
the tamper bag and copied and returned), you don't even know that...  
Then there are all the possible sleight of hand scams that can take place
- cf http://en.wikipedia.org/wiki/Pigeon_drop for one example.

>> IMHO, it is better to have tamper evidence (level2) and tamper
>> resistance (level3) at the HSM level.
> Why? This is a serious question. Why rely on the tamper evidence and tamper resistance of a system when you can add better functionality for both, which is what IANA is already doing?

The answer to this is that a tamper event causes destruction of the key 
material.  Tamper evidence or tamper resistance does not by itself give 
you any assurance with respect to the underlying key material.

>> I personally think the
>> environmental controls (level4) might be too much but it is true that
>> it has controls that protect the cryptographic key from different
>> types of attacks.
> In the case of the HSMs that IANA uses, what specific attacks are those? I would be somewhat surprised if the same controls weren't required for Level 1, but you are more familiar with how HSMs meet the FIPS-140 requirements.

See the above table.  A software module can be certified as L1 (and I 
believe one of the Mozilla pseudo-PKCS11 software modules is so
certified).  It really provides no protection against cloning or 
extraction of the key material.


> --Paul Hoffman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ahgddcbe.png
Type: image/png
Size: 93469 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20141006/f88e3646/ahgddcbe-0001.png>
