[ksk-rollover] ceremonies in April, and managing things less critical and the KSK.
S Moonesamy
sm+icann at elandsys.com
Sun Apr 5 17:30:28 UTC 2020
Hi Michael,
At 06:39 PM 04-04-2020, Michael Richardson wrote:
>https://www.iana.org/dnssec/dps/zsk-operator/dps-zsk-operator-v2.0.pdf says:
>
>5.2.2. Private key (m-of-n) multi-person control
> Verisign has implemented technical and procedural mechanisms that
> require the participation of multiple trusted individuals to perform
> sensitive cryptographic operations. Verisign uses "Secret Sharing"
> to split the activation data needed to make use of a RZ ZSK private
> key into separate parts called "Secret Shares" which are held by
> trained and trusted individuals called "Shareholders." A threshold
> number of Secret Shares (m) out of the total number of Secret Shares
> created and distributed for a particular HSM (n) is required to
> activate a RZ ZSK private key stored on the module. The threshold
> number of shares needed to sign a root Zone File is 3. It should be
> noted that the number of shares distributed for disaster recovery
> tokens may be less than the number distributed for operational HSMs,
> while the threshold number of required shares remains the same.
> Secret Shares are protected in accordance with this DPS.
>
>---
The document which you cited is for the Root Zone Maintainer (Verisign).
>I think that the HSM keeps the private key (RSA) encrypted.
>The key that is used to do this encryption (probably AES256) is the thing
>that is secret-split among the n-shareholders. I understand that m=3.
>
>It says "a particular HSM", so does this mean that the encryption key
>used to encrypt the private RSA key is different in different HSMs (at
>different locations), and a *different* m people are required to activate it?
>
>I would think that the different HSM would synchornize the encrypted copy of
>the private key, and thus the split secret would be the same n pieces.
>Of course, the key could be moved to another HSM by the initial m-of-n
>people, it could be *re*-encrypted to n' pieces and some other m' people
>required. The n and n' people could completely or partially overlap.
There are four HSMs. Any one of them can be used for a KSK Ceremony.
>{BTW: When I read the KSK ceremony script, at:
>
>https://data.iana.org/ksk-ceremony/40/20200216-KC40-Ceremony_Script_Annotated.pdf
>
>I see that the KSR arrives on a smartcard.}
A Flash Drive is inserted in Step 5 (Page 14). The KSR is on it.
>It seems that the secrets which are split up are kept in the/a safe, using a
>safety deposit box, and it is further in a tamper resistant bag.
>The TCR retains the key to the safety deposit box. Am I correct that the
>secret split never leaves the room, so "m" TCRs can not actually reconstruct
>she key on their own? I'm unclear what kind of media the secret is stored
>on, but I understand it plugs straight into the HSM, not the control laptop.
The secret spit never leaves the room. The Crypto Officers cannot
reconstruct the key on their own.
>(BTW: I recognize that I'm reading KSK and ZSK documents at the same time)
>
>I was surprised at the lack of references in the dps documents to any theory
>about how this process was created. This is what I am looking for: a
>palette of ways to make key ceremonies for a variety of different threat
>levels.
I suggest looking at NIST SP 800-57.
Regards,
S. Moonesamy
More information about the ksk-rollover
mailing list