[ksk-rollover] ceremonies in April, and managing things less critical and the KSK.

S Moonesamy sm+icann at elandsys.com
Sun Apr 5 17:30:28 UTC 2020

Hi Michael,
At 06:39 PM 04-04-2020, Michael Richardson wrote:
>https://www.iana.org/dnssec/dps/zsk-operator/dps-zsk-operator-v2.0.pdf says:
>5.2.2. Private key (m-of-n) multi-person control
>  Verisign has implemented technical and procedural mechanisms that
>  require the participation of multiple trusted individuals to perform
>  sensitive cryptographic operations. Verisign uses "Secret Sharing"
>  to split the activation data needed to make use of a RZ ZSK private
>  key into separate parts called "Secret Shares" which are held by
>  trained and trusted individuals called "Shareholders." A threshold
>  number of Secret Shares (m) out of the total number of Secret Shares
>  created and distributed for a particular HSM (n) is required to
>  activate a RZ ZSK private key stored on the module. The threshold
>  number of shares needed to sign a root Zone File is 3. It should be
>  noted that the number of shares distributed for disaster recovery
>  tokens may be less than the number distributed for operational HSMs,
>  while the threshold number of required shares remains the same.
>  Secret Shares are protected in accordance with this DPS.

The document which you cited is for the Root Zone Maintainer (Verisign).

>I think that the HSM keeps the private key (RSA) encrypted.
>The key that is used to do this encryption (probably AES256) is the thing
>that is secret-split among the n-shareholders.  I understand that m=3.
>It says "a particular HSM", so does this mean that the encryption key
>used to encrypt the private RSA key is different in different HSMs (at
>different locations), and a *different* m people are required to activate it?
>I would think that the different HSM would synchornize the encrypted copy of
>the private key, and thus the split secret would be the same n pieces.
>Of course, the key could be moved to another HSM by the initial m-of-n
>people, it could be *re*-encrypted to n' pieces and some other m' people
>required.   The n and n' people could completely or partially overlap.

There are four HSMs.  Any one of them can be used for a KSK Ceremony.

>{BTW: When I read the KSK ceremony script, at:
>I see that the KSR arrives on a smartcard.}

A Flash Drive is inserted in Step 5 (Page 14).  The KSR is on it.

>It seems that the secrets which are split up are kept in the/a safe, using a
>safety deposit box, and it is further in a tamper resistant bag.
>The TCR retains the key to the safety deposit box.  Am I correct that the
>secret split never leaves the room, so "m" TCRs can not actually reconstruct
>she key on their own?   I'm unclear what kind of media the secret is stored
>on, but I understand it plugs straight into the HSM, not the control laptop.

The secret spit never leaves the room.  The Crypto Officers cannot 
reconstruct the key on their own.

>(BTW: I recognize that I'm reading KSK and ZSK documents at the same time)
>I was surprised at the lack of references in the dps documents to any theory
>about how this process was created.   This is what I am looking for: a
>palette of ways to make key ceremonies for a variety of different threat

I suggest looking at NIST SP 800-57.

S. Moonesamy 

More information about the ksk-rollover mailing list