[ksk-rollover] ICANN to generate new KSK

Michael StJohns msj at nthpermutation.com
Fri Mar 1 20:34:28 UTC 2024


Hi - comments inline


On 2/29/2024 2:50 PM, Andres Pavez wrote:
>
> Hi Mike,
>
> Thales Luna USB G7 HSM is a standalone hardware cryptographic module. 
> The cryptographic module is contained in its own enclosure that 
> provides physical resistance and tamper-evidence. Any tampering that 
> might compromise a module's security is detectable by visual 
> inspection of the physical integrity of a module.
>
> Within the plastic enclosure, a hard opaque epoxy covers the circuitry 
> of the cryptographic module. Attempts to remove this epoxy will cause 
> sufficient damage to the cryptographic module so that it is rendered 
> inoperable.
>
My ideal is that damage to the cryptographic module renders the key 
material unrecoverable and it's unclear that 'inoperable module' ~= 
'unrecoverable key material'.  From the description of the module, I 
would assume that the key material is stored in persistent flash or 
similar storage.  It appears from the HSM description that an unpowered 
unit has no means to wipe its persistent storage.

Most similar systems (e.g. smart cards) do something like encrypting the 
keys under a PUF or a per device generated global key, but it's possible 
that, with enough dollars, an attacker could either cause the device to 
emit the key, or make the key usable in some fashion.

Other HSMs in the same field (e.g. the Luna K7) support the erasure of 
this key encryption key on tamper. I'm kind of curious why you settled 
on this model rather than something with a bit more active protection.  
Here's the public policy document related to the L3 certification. 
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4090.pdf. 
Note that both the USB version above and this K7 talk about L3 + EFP.  
Interestingly, EFP means different things to different modules.

I did see the offhand comment about batteries being a single point of 
failure in the document you pointed to below... that was the single 
comment about active tamper. I hope the actual decision document spent 
more time on tamper than this.

> The module is designed to sense and respond to out-of-range 
> temperature conditions as well as out-of-range voltage conditions. The 
> temperature and voltage conditions are monitored in the power-on 
> state. If the module senses an out-of-range temperature or over 
> voltage, the module will reset itself, clear all working memory and 
> log the event.
>
This is generic fuzzing protection.  It's good, sort of mandatory to be 
taken seriously, but not unique. Credit cards have this. Unclear from the 
Luna HSM website if the module will zeroize itself under certain conditions.

> The module is accessed directly (i.e., electrically) over the USB 
> interface. It also has an LCD touchscreen for displaying system status.
>
> It has a small internal backup battery (3.6V) that is only used to 
> power the module's real-time clock.
>
Let's say the battery gives out in 5 years.  Does this have any effect 
on the signing process?   Does the RTC of the HSM module feed into the 
signature process? What functionality of the HSM, if any, is affected by 
the presence or failure of the RTC?

> The HSM will be stored in a Secure Transport Mode (STM). A random 
> string and a fingerprint of the internal state of the module is output 
> from the module. The fingerprint is a SHA2-256 digest of the random 
> string, module CSPs, firmware, module configuration information, and 
> non-volatile memory. Only the HSM Security Officer (SO) credential can 
> put the module into STM and take it out of STM.
>
When in SecureTransportMode - are any of the keys super-encrypted?  E.g. 
if it's stored in STM, is the key internally in a form that does not 
require decryption by the CO credentials?  In other words, is this a 
policy wrapper to the key material or a cryptographic wrapper?

What happens if the CO credentials are lost or stolen?  Are they kept 
with or near the HSM?

> Additionally, the HSM will be stored in a Tamper-Evident Bag (TEB) 
> inside of the safe.
>
That's useful.  Are the TEBs serialized? How and where are the serials 
recorded and is that record immutable?  What is the process for 
verifying the non-tamper status of the bag?

Thanks for the previous answers - unfortunately they prompted the above 
questions.

I have read the document whose link you provided below...

Later, Mike


> More information about the analysis of the HSM selection can be found 
> here 
> https://www.icann.org/en/system/files/files/hardware-security-module-replacement-2024-28feb24-en.pdf 
>
>
> This goes into detail outlining the differences between the FIPS 
> security levels, tamper monitoring levels, etc.
>
> Responding to your specific questions:
>
> Is there an internal battery?
>
>   * Only the small internal backup battery (3.6V) is used to power the
>     module's real-time clock.
>
> Is it replaceable?
>
>   * No
>
> How often does this USB HSM need to be plugged into power to maintain 
> the internal battery?
>
>   * Doesn't have an internal battery to power the cryptographic module.
>
> What happens if you leave it in a safe for a year - or alternately, 
> how long can the unit remain unplugged before it wipes its keys?
>
>   * The keys will remain in the HSM as long as the HSM is not tampered with.
>
> What's the lifetime of the battery before replacement?
>
>   * There is no battery to power the cryptographic module that needs
>     replacement.
>
> Best regards,
>
> --
>
> Andres Pavez
>
> Cryptographic Key Manager
>
> On 2/29/24, 10:21, "ksk-rollover on behalf of Michael StJohns via 
> ksk-rollover" <ksk-rollover-bounces at icann.org on behalf of 
> ksk-rollover at icann.org> wrote:
>
> Hi -
>
> The product brief for the Luna USB G7 doesn't provide a lot of data. 
> The previous HSM provided level four hardware protection - e.g. a 
> tamper perimeter and the ability to zeroize the keys if someone tried 
> to decap the thing.  That's almost entirely dependent on having a 
> constant power source - usually a three stage line/battery/capacitor 
> model.
>
> On the PCI cards, there's a Li ion battery - a rather large one - on 
> the card just in front of the tamper covered HSM engine. See 
> https://thalesdocs.com/gphsm/luna/7/docs/pci/Content/install/pci_hw_install/battery_replace.htm
>
> The older luna USB HSM had a battery compartment - I can't see one on 
> the images I've been able to find of the current one.  It was also a 
> most Level 2 device with L3 security.
>
> My questions are these: Is there an internal battery? Is it 
> replaceable? How often does this USB HSM need to be plugged into power 
> to maintain the internal battery?  What happens if you leave it in a 
> safe for a year - or alternately, how long can the unit remain 
> unplugged before it wipes its keys?  What's the lifetime of the 
> battery before replacement?
>
> Later, Mike
>
> On 2/28/2024 7:20 PM, James Mitchell via ksk-rollover wrote:
>
>     ICANN has announced the schedule to generate the next KSK.
>
>     Generating a new KSK restarts the process announced last year,
>     which was suspended after it was identified that a supplier of key
>     equipment used to store the KSK (known as a Hardware Security
>     Module, or HSM) would be exiting the business during the expected
>     lifespan of the new KSK.
>
>     The next KSK will be generated on new Thales Luna USB G7 HSMs.
>
>     The announcement and information regarding the new HSMs is
>     published at
>     https://www.icann.org/en/announcements/details/icann-to-generate-new-dns-cryptographic-key-at-april-2024-ceremony-28-02-2024-en.
>
>     James Mitchell
>
>     IANA