<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/5/2014 6:16 PM, Paul Hoffman
wrote:<br>
</div>
<blockquote cite="mid:2A0275AA-FC69-47BC-9714-7EA6BB95D995@vpnc.org"
type="cite">
<pre wrap="">On Oct 5, 2014, at 2:50 PM, Tomofumi Okubo <a class="moz-txt-link-rfc2396E" href="mailto:tomofumi.okubo@gmail.com">&lt;tomofumi.okubo@gmail.com&gt;</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">What you suggested is simply lowering the security level for
convenience as you did not suggest compensating controls.
</pre>
</blockquote>
<pre wrap="">
It wasn't "for convenience", it was to enable us to have a wider choice of HSMs that meet our needs. For example, one of our possible needs is "have HSMs from a variety of manufacturers", which is something you proposed just the other day. Another possible need is "have an HSM that uses the signing algorithm we want", given that there are some people who want to move towards modern elliptic curve signatures in the future.
</pre>
<blockquote type="cite">
<pre wrap="">Instead you
just suggested removing controls as it is overlapping with existing
ones.
</pre>
</blockquote>
<pre wrap="">
I did not propose "removing controls": I proposed meeting specific requirements ourselves if IANA can do it better. If the tamper evidence provided by the additions in the Level 2 part of an HSM's FIPS-140 certification is as good as, or not even as good as, what is provided by IANA's design (the tamper-evident bags), then it is not an actual control. The same is true for Level 3 and Level 4, I believe. I'm not sure, so I'm asking for others who know the specifics of how the levels are met *in HSMs* to comment.</pre>
</blockquote>
<br>
The following table is taken directly from the FIPS 140-2 document.<br>
<blockquote type="cite"><img
src="cid:part1.05090508.01050508@nthpermutation.com" alt=""></blockquote>
<br>
The most important piece you get with Level 4 of this is that when
tamper is detected, zeroization is performed. L4 devices are
designed to the Roach Motel standard - keys check in but they never
check out.<br>
<br>
I'm responding behind a number of other responses. WRT your
original comment, the only thing you get if you remove HSM
protections and keep the tamper stuff is a knowledge that you're
*really* screwed when the tamper seal is broken.<br>
<br>
If the tamper seals are defeated (e.g. the key material is removed
from the tamper bag and copied and returned), you don't even know
that... Then there are all the possible sleight of hand scams that
can take place - cf <a class="moz-txt-link-freetext" href="http://en.wikipedia.org/wiki/Pigeon_drop">http://en.wikipedia.org/wiki/Pigeon_drop</a> for one
example.<br>
<br>
<blockquote cite="mid:2A0275AA-FC69-47BC-9714-7EA6BB95D995@vpnc.org"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">IMHO, it is better to have tamper evidence (level2) and tamper
resistance (level3) at the HSM level.
</pre>
</blockquote>
<pre wrap="">
Why? This is a serious question. Why rely on the tamper evidence and tamper resistance of a system when you can add better functionality for both, which is what IANA is already doing?</pre>
</blockquote>
<br>
The answer to this is that a tamper event causes destruction of the
key material. Tamper evidence or tamper resistance does not by
itself give you any assurance with respect to the underlying key
material.<br>
<br>
<blockquote cite="mid:2A0275AA-FC69-47BC-9714-7EA6BB95D995@vpnc.org"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">I personally think the
environmental controls (level4) might be too much but it is true that
it has controls that protect the cryptographic key from different
types of attacks.
</pre>
</blockquote>
<pre wrap="">
In the case of the HSMs that IANA uses, what specific attacks are those? I would be somewhat surprised if the same controls weren't required for Level 1, but you are more familiar with how HSMs meet the FIPS-140 requirements.</pre>
</blockquote>
<br>
See the above table. A software module can be certified as L1 (and
I believe one of the Mozilla pseudo-PKCS11 software modules is so
certified). It really provides no protection against cloning or
extraction of the key material.<br>
<br>
Mike<br>
<br>
<blockquote cite="mid:2A0275AA-FC69-47BC-9714-7EA6BB95D995@vpnc.org"
type="cite">
<pre wrap="">
--Paul Hoffman
</pre>
</blockquote>
<br>
</body>
</html>