Is this the first ever practically-deployed use of a threshold scheme?

Jakob Schlyter jakob at kirei.se
Mon Aug 2 18:16:34 EDT 2010


On 2 aug 2010, at 16.51, Jeffrey Schiller wrote:

> Does the root KSK exist in a form that doesn't require the HSM to
> re-join, or more to the point if the manufacturer of the HSM fails, is
> it possible to re-join the key and load it into a different vendor's
> HSM?

With the assistance of the vendor (or their employees), it would be possible to reassemble the storage master key (SMK) by combining 5 of 7 key shares, then decrypting the key backup. There is nothing in the HSM units themselves that is needed for a key restore.

> In other words, is the value that is split the "raw" key, or is it in
> some proprietary format or encrypted in some vendor internal key?

The value that is split is the SMK, used to encrypt the actual key. The actual key is not split and, once in production, is never to be transported outside the ICANN Key Management Facility.

> Back in the day we used an RSA SafeKeyper to store the IPRA key (there
> is a bit of history, we even had a key ceremony with Vint Cerf in
> attendance). This was the early to mid '90s.

Aha, that's why Vint was so on top of things during the East Coast key ceremony :-)

> The SafeKeyper had an internal tamper key that was used to encrypt all
> exported backups (in addition to the threshold secrets required). If
> the box failed, you could order one with the same internal tamper
> key. However you could not obtain the tamper key and you therefore
> could not choose to switch HSM vendors.

In this case, the SMK == the tamper key.


	jakob

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
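
Added example (not part of the original message, and not ICANN's or the HSM vendor's code): the "5 of 7" reassembly of the SMK described above, sketched with Shamir's secret sharing over a prime field. The choice of Shamir's scheme, the prime P, the constructed SMK value, and the names split, recover and demo are assumptions; the message does not say which threshold scheme the HSM uses, and the backup decryption step is not shown.

```python
import secrets
from itertools import combinations

# Assumption: Shamir's scheme over GF(P). The post does not name the scheme
# the HSM uses. P = 2**521 - 1 is a Mersenne prime, larger than a 256-bit key.
P = 2**521 - 1
THRESHOLD, SHARES = 5, 7  # "5 of 7 key shares", from the post


def split(secret, k=THRESHOLD, n=SHARES):
    """Return n points on a random degree-(k-1) polynomial f with f(0) = secret."""
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover(shares):
    """Lagrange-interpolate f(0) from the given (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def demo():
    """Constructed SMK: check every 5-share subset, then a 4-share attempt."""
    smk = secrets.randbits(256)  # stand-in for the storage master key
    shares = split(smk)
    every_quorum_ok = all(recover(list(q)) == smk
                          for q in combinations(shares, THRESHOLD))  # 21 subsets
    four_share_hit = recover(shares[:THRESHOLD - 1]) == smk
    return every_quorum_ok, four_share_hit
```

Any of the 21 five-share subsets yields the same value, while four shares interpolate to an unrelated field element, which is why a restore needs a quorum of share holders plus the encrypted backup and nothing from the HSM itself.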


