[Cryptography] HSM's to be required for Code Signing Certificates
Thierry Moreau
thierry.moreau at connotech.com
Mon Jan 30 10:17:02 EST 2017
On 30/01/17 06:34 AM, Peter Gutmann wrote:
> Thierry Moreau <thierry.moreau at connotech.com> writes:
>
>> This (or the mere count of digital signature operations performed during an
>> HSM session, reported in a trustworthy way) is actually missing from the most
>> readily documented HSM deployment project, the DNSSEC root KSK signature
>> ceremonies held by IANA on a regular basis.
>
> What's the threat here, and how would this defend against it?
The threat model is a good question, and I have no answer to share.

I used the ICANN/Verisign/NIST determination to make a globally trusted
HSM deployment as a study case for cryptographic controls implemented
transparently and "to the highest standards."

(The transparency aspect is more readily present if one refers to the
process design documents pre-dating the first ceremony.)

The defense potential is as follows. The KSK signing ceremony outputs a
known number of ZSK-certification digital signatures. If the bad guys
are controlling the laptop during a legitimate ceremony, they might
harvest a few extra signatures from the HSM (i.e. certifying their own
ZSK public key for which they control the private counterpart). If the
HSM reported the number of signatures actually performed on its own
display, it would allow a ceremony witness to confirm that the HSM did
not do this service to the bad guys.
>
>> The evil is in the details! Believe me, or look at
>>
>> https://data.iana.org/ksk-ceremony/
>
> Ugh. I gave up after "Fratres, agnoscamus peccata nostra, ut apti simus ad
> sacra mysteria PKI celebranda". Do they dress in priest's robes in the
> videos?
As a matter of fact, no.
>
> Peter.
>