[Pki-devel] lightweight sub-CAs; updated design

Christina Fu cfu at redhat.com
Fri Oct 17 17:04:32 UTC 2014 

sorry I missed a few folks in my reply ...

On 10/17/2014 10:01 AM, Christina Fu wrote:
> Hi Fraser,
>
> This response is for the "Key generation and storage" part of the design.
>
> First of all, Dogtag does provide symkey retrieval via a JNI package 
> which provides interface to NSS called "symkey".  There had been talks 
> of merging symkey functionalities into JSS (which is also a JNI 
> package that provides interface to NSS) in the future.
>
> In fact, for years, Dogtag has been doing what's similar to what 
> Petr^2 Spacek described with DNSSEC, the wrapping/unwrapping of keys 
> on both NSS softtoken as well as supported HSMs for distribution 
> without ever disclosing any private keys in memory.
> This is the most basic requirement for Common Criteria for RHCS.
> This is just to assure you that whatever you need, it's most likely 
> already there and more.
>
> BTW, I'm not familiar with "SoftHSM".  The name itself sounds like an 
> oxymoron, but we don't have to get into that ;-).
>
> As far as HSMs go, once keys are generated, you are not going to be 
> able to export any private keys out of it unless they are temporary 
> and non-sensitive keys, which should not be the case for CA signing keys.
> In practice, since HSMs are expensive, people use net HSM so servers 
> can share the same hardware unit as long as they are within the same 
> secured network, which means that you don't have to try to distribute 
> the certs and keys, as long as you have the right 
> permission/privileges and enough info to access such network shared HSM.
> In cases when sharing of an HSM is not possible, HSM vendors provide 
> assistance to "copy" keys from one HSM to another.  When our customers 
> run into that, we ask our customers to contact their vendor(s).
> In some situations, process can be taken to generate keys on soft 
> token in a secure and isolated location and manually import to 
> individual HSMs.
> What you do not want to do, is to put your CA signing keys anywhere 
> other than an isolated backup facility or in the token itself, no 
> matter how many times you wrap it.  Ciphers get cracked every few 
> years, and when your CA private keys are compromised, the consequences 
> are insurmountable.
> You might ask, why then KRA keeps the wrapped user private keys on the 
> ldap server for archival/recovery?  The answer is very simple. Those 
> are user keys.  It would be bad if they are compromised, but not as 
> bad or widespread.  Also, those user private keys are wrapped with 
> individual session keys (every key is different), unlike what DNSSEC 
> is doing with one single "master key", if I read it correctly (I 
> apologize I did not have time to look into DNSSEC at all).
> Anyway, Dogtag has a long history of serving facilities that require 
> high security, so that's why it is what it is today.
>
> Hope this helps.
> Christina
>
>
> On 10/16/2014 12:05 AM, Fraser Tweedale wrote:
>> On Wed, Oct 15, 2014 at 03:58:51PM +0200, Petr Spacek wrote:
>>> On 15.10.2014 14:48, Simo Sorce wrote:
>>>> On Wed, 15 Oct 2014 17:48:35 +1000
>>>> Fraser Tweedale <ftweedal at redhat.com> wrote:
>>>>
>>>>> On Wed, Oct 15, 2014 at 01:38:09AM -0400, Ade Lee wrote:
>>>>>> On Wed, 2014-10-15 at 01:15 -0400, Ade Lee wrote:
>>>>>>> On Fri, 2014-10-03 at 17:54 +1000, Fraser Tweedale wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> Just landed a big update to the lightweight sub-CAs design
>>>>>>>> proposal: http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs.
>>>>>>>>
>>>>>>>> I plan to start the implementing next week.  Aside from general
>>>>>>>> design review, specific things I need input on are:
>>>>>>>>
>>>>>>>> 1)
>>>>>>>>
>>>>>>>> How to propagate newly-generated sub-CA private keys to clones
>>>>>>>> in an automated way, and how to store them.
>>>>>>>>
>>>>>>> I'll comment about that in the IPA thread.  I had thought that the
>>>>>>> keys etc. would reside in the primary CA certdb.
>>>>>>>
>>>>>> Actually, I'll respond here because the IPA thread has moved
>>>>>> slightly away from this.  In the IPA thread, there is discussion of
>>>>>> storing the keys in ldap encrypted by some master key - which
>>>>>> presumably would be stored in the certdb.
>>>>>>
>>>>>> Decrypting the signing key and keeping it in memory is absolutely a
>>>>>> no-no.  The CA signing key material should only be present in the
>>>>>> HSM/softoken - and should never be exposed unencryted outside the
>>>>>> token. All crypto operations must be done there.  That most likely
>>>>>> means storing the data in the NSS certdb.
>>>>>>
>>>>> The design of key distribution could follow the DNSSEC design; see
>>>>> Petr Spacek's comments in this thread:
>>>>> https://www.redhat.com/archives/freeipa-devel/2014-October/msg00080.html 
>>>>>
>>>>> Presumably this design for key distribution has received some
>>>>> thorough attention.  Perhaps some of the assumption for DNSSEC do
>>>>> not hold for Dogtag. I have copied Petr and Simo for their input.
>>>> We use a softHSM for the DNSSEC stuff (in theory can be replaced by a
>>>> hw HSM too), and keys are handed within it only.
>>> We are finishing DNSSEC right so I don't have time to study sub-CA 
>>> design
>>> right now. For this reason I'm replying only with general statements:
>>>
>>> - SoftHSM can be used as generic purpose token with PKCS#11 interface.
>>> - It supports multiple "PKCS#11 slots" in single SoftHSM 
>>> installation so
>>> data can be separated as necessary: Each "slot" stores data in separate
>>> directory (with potentially different filesystem permissions, PINs 
>>> etc.)
>>> - Upstream is responsive and accepts patches with new features (i.e.
>>> unimplemented pieces of PKCS#11 standard) without problems.
>>> - SoftHSM v2 code could use some cleanup but it has clear design and
>>> structure and I don't see extensibility problems.
>>> - Storage & crypto backends have clearly defined API so it should be
>>> possible to implement own back-ends (LDAP & NSS, if necessary).
>>>
>>> Generally I don't see a reason why it couldn't not be used for as key
>>> storage mechanism for replicas (sub-CA keys, KDC master key, etc.) 
>>> or even
>>> for clients (GNOME keyring backed with SSSD-SoftHSM tandem).
>>>
>>> -- 
>>> Petr^2 Spacek
>> Thanks Simo and Petr for your input.
>>
>> After some more investigation it looks like all the crypto in
>> Dogtag, including for KRA etc, is performed within the
>> ``CryptoManager`` facility.  With that in mind, I've got a more
>> concrete implementation proposal that also uses ``CryptoManager``.
>> If it proves insufficient I will embark on a more detailed analysis
>> of feasibility/implications of bringing SoftHSM as a Dogtag
>> dependency (and remain open to other key distribution ideas).
>>
>> One difference between the DNSSEC/SoftHSM design is that the master
>> key has to be unwrapped each time a sub-CA key needs to be
>> installed.  This was because I couldn't see a way to store and
>> retrieve a specific SymmetricKey in CryptoManager/CryptoToken. If
>> there's a way to do this and I've just overlooked it, let me know.
>> But I don't think the security of the scheme is impacted ; it just
>> means that there's a bit of repeated work when we import sub-CA keys
>> from the database.
>>
>> Direct link to key distribution implementation detail in the design 
>> proposal:
>> http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs#CryptoManager_based_implementation 
>>
>>
>> Cheers,
>>
>> Fraser
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

More information about the Pki-devel mailing list