On 17.10.2014 19:04, Christina Fu wrote:
In some situations, process can be taken to generate keys on soft token in a
secure and isolated location and manually import to individual HSMs.
What you do not want to do, is to put your CA signing keys anywhere other than
an isolated backup facility or in the token itself, no matter how many times
you wrap it. Ciphers get cracked every few years, and when your CA private
keys are compromised, the consequences are insurmountable.
You might ask, why then does KRA keep the wrapped user private keys on the LDAP
server for archival/recovery? The answer is very simple. Those are user
keys. It would be bad if they were compromised, but not as bad or widespread.
Also, those user private keys are wrapped with individual session keys (every
key is different), unlike what DNSSEC is doing with one single "master key",
if I read it correctly (I apologize I did not have time to look into DNSSEC at
all).
Just to clarify why we did what we did with DNSSEC key distribution: The
approach with "one master key" for DNSSEC was used because it scales very well
and DNSSEC keys are relatively short-lived.
"Master key" is right now AES 128 bit and DNSSEC keys are RSA 2048 bit so it
is easier to attack the RSA keys directly anyway.
In our setup it is very easy to change all keys including replica and master
keys because all parts can cope with using multiple replica/master keys at the
same time - old keys can be used only for unwrapping and only the newest key
is used for wrapping.
(The underlying assumption is that the IPA LDAP DB is a safe way of
communication/public key publication. DNSSEC keys are used to sign data read
from LDAP, so IMHO there is no point in attacking crypto if you can simply
change data in the DB and let the server sign it for you.)
Also, DNSSEC keys do not have the same problem as CA keys: Any DNSSEC zone key
(except DNS root - which is not the case for IPA :-) can be exchanged at almost
any time. You only need to send your new zone public key to your parent domain
and wait ~ 3 DNS TTLs (the TTL is configurable).
So, if you are paranoid you can rotate all keys e.g. bi-weekly and you will
not need to touch clients - ever.
Anyway, I will be very glad if you could review the design more deeply when
you have time. It would be only better if we have more eyes on it.
Have a nice day!
--
Petr^2 Spacek
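
The rotation rule from the reply above (old master keys are used only for unwrapping, only the newest key wraps), as an added Go example that is not part of the thread or of FreeIPA's code. It assumes AES-GCM as the wrapping mechanism; the `Keyring` type, its method names and the blob layout are hypothetical, since the thread specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Keyring struct{ aeads []cipher.AEAD } // index = master key ID; last entry wraps

// Rotate adds a new AES master key; older keys stay usable for unwrapping.
func (k *Keyring) Rotate(key []byte) error {
	b, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return err
	}
	g, err := cipher.NewGCM(b)
	if err == nil {
		k.aeads = append(k.aeads, g)
	}
	return err
}

// Wrap output (layout assumed for this example): keyID(1) | nonce(12) | ct+tag.
func (k *Keyring) Wrap(secret []byte) ([]byte, error) {
	n := len(k.aeads)
	if n == 0 || n > 256 || k.aeads[n-1] == nil {
		return nil, fmt.Errorf("no usable wrapping key (%d on ring)", n)
	}
	hdr := append([]byte{byte(n - 1)}, make([]byte, 12)...)
	if _, err := rand.Read(hdr[1:]); err != nil {
		return nil, err
	}
	return k.aeads[n-1].Seal(hdr, hdr[1:], secret, hdr[:1]), nil
}

// Unwrap picks the key named in the blob; a nil entry is a retired key.
func (k *Keyring) Unwrap(blob []byte) ([]byte, error) {
	if len(blob) < 29 || int(blob[0]) >= len(k.aeads) || k.aeads[blob[0]] == nil {
		return nil, fmt.Errorf("malformed blob or retired master key")
	}
	return k.aeads[blob[0]].Open(nil, blob[1:13], blob[13:], blob[:1])
}

func main() {
	kr := &Keyring{}
	fmt.Println(kr.Rotate([]byte("constructed-key0"))) // constructed 16-byte key
	fmt.Println(kr.Wrap([]byte("constructed zone key")))
}
```

The key ID is authenticated as associated data, so a blob relabelled to point at a different master key fails to unwrap instead of being decrypted under the wrong key.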