[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: FW: RE: Some comments on the PKCS11 HSS Draft
Hi all, We would like to share some comments on the PKCS11 HSS Draft from Philip Lafrance and Mark Paruzel of ISARA corporation, in hopes of opening up the discussion to the whole group. The current draft can be found at: https://www.oasis-open.org/committees/document.php?document_id=66342 The full conversation thread can be found below, but to summarize, the main concerns are:
We look forward to any feedback you may have! Michelle From: Michelle Brochmann Hi Mark, We hadn’t considered this issue. In fact, Jonathan points out that some HSMs have specialized hardware that can perform operations much faster than a general purpose CPU. Still, since this kind of signature scheme does take a relatively long time for key generation and signing, we expect that it would be used in applications (such as code-signing) where this kind of wait is acceptable. We aren’t sure exactly what you mean by “PKCS11 connection timeouts” – is this something specific in the PKCS11 framework or just timeouts that will occur in applications using PKCS? Michelle From: Mark Paruzel <Mark.Paruzel@isara.com> Hi Michelle, Have you and your team given thought to how the long-running nature of HSS key gen impacts PKCS11 connection timeouts? On modern desktops, a H25-W8 tree could take many hours to compute. HSMs generally run on slower hardware compared to their desktop counterparts, which may result in a key generation ceremony that runs for 24+ hours. How do you suppose this impacts connection timeouts in P11? Cheers, -M From: Philip Lafrance Good morning all, By all means, feel free to share these comments with the P11 group. I’d also be curious to hear the comments provided by the other TC members. Best regards, Philip From: Michelle Brochmann <mbrochmann@infoseccorp.com> Hi Philip and Mark, Thanks for the additional information. Do you mind if I forward this to the OASIS PKCS11 mailing list for further discussion? Michelle From: Philip Lafrance <Philip.Lafrance@isara.com> Hello Michelle, I hope you’re well. Sorry for the delayed response on this. I’ve also cc’d my colleague Mark Paruzel on this thread. As per your proposed text: "An OCTET-STRING containing the information needed, in the context of the vendor-determined implementation, to obtain the private key information necessary to generate the next signature. This will include seed or other information necessary to generate the full HSS tree, and must include state information unless the state is maintained separately by the HSM." I like this—and I agree that the second sentence is probably not necessary. The important thing is that state information is not specified by the user. Rather, it should be handled mechanically by the HSM so as to mitigate the possibility of human error. We almost feel as though the requirement should be that state must be handled separately inside the HSM, and likely out of band of P11 or in a private key blob/format. Doing so would force implementors to treat the state as a special blob with special rules. This would yield new operational measures (from an administrative point of view) that treat the state in a careful manner with respect to backup/restore and key propagation. Regarding the NIST document. It is still a draft, and comments will be accepted by NIST up until the end of February. Our thinking is that wholesale banning of exporting keying material is not a good idea, and probably causes more problems than it solves. I’m not sure what your timeline is for getting your document published, but we should be careful to note that the requirements in the current SP 800-208 draft are subject to change. That said, we agree that back-up/restore mechanisms should be vendor defined. Best regards, Philip & Mark --
From: Michelle Brochmann <mbrochmann@infoseccorp.com> Hi Philip, Thanks again for bringing up these points. It seems that they can largely be mitigated by a simple change – instead of the current highly prescriptive definition of the CKA_VALUE in the private key, replace the “Meaning” entry in Table 1.5 with the following: "An OCTET-STRING containing the information needed, in the context of the vendor-determined implementation, to obtain the private key information necessary to generate the next signature. This will include seed or other information necessary to generate the full HSS tree, and must include state information unless the state is maintained separately by the HSM." What do you think of this? I’m not sure if the second sentence is necessary. Another thing we have noticed is that in this draft: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208-draft.pdf “It requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported.” Since the NIST pub says they can't be exported, do you agree that the PKCS#11 spec should ban export/import of private certificates? If it is not exportable, backup/restore and the prevention of accidental key reuse will be the responsibility of the HSM vendor. And, if we don't allow import/export, do we even need to specify the private key in the template? Thanks, Michelle From: Philip Lafrance <Philip.Lafrance@isara.com> Thanks for the speedy reply! I appreciate that. Additionally, we’re open to further collaboration going forward if you’re interested. I’m still new to OASIS and am learning how the TC operates, but I feel this is very important work. So, thank you for proposing this draft in the first place! I’m glad to see other people are taking this seriously. Best regards, Philip --
From: Michelle Brochmann <mbrochmann@infoseccorp.com> Dear Philip, Thank you very much for this information. I’m sharing it with my supervisors (cc’d in this reply) and hopefully it will spark some discussions leading to important improvements in the draft! Sincerely, Michelle From: Philip Lafrance <Philip.Lafrance@isara.com> Greetings Michelle, I hope this e-mail finds you quite well. My name is Philip Lafrance, from ISARA Corp. in Waterloo, Canada. I’ve only recently joined the PCKS#11 TC. Our team here has been developing, testing, and using HSS (and other hash-based schemes) for over four years now, and have amassed some knowledge in this area. Notably some of our team members were contributors to the HSS RFC. We have been working on a potential P11 draft as well, but it seems you beat us to the punch. If you would be so kind as to oblige me, I have some comments regarding your current draft. First, regarding the private key data in section 1.1.3. The private key format for CKA_VALUE states: “8 bytes encoding the private key index as a big-endian integer (initially 0, then updated whenever a signature is performed).” A few points on this:
Second, we have found that storing the state information with the private key is especially troublesome; for a few reasons. The possible consequences of these issues are that it allows for accidental reuse of state and implementation limitations. Here are some thoughts:
By removing state from the private key, many of the above issues are mitigated. Hardware vendors can come up with custom ways to tackle any remaining issues, such as transferring state from one machine to another. We found that by treating the state as an object separate from the private-public key pair, users are forced to think of this scheme carefully. I hope you will find these comments useful, and I look forward to your reply. Best regards, Philip Lafrance --
|
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]