Re: Proposal for a new PKI model (At least I hope it's new)

From: George Ou (533george_ou234_at_netzero234.com)
Date: 09/06/03


Date: Sat, 06 Sep 2003 20:24:02 GMT

On Sat, 06 Sep 2003 11:21:48 GMT, Bryan Olson
<fakeaddress@nowhere.org> wrote:

>George Ou wrote:
>
> > No security system can withstand an attack from its own
> > administrator. I can't worry about a moot point since there is no way
> > to defend that EVER!
>
>CAs often require "dual control", meaning that no one person
>acting alone can do anything interesting, so it takes at least
>two people acting in collusion to violate security (or at least
>one acting maliciously and one ignoring what he's supposed to
>do).

I completely agree. I'm just pointing out the benefit of HSMs over
storing the private key in your issuing CA or Web Server.

Some of the better HSMs require 2 smart cards to back up the private
key to tape.

>For example, we might divide the operations staff into Team
>Alpha and Team Bravo. We might have two biometric systems
>side-by-side controlling entry to the computer room, one under
>control of each team, so that a member of each team is required
>in order to enter the room. We could use a secure token system
>that requires two keys to activate the token, and keep the
>activation material in two safes, one under control of Alpha and
>the other under control of Bravo. Logs could go to both an
>Alpha and Bravo logging host, so no individual could falsify
>them without detection.

Completely agree.

>The ultimate in dual-control is split-control signatures, where
>the key exists in two shares, neither of which is sufficient to
>sign anything. The two teams must cooperate to produce
>signatures. That wasn't possible for the CA I helped build (no
>practical two-party split-control scheme is known for DSA/ECDSA
>signatures), so we went with the Alpha-Bravo stuff above.

Ah, but that is exactly what my paper proposes. Two independent root
CAs per name space, each only having 50% signing power for maximum
level certificates. One would suffice for the basic level certs. I'm
promoting just such a scheme.

> > My job is to make sure that no external attacker
> > can steal the system, and if they do, make sure I know about it so I
> > can revoke it. That's common sense.
>
>That's wrong. Insider attacks are a much greater source of loss
>than external attacks.

Good point, I didn't mean to imply that you should ignore the inside
jobs. Having internal checks and balances for top secret info is
critical. Thanks for the correction.

> >>>You show me one instance that a special purpose HSM has been shown
> >>>to be vulnerable to be coaxed into divulging its private key.
> >>
> >>How about Mike Bond et al's attack on the IBM 4758, which is a FIPS 140-1
> >>class 4 device (the only one certified at level 4, I think).
> >
> > Were they able to break into a secured building with cameras and
> > security guards, crack the thing open and steal the private key, and
> > do it in such a way that they don't tip anyone off? I don't care if
> > they got the stupid thing in some lab with all the time in the world,
> > that's fine and dandy as a piece of research. It ain't practical, and
> > that's all anyone can ask.
>
>They did exactly what you asked: coaxed it into divulging
>private keys. They exploited a defective combination of
>features in IBM's CCA software for the 4758. It was entirely
>practical, though it did require user-level access.

Could they have done it in the scenario I raised? And do it in an
undetectable way? Did they need physical access? This is why root
CAs should be off the wire.

George Ou
http://www.LANArchitect.net
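
The split-control signature idea discussed in this thread (a key held as two shares, neither able to sign alone), sketched for RSA as an added example that is not part of the original post or of either poster's system. It uses an additive split of the private exponent, which works for RSA; the thread notes no practical two-party scheme was known for DSA/ECDSA. Assumptions: all function names are hypothetical, the primes are constructed toy values, this is unpadded textbook RSA, and a trusted dealer performs the split and then destroys the full exponent.

```python
import hashlib
import secrets

# Constructed toy parameters: two well-known Mersenne primes, far too small
# for real use. A production CA would use an HSM-backed key and proper padding.
P = 2**89 - 1
Q = 2**127 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # full private exponent; the dealer destroys it after splitting


def digest(message: bytes) -> int:
    """Hash the message and reduce it into the RSA group (no padding: toy only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def split_key(d: int, phi: int) -> tuple[int, int]:
    """Additive split: d_alpha + d_bravo == d (mod phi). Each share alone is random."""
    d_alpha = secrets.randbelow(phi - 1) + 1
    d_bravo = (d - d_alpha) % phi
    return d_alpha, d_bravo


def partial_sign(message: bytes, share: int) -> int:
    """One team's contribution, computed with only that team's share."""
    return pow(digest(message), share, N)


def combine(sig_alpha: int, sig_bravo: int) -> int:
    """h^d_alpha * h^d_bravo == h^(d_alpha + d_bravo) == h^d (mod N)."""
    return (sig_alpha * sig_bravo) % N


def verify(message: bytes, signature: int) -> bool:
    """Ordinary RSA verification: relying parties see a normal signature."""
    return pow(signature, E, N) == digest(message)


if __name__ == "__main__":
    alpha, bravo = split_key(D, PHI)
    cert = b"CN=example.test, level=maximum"  # constructed sample input
    sa, sb = partial_sign(cert, alpha), partial_sign(cert, bravo)
    print("alpha alone :", verify(cert, sa))
    print("bravo alone :", verify(cert, sb))
    print("combined    :", verify(cert, combine(sa, sb)))
```
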


