IETF Logo Mail Archive

Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

Olaf Kolkman <olaf@NLnetLabs.nl> Thu, 21 January 2010 11:42 UTC

Return-Path: <olaf@NLnetLabs.nl>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C92953A6A0A for <dnsop@core3.amsl.com>; Thu, 21 Jan 2010 03:42:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VX33RA-P7U01 for <dnsop@core3.amsl.com>; Thu, 21 Jan 2010 03:42:05 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by core3.amsl.com (Postfix) with ESMTP id C87183A6984 for <dnsop@ietf.org>; Thu, 21 Jan 2010 03:42:04 -0800 (PST)
Received: from [IPv6:2001:7b8:206:1:226:bbff:fe0e:7cc7] ([IPv6:2001:7b8:206:1:226:bbff:fe0e:7cc7]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.3/8.14.3) with ESMTP id o0LBftWi084759 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <dnsop@ietf.org>; Thu, 21 Jan 2010 12:41:56 +0100 (CET) (envelope-from olaf@NLnetLabs.nl)
From: Olaf Kolkman <olaf@NLnetLabs.nl>
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/signed; boundary="Apple-Mail-12-151590753"; protocol="application/pkcs7-signature"; micalg="sha1"
Date: Thu, 21 Jan 2010 12:41:50 +0100
In-Reply-To: <200904282021.n3SKL3sg051528@givry.fdupont.fr>
To: dnsop WG <dnsop@ietf.org>
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr>
Message-Id: <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl>
X-Mailer: Apple Mail (2.1077)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.3 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::53]); Thu, 21 Jan 2010 12:41:56 +0100 (CET)
Subject: Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jan 2010 11:42:06 -0000

In trying to get a reasonable version 2 out of the door before Anaheim I am trying to identify and where possibly close open issues.

As a reminder: http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/ has the open issues listed and a per issue highlight of their history.

This thread, about the use of HSMs, is captured in http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/HSMs the content of that page is replicated below.

I believe I captured the gist of the discussion in a modified version of paragraph 3.6 (see below). The first two paragraphs are not modified, the text starting with "The ideal situation" has been.

I welcome editorial comments off-list.

If the chair believes the current text captures consensus I will move this issue to the closed issues list.

--Olaf




$Id: cryptography_flawed 14 2009-02-09 18:54:12Z olaf $
20100121
   The use of HSMs
   Shane Kerr/Ed Lewis
   Added: 21 jan 2010
   http://www.ietf.org/mail-archive/web/dnsop/current/msg07190.html
   and
   http://www.ietf.org/mail-archive/web/dnsop/current/msg07193.html   

   The recommendation to use a HSM is far to strong. Arguments of fate sharing
   and operational overhead are being made on the list.




Discussion:

	From: 	Shane Kerr <shane@ca.afilias.info>
	Subject: 	Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt
	Date: 	April 21, 2009 1:03:58 PM GMT+02:00
	Cc: 	dnsop WG <dnsop@ietf.org>


I believe the key of the thread is captured in the following quotes:


Stephane Bortzmeyer wrote:
> 
> But the risk for the key is not only people modifying it, it is simply
> people *reading* it (a concern which also exists for the database but
> is much less important). 
> 
> I have no practical experience with HSMs but, in my mind, the
> interesting thing is that they guarantee noone will read the key
> without an authorization (that's quite unlike the database where you
> certainly prefer a few unauthorized looks to a complete loss).

This is the key point IMHO.

AIUI, the attack vector that HSM are designed to protect is that someone
makes a copy of your key signing material without you knowing about it.
Once they do that, they can spoof replies until such time as you roll
your key.

If an unauthorized person modifies the contents of the database backing
your zone, you may or may not know about it, but an observant customer
will at least notice that the data has changed.

So the two are not totally equivalent.

Having said that, I agree that HSM hysteria is a bit overblown, and that
the actual DNSSEC signing is very, very unlikely to be the weakest link
in DNS security in any organization.




Resolution:

Following the suggestion from:
	From: 	Peter Koch <pk@DENIC.DE>
	Subject: 	Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt
	Date: 	April 27, 2009 1:19:45 PM GMT+02:00
	To: 	IETF DNSOP WG <dnsop@ietf.org>

I rewrote the text to highlight the economic tradeoff, the relevant part of section 3.6 is copied below.



3.6.  Private Key Storage

   It is recommended that, where possible, zone private keys and the
   zone file master copy that is to be signed be kept and used in off-
   line, non-network-connected, physically secure machines only.
   Periodically, an application can be run to add authentication to a
   zone by adding RRSIG and NSEC RRs.  Then the augmented file can be
   transferred.

   When relying on dynamic update to manage a signed zone [11], be aware
   that at least one private key of the zone will have to reside on the
   master server.  This key is only as secure as the amount of exposure
   the server receives to unknown clients and the security of the host.
   Although not mandatory, one could administer the DNS in the following
   way.  The master that processes the dynamic updates is unavailable
   from generic hosts on the Internet, it is not listed in the NS RRSet,
   although its name appears in the SOA RRs MNAME field.  The
   nameservers in the NS RRSet are able to receive zone updates through
   NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism.  This
   approach is known as the "hidden master" setup.

   The ideal situation is to have a one-way information flow to the
   network to avoid the possibility of tampering from the network.
   Keeping the zone master file on-line on the network and simply
   cycling it through an off-line signer does not do this.  The on-line
   version could still be tampered with if the host it resides on is
   compromised.  For maximum security, the master copy of the zone file
   should be off-net and should not be updated based on an unsecured
   network mediated communication.

   The ideal situation may not be achievable because of economic
   tradeoffs between risks and costs.  For instance, keeping a zone file
   off-line is not practical and will increase the costs of operating a
   DNS zone.  So in practice the machines on which zone files are
   maintained will be connected to a network.  Operators are advised to
   take security measures to shield unauthorized access to the master
   copy in order to prevent modification of DNS data before its signed.

   Similarly the choice for storing a private key in a Cryptographic
   Hardware Security Module (HSM) will be influenced by tradeoff a
   tradeoff between various concerns:

   o  The risks that an unauthorized person has unnoticed read-access to
      the private key

   o  The remaining window of opportunity for the attacker.

   o  The economic impact of the possible attacks (for a TLD that impact
      will in most cases be higher than for an individual users).

   o  The costs of rolling the (compromised) keys: whereby the costs of
      roling a ZSK is lowest and the costs of rolling a KSK that is in
      wide use as a trust anchor is highest

   o  The costs of buying and maintaining an HSM.

   For dynamically updated secured zones [11], both the master copy and
   the private key that is used to update signatures on updated RRs will
   need to be on-line.





________________________________________________________ 

Olaf M. Kolkman                        NLnet Labs
                                       Science Park 140, 
http://www.nlnetlabs.nl/               1098 XG Amsterdam

v2.23.0 | Report a Bug | By Email