Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

Andrew Sullivan <ajs@shinkuro.com> Tue, 21 April 2009 18:08 UTC

Date: Tue, 21 Apr 2009 14:09:27 -0400
From: Andrew Sullivan <ajs@shinkuro.com>
To: dnsop@ietf.org
Message-ID: <20090421180927.GG64986@shinkuro.com>
References: <20090306141501.4BA2F3A6B4B@core3.amsl.com> <49EDA81E.2000600@ca.afilias.info> <a06240805c6138a622949@[10.31.200.142]> <82iqkykq10.fsf@mid.bfk.de> <a06240807c61393343ac7@[10.31.200.142]> <20090421153213.GA7564@nic.fr> <a06240808c61397d750db@[10.31.200.142]> <20090421160040.GD64986@shinkuro.com> <a06240800c613abf111de@[10.31.200.142]>
In-Reply-To: <a06240800c613abf111de@[10.31.200.142]>
Subject: Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

On Tue, Apr 21, 2009 at 01:22:01PM -0400, Edward Lewis wrote:

> same fortifications.  "Breaking the database" security won't make getting 
> to the key any easier, i.e., the database does not contain the 
> information needed to access the key.

If the database does not contain the information needed to access the
key -- which actually means "does not contain the key", since if the
database contains the key it contains the information needed to access
the key -- then you have just built your own HSM-like device (except
that it implements some of the components in software instead).  Now
your only problem is trying to prove that your system is as secure as
the alternative, which is just buying an HSM.  HSMs aren't just
expensive because of the unusual hardware they contain.  The testing
of them to prove they meet all those big standards most of us haven't
read is expensive and time consuming (and risky, if you find your
device fails).

If the database _does_ contain the key, then the only question is
whether there is an escalation attack that can get an attacker the
privileges needed to access the key.  One such escalation attack, of
course, is "get hired and have access to the superuser account."  I'm
aware of how the accounting systems catch such access.  I'm also aware
of how such access accounting breaks down.

Anyway, I completely agree that this is a cost-benefit analysis that
different sites have to do based on their use cases.

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
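The distinction the message draws, between a database that holds the key and one that holds only what is needed to ask a separate boundary to sign, can be shown concretely. The following is an added example, not code from the thread or from any DNSSEC signer: the "database" is a Python dict, the "HSM" is an in-process class that exposes a handle and a sign() operation, and HMAC-SHA256 stands in for the real DNSSEC signature algorithm so that it runs with only the standard library. The simulated attack is "read every record in the database" and the question asked is whether those records alone suffice to forge a signature.

```python
"""Added example: key-in-database versus key-behind-a-sign-only-boundary.

Constructed for illustration only. HMAC-SHA256 stands in for a DNSSEC
signing algorithm; a dict stands in for the zone/key database; the
SignOnlyKeyStore class stands in for an HSM or separate signing service.
"""
import hashlib
import hmac
import secrets

# Constructed sample RRset wire-ish data the signer is asked to sign.
SAMPLE_RRSET = b"example. 3600 IN A 192.0.2.1"


class KeyInDatabaseSigner:
    """Design A: the key bytes live in the same record store as the zone
    data, so anyone who can read the database can read the key."""

    def __init__(self):
        self.db = {}  # constructed stand-in for the zone/key database

    def generate_key(self, key_tag):
        self.db[("key", key_tag)] = secrets.token_bytes(32)
        return key_tag

    def sign(self, key_tag, rrset):
        key = self.db[("key", key_tag)]
        return hmac.new(key, rrset, hashlib.sha256).digest()


class SignOnlyKeyStore:
    """Stand-in for an HSM: private key bytes never leave this object.
    Callers receive an opaque handle and may only request signatures.
    Every request is recorded, which is the 'accounting' side of the
    escalation question raised in the message."""

    def __init__(self):
        self._keys = {}
        self.audit = []  # (handle, sha256 of signed data) per request

    def generate_key(self):
        handle = secrets.token_hex(8)
        self._keys[handle] = secrets.token_bytes(32)
        return handle

    def sign(self, handle, data):
        self.audit.append((handle, hashlib.sha256(data).hexdigest()))
        return hmac.new(self._keys[handle], data, hashlib.sha256).digest()


class KeyHandleSigner:
    """Design B: the database stores only the opaque handle; the key
    material sits behind the sign-only boundary."""

    def __init__(self, keystore):
        self.db = {}
        self.keystore = keystore

    def generate_key(self, key_tag):
        self.db[("key", key_tag)] = self.keystore.generate_key()
        return key_tag

    def sign(self, key_tag, rrset):
        return self.keystore.sign(self.db[("key", key_tag)], rrset)


def dump_database(signer):
    """Simulate 'breaking the database': the attacker reads every record."""
    return dict(signer.db)


def leaked_record_can_forge(signer, key_tag, dump):
    """Return True if the dumped record for key_tag, used as a key, yields
    a signature identical to the legitimate signer's output. True means
    the database contained the key; False means it held only a handle."""
    record = dump.get(("key", key_tag))
    key_guess = record if isinstance(record, bytes) else str(record).encode()
    forged = hmac.new(key_guess, SAMPLE_RRSET, hashlib.sha256).digest()
    return hmac.compare_digest(forged, signer.sign(key_tag, SAMPLE_RRSET))


def compare_designs():
    """Run the same database-dump attack against both designs."""
    a = KeyInDatabaseSigner()
    a.generate_key(12345)
    store = SignOnlyKeyStore()
    b = KeyHandleSigner(store)
    b.generate_key(12345)
    return {
        "key_in_database": leaked_record_can_forge(a, 12345, dump_database(a)),
        "key_handle": leaked_record_can_forge(b, 12345, dump_database(b)),
        "keystore_requests_logged": len(store.audit),
    }


if __name__ == "__main__":
    print(compare_designs())
```

Design B is exactly the "HSM-like device implemented in software" the message describes: the database no longer contains the information needed to access the key, so the remaining exposure is whoever can reach the sign() boundary, which is why the audit list in SignOnlyKeyStore matters more than the database's access controls. A real HSM adds the tested hardware boundary and the certification the message mentions; the software version only moves the key, it does not prove the new boundary is as strong.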