HSM outage causes root CA key loss
I haven't been able to find an English version of this, but the following news item from Germany: http://www.heise.de/security/E-Gesundheitskarte-Datenverlust-mit-Folgen--/news/meldung/141864 reports that the PKI for their electronic health card has just run into trouble: they were storing the root CA key in an HSM, which failed. They now have a PKI with no CA key for signing new certs or revoking existing ones. (When I talk about PKI I always title the root CA as the Single Point of Failure, but I think this is the first time in a non-private CA where it's actually become this in practice. For private-label PKIs it's a lot more common because of the lesser-known public key phenomenon). Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Physical security rather than crypto---but perhaps of interest
http://news.bbc.co.uk/2/hi/technology/8147534.stm Chuck [Moderator's note: It is helpful, when posting a link, to give enough information that people can know whether they want to go and read the article. In this case, the title and first few sentences are: Snooping through the power socket Power sockets can be used to eavesdrop on what people type on a computer. Security researchers found that poor shielding on some keyboard cables means useful data can be leaked about each character typed. By analysing the information leaking onto power circuits, the researchers could see what a target was typing. The attack has been demonstrated to work at a distance of up to 15m, but refinement may mean it could work over much longer distances. --Perry] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: 112-bit prime ECDLP solved
Hi all, We are pleased to announce that we have set a new record for the elliptic curve discrete logarithm problem (ECDLP) by solving it over a 112-bit finite field. The previous record was for a 109-bit prime field and dates back from October 2002. See for more details our announcement at http://lacal.epfl.ch/page81774.html. Computing power doubles every 18 months to two years, so the required EC length should gain a bit every year or every nine months. Which suggests that existing deployments should default to 128 bits. with 160 bits being overkill. Of course overkill does not cost much. If one shoots someone the head, it is wise to follow up with a second shot through the head at very short range just to be on the safe side. YearBreakable keys. 2009112 2010113 2015117 2020121 2025124 I am assuming a rapid rate of progress, in which case line widths halve every four years. In which case Moore's law breaks in 2033 when we get nanometer line widths, for lines will then be molecules - probably carbon nanotubes. 2033130 Subsequent expansions in computing power will involve breaking up Jupiter to build really big computers, and so forth, which will slow things down a bit. So 144 bit EC keys should be good all the way to the singularity and a fair way past it. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: HSM outage causes root CA key loss
http://www.heise.de/security/E-Gesundheitskarte-Datenverlust-mit-Folgen--/news/meldung/141864 reports that the PKI for their electronic health card has just run into trouble: they were storing the root CA key in an HSM, which failed. They now have a PKI with no CA key for signing new certs or revoking existing ones. Actually, for a couple of days now they didn't stop pointing out that they were still running the PKI in a test environment and that only 'a few hundred test cards' are affected... Just stupid nonetheless... :-\ Cheers, Stefan. -- Stefan Kelm sk...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstrasse 100 Tel: +49-721-96201-1 D-76133 Karlsruhe Fax: +49-721-96201-99 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: HSM outage causes root CA key loss
- Peter Gutmann pgut...@cs.auckland.ac.nz wrote: I haven't been able to find an English version of this, but the following news item from Germany: ... It is exactly for this reason that when we generated the root key for the U.S. Higher Education PKI we did it outside of an HSM and then loaded it into two HSMs. The raw key was then manually secret shared accross five CD's (three being the quorum) which were distributed to five individuals for safe keeping. Because CD's have 700 Mb of storage and the share secret is tiny, literally thousands of copies of it were written on each CD along with the source code of the secret sharing software (written in Python). In theory every few years we are supposed to take out the CD's and verify that they can be read. It's probably time to do that now :-) Because of prior experience with a SafeKeyper(tm) (a very large HSM), I learned that when the only copy of your key is in an HSM, the HSM vendor really owns you key, or at least they own you! -- Jeffrey I. Schiller MIT Network Manager Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room W92-190 Cambridge, MA 02139-4307 617.253.0161 - Voice j...@mit.edu - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: HSM outage causes root CA key loss
At 5:58 PM +1200 7/13/09, Peter Gutmann wrote: I haven't been able to find an English version of this, but the following news item from Germany: http://www.heise.de/security/E-Gesundheitskarte-Datenverlust-mit-Folgen--/news/meldung/141864 http://www.h-online.com/security/Loss-of-data-has-serious-consequences-for-German-electronic-health-card--/news/113740 reports that the PKI for their electronic health card has just run into trouble: they were storing the root CA key in an HSM, which failed. They now have a PKI with no CA key for signing new certs or revoking existing ones. -- - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
RE: HSM outage causes root CA key loss
Hi, reports that the PKI for their electronic health card has just run into trouble: they were storing the root CA key in an HSM, which failed. They now have a PKI with no CA key for signing new certs or revoking existing ones. Suppose this happens in a production environment of some CA (root or not), how big a problem is this? I can see two issues: - they have to build a new CA and distribute its certificate to all users, which is annoying and maybe costly but not a security problem, - if they rely on the CA for signing CRLs (or whatever revocation mechanism they're using) then they have to find some other way to revoke existing certificates. No need to revoke any certificate. Any other problems? Maybe something with key rollover or interoperability? Seems to me that for signing CRLs it's better to have a separate Revocation Authority (whose certificate should be issued by the CA it is revoking for); then revoking can continue when the CA loses its private key. The CA still may have revoking authority as well, at least to revoke the Revocation Authority's certificate... Grtz, Benne de Weger - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
RE: HSM outage causes root CA key loss
At 11:09 PM +0200 7/14/09, Weger, B.M.M. de wrote: Any other problems? Maybe something with key rollover or interoperability? Bingo. Key rollover has been thinly tested in relying parties. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: HSM outage causes root CA key loss
On Tue, Jul 14, 2009 at 11:09:41PM +0200, Weger, B.M.M. de wrote: Suppose this happens in a production environment of some CA (root or not), how big a problem is this? I can see two issues: - they have to build a new CA and distribute its certificate to all users, which is annoying and maybe costly but not a security problem, Not a security problem? Well, if you have a way to do authenticated trust anchor distribution that doesn't depend on the lost CA, then sure, it's not a security problem. But that's just not likely, or at least there's no standard for authenticated TA distribution, yet. If you can do unauthenticated TA distribution without much trouble (as opposed to by, say, having to physically visit every host), then chances are you have no security to begin with. If there was such a standard you'd want to make real sure that you have separate keys for TA distribution than for your CA, with similar physical and other security safeguards. This goes to show that we do need a TA distribution protocol (not for the web, mind you), and it needs to use PKI -- a distinct, but related PKI. As long as both sets of hardware tokens don't die simultaneously, then you'll be OK. Add multiple CAs for TA distro and you get more redundancy. - if they rely on the CA for signing CRLs (or whatever revocation mechanism they're using) then they have to find some other way to revoke existing certificates. The only other ways are: distribute the new CA certs, and/or use OCSP (which must use a different cert than the CA). OCSP is the better answer, if you can get all apps to use it. Nico -- - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: HSM outage causes root CA key loss
Weger, B.M.M. de wrote: - if they rely on the CA for signing CRLs (or whatever revocation mechanism they're using) then they have to find some other way to revoke existing certificates. ... Seems to me that for signing CRLs it's better to have a separate Revocation Authority (whose certificate should be issued by the CA it is revoking for); then revoking can continue when the CA loses its private key. The CA still may have revoking authority as well, at least to revoke the Revocation Authority's certificate... Unfortunately those code paths seem rarely traveled/tested between implementations and even within a single implementations fraught with caveats; so one often ends up with a (sub) CA in the same chain as the cert one wants to revoke. Any other problems? Maybe something with key rollover or interoperability? Aye - and there is another area which is even less traveled than above. Dw - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: 112-bit prime ECDLP solved
We are pleased to announce that we have set a new record for the elliptic curve discrete logarithm problem (ECDLP) by solving it over a 112-bit finite field. The previous record was for a 109-bit prime field and dates back from October 2002. First of all congratulations to the team at EPFL! Which suggests that existing deployments should default to 128 bits. with 160 bits being overkill. Of course overkill does not cost much. If one shoots someone the head, it is wise to follow up with a second shot through the head at very short range just to be on the safe side. James, do I really have to point out the obvious that just because 112 bits is a new record this does not mean that 113 is undoable today. The coolness of this result is that a smallish cluster of low cost machines could do this computation in only half a year. 200 PS3s cost you no more than 200 x 400 USD at published prices - and less if you buy that many at once. So with about 1 000 000 USD and a full year you would get 122 bits already now and agencies have a bit more budget than this! Furthermore, the algorithm parallelizes extremely well and can handle a batch of 100 targets at only 10 times the cost. So, yes, we sure will be able to break 130 bits in 2033 - but certainly much sooner if anyone tries. Tanja - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com