Skip to content

Latest commit

 

History

History
237 lines (163 loc) · 9.27 KB

eduid-yubihsm-kmps.mkd

File metadata and controls

237 lines (163 loc) · 9.27 KB

% eduID YubiHSM KMPS % Leif Johansson & Fredrik Thulin % 2014-03-16

Introduction

This document is the key management practice statement for the eduID YubiHSM symetric key containers relative to the SUNET Key Management Policy (SUNET KMP).

Terminology

  • SUNET KMP: Key Management Policy - a document describing the SUNET KMF.
  • SUNET KMF: Key Management Facility - the combination of procedures and resources covered by the SUNET KMP.
  • eduID: The SWAMID student and scolarship identity provider

Service Description

The eduID YubiHSM symmetric key containers provide keyed HMAC-SHA1 for use by OATH OTP and VCCS password services. Each YubiHSM is connected to a server in the RED zone when in operation and is provisioned with keys in the BLACK Zone.

Logical Access Control

When in operation the YubiHSMs are connected to RED zone servers and access is restricted by logical access control applied on a host level.

Physical Access Control

The YubiHSMs are stored in BLACK zone safe when not in use. The YubiHSMs are provisioned using a programming station (PS) laptop which has been modified to reduce the external attack surface. This includes the following steps:

  • all wifi cards have been removed or disabled
  • all wifi antennas have been removed or disabled
  • all bluetooth or other radio transcievers have been removed or disabled
  • all cameras, microphones and speakers have been removed or disabled
  • all Ethernet ports have been removed or disabled
  • the PS does not support Firewire or docking station ports

Environmental Controls

HSMs are located in datacenters equipped with fire-suppression, intrusion detection and alarms, and electronic door access control.

Roles and Responsabilities

Security Officer

The Security Office is the Application Key Materials Manager (cf KMP) for the YubiHSM service. It is a role delegated from the SUNET CISO to trusted employees of SUNET and NUNOC. The SO will have access to the PS and therefore will have access to key backups. Dual control is employed to restrict SO from physically accessing the PS alone.

Procedures

Extract from SAFE

Before using a cryptographic key component stored in the SAFE (eg a YubiHSM or a yubikey) the authenticity of the device must be verified against the signed KMF log:

  1. Extract the tamper-evident bag which contains the item from the SAFE. Depending on the way the item was stored this may involve opening the SAFE and possibly opening an inner compartment with a SO compartment key.
  2. Locate the last log entry in the KMF log where this item was used.
  3. Compare the serial number on the tamper-evident bag with the serial number in the KMF log entry.
  4. Open the bag and extract the item.

Deposit to SAFE

The SAFE deposit procedure is the inverse of the SAFE Extraction procedure:

  1. Find an unused tamper-evident bag.
  2. Put the item in the bag and seal it.
  3. Record the serial number on the bag in the KMF log associated with the item in question.
  4. Sign the KMF log and put the bag in the proper place in the SAFE.

PS Setup

KCO Enrollment

Each YubiHSM KCO has a YubiKey in static mode which in combination with a personal password (salt) is used to enable full disk encryption on the PS.

To configure a YubiKey in static mode (should be done on PS, using attached HW RNG):

# ykpersonalize -2 -o-append-cr

To add a new KCO to the LUKS header of the PS:

Find unused slot in LUKS header (look for Key Slot X: DISABLED)

# cryptsetup luksDump /dev/sda1

Add a new KCO key to Key Slot X (this requires cooperation of one existing KCO, and the one to be added):

# cryptsetup luksAddKey --key-slot X /dev/sda1

Verify that Key Slot X is now ENABLED:

# cryptsetup luksDump /dev/sda1

To remove a key, enter the key to the following command:

# cryptsetup luksRemoveKey /dev/sda1

As long as the key is known, it can be removed without knowing the Key Slot number.

Initialize PS

  1. A Security Officer (SO) retrieves the programming station from the BLACK zone safe. The SO will remain in sight of the PS throughout the process.
  2. The laptop is oriented so as not to face cameras or windows.
  3. The KCO uses a yubikey+password (salt) to unlock Full Disk Encryption on the PS during PS boot/startup.

Key Generation

Assemble a KCO and an SO present in the office. The KCO is responsible for key operations and the SO is responsible for KMF log.

  1. Use the "Initialize PS" procedure to prepare the PS for use.
  2. The KCO uses the "Extract from SAFE" procedure to retrieve the Full Disk Encryption (FDE) token (YubiKey in static password mode) from private storage in the BLACK zone safe.
  3. The KCO uses the FDE token to bring PS online and log in as user 'root'. A part of the FDE key (salt) should be memorized by KCO and not stored in the SAFE.
  4. YubiHSM Symmetric key management is performed using the program `vccs-configure-hsms'.
  5. The Key database file is encrypted using the GPG public key of the SO ESCROW smartcards. The encrypted backup is put on the KCO's BACKUP USB memory, and stored in a tamper-proof bag in the KCO's compartment in the SAFE.
  6. PS is shut down and again placed in the SAFE by the SO.
  7. The KCO FDE token is returned to BLACK zone storage by the "Deposit to SAFE" procedure.

Detailed commands for generating HMAC keys (step 4 above)

The current date, plus a key usage letter combination is used as key handle. The program `vccs-configure-hsms' will suggest key handles using this scheme:

Assuming the date is 2014-02-21, the regular password credential HMAC key is called 0x140221aa and the OATH credential HMAC key is called 0x140221da.

If a second key needs to be created the same day, it should be called 0x140221ab or 0x140221db.

To bootstrap a brand new HSM (or one whose configuration has been reset using the 'zap' CLI command):

$ ./vccs-configure-hsms --init

  1. Insert the first YubiHSM while pressing the button underneath the hole to get it into programming mode.

  2. Generate new keys

    Password credentials key:

    $ ./vccs-configure-hsms --keydb_file /path/to/key.db --gen_key Insert a YubiHSM and press enter INFO Detected YubiHSM with id : xxx Enter new key handle (press enter for '140221aa') : INFO New key '140221aa' added to key database. $

    OATH tokey key:

    $ ./vccs-configure-hsms --keydb_file /path/to/key.db --gen_key --key_usage oath Insert a YubiHSM and press enter INFO Detected YubiHSM with id : xxx Enter new key handle (press enter for ' 140221da') : INFO New key '140221da' added to key database. $

  3. Install generated keys on any number of VALIDATOR HSMs:

    Be prepared to enter the Master Key to unlock the configuration if prompted.

    $ ./vccs-configure-hsms --keydb_file /path/to/key.db --max_key_age 1095 --install_keys 140221aa Insert a YubiHSM and press enter INFO Detected YubiHSM with id : xxx INFO INFO Keys now in HSM : INFO 140221aa (age: 0 day(s), flags=0x10000, usage=unknown) Commit changes to keystore? Enter 'yes' or 'no' : yes INFO xxx Keys committed to keystore. $

    $ ./vccs-configure-hsms --keydb_file /path/to/key.db --max_key_age 1095 --install_keys 140221da --key_usage oath Insert a YubiHSM and press enter INFO Detected YubiHSM with id : xxx INFO INFO Keys now in HSM : INFO 140221aa (age: 0 day(s), flags=0x10000, usage=unknown) INFO 140221da (age: 0 day(s), flags=0x20000, usage=unknown) Commit changes to keystore? Enter 'yes' or 'no' : yes INFO xxx Keys committed to keystore. $

  4. Create special ORIGINATOR HSM:s for generation of new OATH credential AEADs:

    $ ./vccs-configure-hsms --keydb_file /path/to/key.db --max_key_age 1095 --install_keys 140221da --key_usage oath --originator Insert a YubiHSM and press enter INFO Detected YubiHSM with id : xxx INFO INFO Keys now in HSM : INFO 140221da (age: 0 day(s), flags=0x2, usage=unknown) Commit changes to keystore? Enter 'yes' or 'no' : yes INFO xxx Keys committed to keystore. $

Dual control

Task: Activate PS

  1. SO extracts PS from SAFE
  2. KCO unlocks FDE using KCO YubiKey+password (salt) (YubiKey stored in KCO compartment of SAFE)

Task: Generate HMAC keys

  1. SO monitors everything and manages KMF log
  2. KCO operates PS. Unlocks YubiHSM using YubiHSM Master Key

Task: HMAC key backup

  1. SO controls SO GPG private key. This key is stored on YubiHSM NEO that is kept in SO compartment of SAFE
  2. KCO controls backup USB memory, stored in KCO compartment of SAFE

Task: Physically install PS in small safes on-site

  1. SO unlocks SAFE
  2. KCO retrieves taper-proof bag with YubiHSM for specific site from KCO compartment in SAFE
  3. NUNOC transports tamper-proof bag to site
  4. KCO unlocks small safe on-site

Task: Restore HMAC keys

  1. KCO retreives backup USB memory stored in KCO compartment of SAFE
  2. SO decrypts backup using GPG private key stored on YubiKey NEO kept in SO compartment of SAFE