
Hardware Security Modules and Kerberos

Hardware Security Modules and Kerberos. Asanka Herath, Secure Endpoints Inc. Advantages of integrating HSMs into the Kerberos infrastructure. Why HSMs? Compromise containment, reliable auditing, performance, compliance (FIPS 140).


Presentation Transcript


  1. Hardware Security Modules and Kerberos Asanka Herath Secure Endpoints Inc.

  2. Advantages of integrating HSMs into the Kerberos infrastructure Why HSMs?

  3. Why HSMs? • Compromise containment • Reliable Auditing • Performance • Compliance (FIPS 140)

  4. Changes to key management when integrating an HSM Key Management with an HSM

  5. For example…

  6. nCipher nShield

  7. nCipher Security Worlds

  8. Properties of a Security World • Key management • Managed key usage • Key encapsulation • Keys generated and live inside the security world and (ideally) never leave • Secure code execution • Secure Execution Environment (SEE)

  9. A Security World Consists of … • Hardware modules • Administrator card set • Operator card sets and/or softcards • Encrypted key data or certificate data

  10. The Security World Key • Contained in … • The administrator card set • Protects … • Key recovery information

  11. Module Key • Contained in … • The hardware module • Protects … • Application keys

  12. Operator Keys • Contained in … • Operator card sets • Protects … • Application keys

  13. Application Keys • Contained in … • Key blobs • Protects … • Other application keys • Data

  14. A Security World Consists of … • Keys that protect other keys

  15. A Hierarchy of Keys [diagram: Operator Card Set, Operator Key A, Application Key A, Application Key B, Data]

  16. A Hierarchy of Keys [diagram: Module Key, Application Key A, Application Key B, Data]

  17. Privilege Separation • Ability to use a key gives the ability to use child keys • But not vice-versa • Facilitates privilege separation

  18. Key Tickets • Can be issued for any loaded key • Can be redeemed for the use of a specific key • Necessary for delegating use of keys across application boundaries • Transient • Per session

  19. Working With Key Tickets [diagram: Process 1, Process 2, Application Key A, Application Key B, Application Key B Ticket, Data]

  20. Integrating HSMs with Kerberos infrastructure Heimdal

  21. Key Usage Model in Heimdal • Application has access to plaintext key

  22. New Key Usage Model • Separate key usage from key material • An application doesn’t need the plaintext key in order to use it • Ability to specify a key without knowing the plaintext key • Key tickets • Key blobs • Key identifiers • Ability to load and unload keys • Using already loaded keys

  23. What’s involved in integrating the use of HSMs into code Kerberos API and Library

  24. Key Encoding • Current … • Assumes knowledge of the physical key • Key length is fixed • No need to prepare/clean up keys. Stateless (exceptions: derived keys, key schedules). • Need … • Backwards compatibility • Support key references • Key tokens • Key blobs • Key identifiers

  25. Key Blob • Contains (encrypted with parent key) • Key • Access control list • Usage constraints • Time limits • Use limits • Issuance certificate • Security world and module information • Timestamps

  26. Key Types and Encryption Types • A new “Key Type”? • A new “Encryption Type”? • Must distinguish between a plaintext key and a key reference

  27. Something like … [diagram of three encodings: Plain text (fixed); Header + Key blob (variable); Header + Key reference (variable)]

  28. Key “Lifetimes” • Loading a key requires a parent/authorization key to be already loaded • “Lifetime” refers to the time between loading and unloading a key

  29. Connection to Hardware Devices • Connections must be established first • Can be somewhat expensive • Lazy connections • Connections should be avoided if unnecessary • Especially for client libraries, where we may or may not have access to the security world and access to the security world is not necessary

  30. Privilege Separated Processes • Break into privilege-separated processes • Move privileged code into SEE

  31. asanka@secure-endpoints.com Q&S
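
An added example (not code from the presentation or from Heimdal) of the key encoding sketched on slides 24 to 27: a strict parser that keeps the legacy fixed-length plaintext encoding and accepts a header followed by a variable-length key blob or key reference. The tag values, the 4-byte header layout, the single 32-byte plaintext length and the names `parse_key` and `key_material` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tags and header layout: the slides only require that a
 * plaintext key and a key reference be distinguishable. */
enum key_kind { KEY_INVALID = -1, KEY_PLAINTEXT = 0, KEY_BLOB = 1, KEY_REFERENCE = 2 };
#define PLAINTEXT_LEN 32u /* fixed size of an AES-256 key */
#define HDR_LEN 4u        /* assumed: tag, version, 16-bit big-endian payload length */

struct parsed_key { enum key_kind kind; const uint8_t *payload; size_t len; };

/* hsm_type stands for the new key type / encryption type carried by the
 * enclosing structure; 0 selects the legacy headerless encoding. */
enum key_kind parse_key(int hsm_type, const uint8_t *buf, size_t n, struct parsed_key *out)
{
    out->kind = KEY_INVALID; out->payload = NULL; out->len = 0;
    if (buf == NULL) return KEY_INVALID;
    if (!hsm_type) {                        /* backwards-compatible path */
        if (n != PLAINTEXT_LEN) return KEY_INVALID;
        out->kind = KEY_PLAINTEXT; out->payload = buf; out->len = n;
        return out->kind;
    }
    if (n <= HDR_LEN || buf[1] != 1) return KEY_INVALID;  /* header + payload, version 1 */
    if (buf[0] != KEY_BLOB && buf[0] != KEY_REFERENCE) return KEY_INVALID;
    size_t plen = ((size_t)buf[2] << 8) | buf[3];
    if (plen != n - HDR_LEN) return KEY_INVALID;  /* no truncation, no trailing bytes */
    out->kind = (enum key_kind)buf[0]; out->payload = buf + HDR_LEN; out->len = plen;
    return out->kind;
}

/* Raw key bytes exist only for plaintext keys; blobs and references must
 * go to the HSM and are never handed to software crypto as key material. */
const uint8_t *key_material(const struct parsed_key *k)
{
    return k->kind == KEY_PLAINTEXT ? k->payload : NULL;
}

int main(void)
{
    /* Constructed sample: reference header followed by the id "kdc-1". */
    const uint8_t ref[] = { KEY_REFERENCE, 1, 0, 5, 'k', 'd', 'c', '-', '1' };
    struct parsed_key k;
    printf("kind=%d usable_as_raw_key=%d\n",
           parse_key(1, ref, sizeof ref, &k), key_material(&k) != NULL);
    return 0;
}
```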
