Ceremonies Design for PKI's Hardware Security Modules
Abstract
Ceremonies are a useful tool to HSMs in PKI environments. They state operational procedures and usage scenarios. Their correct construction can lead to a safer operation. This paper presents basic ceremony procedures to manage the life cycle of cryptographic keys and ideas of requirements needed to assure security throughout the usage of ceremonies in the context of an HSM It presents ceremonies to make the implementing the OpenHSM protocols. OpenHSM protocol operational establishing basic building blocks that can be used by any PKI application based in an HSM. Our main contributions are the re-usage of ceremony phases and a survey on formal methods to verify them.
Keywords:
Key management protocol, Hardware Security Modules, Ceremony Design, Ceremony Analysis
References
Bella, G. (2007). Formal Correctness of Security Protocols, volume XX of Information Security and Cryptography. Springer Verlag.
Bensalem, S., Ganesh, V., Lakhnech, Y., Munoz, C., Owre, S., Rue, H., Rushby, J., Rusu, V., Sadi, H., Shankar, N., Singerman, E., and Tiwari, A. (2000). An overview of SAL. Technical report.
Brainard, J., Juels, A., Rivest, R. L., Szydlo, M., and Yung, M. (2006). Fourth-factor authentication: somebody you know. In Proceedings of the 13th Conference on Computer and Communications security, pages 168–178, New York, NY. ACM.
Chokhani, S., Ford, W., Sabett, R., Merrill, C., and Wu, S. (2003). Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. RFC 3647 (Informational).
de Souza, T. C. S., Martina, J. E., and Custódio, R. F. (2008). Audit and backup procedures for hardware security modules. In Proceedings of the 7th Symposium on Identity and Trust on the Internet, New York, NY. ACM.
Ellison, C. (2002). Improvements on conventional pki wisdom. In Proceedings of the First Annual PKI Research Workshop, Gaithersburg, MD.
Ellison, C. (2007). Ceremony design and analysis. Cryptology ePrint Archive, Report 2007/399. http://eprint.iacr.org/.
Estrutura de Chaves Públicas Brasileira (2007). Manual de Condutas Técnicas 7 Vol I (MCT 7 Vol. I) versão 1.0. Technical report, Instituto Nacional de Tecnologia da Informa cão ITI.
FIPS (2002). Security requirements for cryptographic modules, FIPS PUB 140-2.
Gordon, M. J. C. (1993). Introduction to HOL: A Theorem Proving Environment. Cambridge University Press.
Martina, J. E., de Souza, T. C. S., and Custódio, R. F. (2007). Openhsm: An open key life cycle protocol for public key infrastructures hardware security modules. In Fourth European PKI Workshop: Theory and Practice, volume 4582 of LNCS, pages 220– 235. Springer-Verlag.
Rede Nacional de Ensino e Pesquisa (2009). ICPEDU Infraestrutura de Chaves Pblicas para Pesquisa e Ensino . https://www.icp.edu.br/.
Ruksenas, R., Curzon, P., and Blandford, A. (2007). Detecting cognitive causes of confidentiality leaks. In First International Workshop on Formal Methods for Interactive Systems, volume 183 of ENTCS, pages 21–38.
Ruksenas, R., Curzon, P., and Blandford, A. (2008). Modelling and analysing cognitive causes of security breaches. Innovations in Systems and Software Engineering, 4(2):143–160.
Spira, L. F. (1999). Ceremonies of governance: Perspectives on the role of the audit committee. Journal of Management and Governance, 3:231–260(30).
Bensalem, S., Ganesh, V., Lakhnech, Y., Munoz, C., Owre, S., Rue, H., Rushby, J., Rusu, V., Sadi, H., Shankar, N., Singerman, E., and Tiwari, A. (2000). An overview of SAL. Technical report.
Brainard, J., Juels, A., Rivest, R. L., Szydlo, M., and Yung, M. (2006). Fourth-factor authentication: somebody you know. In Proceedings of the 13th Conference on Computer and Communications security, pages 168–178, New York, NY. ACM.
Chokhani, S., Ford, W., Sabett, R., Merrill, C., and Wu, S. (2003). Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. RFC 3647 (Informational).
de Souza, T. C. S., Martina, J. E., and Custódio, R. F. (2008). Audit and backup procedures for hardware security modules. In Proceedings of the 7th Symposium on Identity and Trust on the Internet, New York, NY. ACM.
Ellison, C. (2002). Improvements on conventional pki wisdom. In Proceedings of the First Annual PKI Research Workshop, Gaithersburg, MD.
Ellison, C. (2007). Ceremony design and analysis. Cryptology ePrint Archive, Report 2007/399. http://eprint.iacr.org/.
Estrutura de Chaves Públicas Brasileira (2007). Manual de Condutas Técnicas 7 Vol I (MCT 7 Vol. I) versão 1.0. Technical report, Instituto Nacional de Tecnologia da Informa cão ITI.
FIPS (2002). Security requirements for cryptographic modules, FIPS PUB 140-2.
Gordon, M. J. C. (1993). Introduction to HOL: A Theorem Proving Environment. Cambridge University Press.
Martina, J. E., de Souza, T. C. S., and Custódio, R. F. (2007). Openhsm: An open key life cycle protocol for public key infrastructures hardware security modules. In Fourth European PKI Workshop: Theory and Practice, volume 4582 of LNCS, pages 220– 235. Springer-Verlag.
Rede Nacional de Ensino e Pesquisa (2009). ICPEDU Infraestrutura de Chaves Pblicas para Pesquisa e Ensino . https://www.icp.edu.br/.
Ruksenas, R., Curzon, P., and Blandford, A. (2007). Detecting cognitive causes of confidentiality leaks. In First International Workshop on Formal Methods for Interactive Systems, volume 183 of ENTCS, pages 21–38.
Ruksenas, R., Curzon, P., and Blandford, A. (2008). Modelling and analysing cognitive causes of security breaches. Innovations in Systems and Software Engineering, 4(2):143–160.
Spira, L. F. (1999). Ceremonies of governance: Perspectives on the role of the audit committee. Journal of Management and Governance, 3:231–260(30).
Published
2009-09-28
How to Cite
MARTINA, Jean Everson; SOUZA, Túlio Cícero Salvaro de; CUSTÓDIO, Ricardo Felipe.
Ceremonies Design for PKI's Hardware Security Modules. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 9. , 2009, Campinas.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2009
.
p. 115-128.
DOI: https://doi.org/10.5753/sbseg.2009.20627.
