[Opendnssec-user] Why protect keys with a hardware HSM?

Roy Arends roy at nominet.org.uk
Tue Oct 27 08:30:10 UTC 2009


Ville Mattila wrote on 10/27/2009 05:08:37 PM:

> Hi,
> 
> Why should one bother setting up a hardware HSM for OpenDNSSEC signer
> to protect zone/key signing keys?

To be clear, OpenDNSSEC does not mandate a hardware HSM. It is possible to 
run it with SoftHSM.
 
> Consider attacker trying to forge a signed zone.  He gains root 
privileges
> on OpenDNSSEC signer host and modifies the incoming yet-unsigned zone
> data before the records are fed to HSM for signing.  Thus root access
> (and the user processing incoming unsigned zone) on OpenDNSSEC signer
> host must be secured very carefully regardless of whether one is using
> hardware or software HSM.  Right?

Right!

> Keys must, of course, be well protected and hardware HSM does that
> better than software (because of far more restricted physical/software
> access methods?).  But what are the signing keys in general good for
> from attackers point of view?  Use them for poisoning a resolvers cache
> with e.g. the well known Kaminsky method? 

Yes. 

> Anything else?

Signing a zone also provides protection against man in the middle attacks, 
i.e. scenarios with a compromised secondary server, or with a compromised 
system somewhere on the path between the server and the validator. This is 
an independent class of attacks from cache-poisoning.

Additionally, signing a zone increases the usability of that zone for 
securely distributing additional services. As an example, folks already 
envision x509 certificates in the DNS, signed using DNSSEC. 

An HSM can also be used as a signing accelerator, when a software based 
keystore (for lack of a better term) is just not fast enough.

An HSM solves the problem of key-leakage, but not key abuse. Anyone with 
remote (and root) access to a system that communicates with an HSM is 
likely able to inject data.

Kind regards,

Roy Arends
Sr. Researcher
Nominet UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20091027/351a8f7c/attachment.htm>


More information about the Opendnssec-user mailing list