
Let's assume we have an internal environment consisting of some distributed systems, one central system and an internal PKI. The central system is serving a cluster of HSMs that shall be accessible over the network in a securely controlled way. On the distributed systems, there are different application services run by separate technical users that want to make use of the hardware-based cryptography offered by the central system. The distributed systems don't have access to local HSMs.

Each connection from an application service to the central HSM service is secured by mutual-auth TLS using certificates from the internal PKI. While the central system's TLS private key can be protected by the local HSMs, the application services' TLS keys have to be software keys and protected somehow by the local access control system.

In this setup we are concerned about a single malicious administrator on the distributed systems using/copying the private key of an application service to perform cryptographic operations on sensitive data of that application.

Is there any elegant solution to protect against this threat?

Currently, we can only think of the following approaches:

a) Of course we could provide local HSMs to each distributed system. However, this would be incredibly expensive given the number of distributed systems and would also require establishing responsibility for a more complex infrastructure.

b) Someone had the idea to somehow use local TPMs to protect the application services' keys from the administrator and also keep them separated. I'm not sure if I really understand this approach, but to me it sounds like a misunderstanding of what a TPM is capable of doing.

c) The access control system and the monitoring should be configured such that any access to a key from an administrator's session raises an alert. Of course, this also requires a concept that reduces the power of an administrator so that he cannot manipulate it. Not to mention a concept of how to handle such alerts properly.

So I would like to know if you know an elegant solution to this problem. I assume this should be a standard problem in the era of cloud computing. Maybe you have some further ideas.

Thank you!

  • The TPM key storage provider (KSP) can be used to keep private keys secure so the administrator can't take the key elsewhere as they won't have access to it. – Brian Sep 15 '20 at 17:53
  • Is it really desirable for the administrator to copy the key to another system? Since we are in an internal environment, the service is only reachable from an internal system. I think there is only a slight advantage to copying the key from one internal system to another because it could be more difficult to track the attack. – moritz1895 Oct 05 '20 at 08:10
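The monitoring side of approach (c), as an added example that is not part of the original question or its comments: the script below correlates auditd-style SYSCALL and PATH records for a watched key file and decides whether the access came from the service's own daemon or from somebody's login session. The policy table, the admin account mapping, the paths and the log records are all constructed for the example. The check that matters is on `auid` (the login uid): it is set by pam_loginuid when an administrator logs in and survives `su` and `sudo -u <service-user>`, whereas a daemon started by the init system carries the unset value 4294967295, so "real uid equals the technical user" alone does not distinguish the daemon from an admin impersonating it.

```python
"""Alert on application-service key files being opened outside the service daemon.

Added example for approach (c). The audit records below are constructed samples in
auditd's key=value format, not real logs, and the policy tables are hypothetical.
"""
import re
from collections import defaultdict

AUID_UNSET = 4294967295  # loginuid of daemons started by init/systemd: no login session behind them

# Hypothetical policy: key file -> (technical uid that owns it, daemon binary allowed to read it)
KEY_POLICY = {
    "/etc/svc/billing/tls.key": (1002, "/opt/billing/bin/svc-billing"),
    "/etc/svc/ledger/tls.key": (1003, "/opt/ledger/bin/svc-ledger"),
}
# Hypothetical login uids of administrators, used only to name the account in the alert
ADMIN_ACCOUNTS = {1000: "ops-admin"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Parse one audit record into a dict of its key=value fields (quotes stripped)."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["ts"], rec["event"] = m.group(1), m.group(2)
    return rec


def group_events(lines):
    """Correlate SYSCALL and PATH records that share an audit event id."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec.get("event"):
            events[rec["event"]].append(rec)
    return events


def evaluate_event(records):
    """Return alert strings for one event; an empty list means the access matched policy."""
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if syscall is None:
        return []
    alerts = []
    uid, auid = int(syscall["uid"]), int(syscall["auid"])
    exe, outcome = syscall.get("exe", "?"), syscall.get("success", "?")
    for path in (r["name"] for r in records if r.get("type") == "PATH" and "name" in r):
        if path not in KEY_POLICY:
            continue  # parent directory entries and unrelated files
        owner_uid, daemon = KEY_POLICY[path]
        prefix = f"event {syscall['event']} {path} opened by {exe} (uid={uid} success={outcome}): "
        if auid != AUID_UNSET:
            # loginuid survives su/sudo, so an admin acting as the service user is
            # still attributed to the admin's own login session.
            who = ADMIN_ACCOUNTS.get(auid, f"login uid {auid}")
            alerts.append(prefix + f"interactive session of {who}, daemon access never has a login uid")
        elif uid != owner_uid:
            alerts.append(prefix + f"running as uid {uid}, key belongs to uid {owner_uid}")
        elif exe != daemon:
            alerts.append(prefix + f"unexpected binary, only {daemon} should read this key")
    return alerts


def scan(lines):
    """Run the policy over a batch of audit lines; alerts come back ordered by event id."""
    events = group_events(lines)
    alerts = []
    for event_id in sorted(events, key=int):
        alerts.extend(evaluate_event(events[event_id]))
    return alerts


# Constructed sample: a legitimate daemon read (2001), an admin running
# `sudo -u billing cat` (2002), root copying the ledger key (2003), and an
# admin editing an unrelated file (2004).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600185600.101:2001): arch=c000003e syscall=257 success=yes exit=3 auid=4294967295 uid=1002 gid=1002 comm="svc-billing" exe="/opt/billing/bin/svc-billing" key="svc_keys"
type=PATH msg=audit(1600185600.101:2001): item=0 name="/etc/svc/billing/" nametype=PARENT
type=PATH msg=audit(1600185600.101:2001): item=1 name="/etc/svc/billing/tls.key" nametype=NORMAL
type=SYSCALL msg=audit(1600185633.442:2002): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1002 gid=1002 comm="cat" exe="/usr/bin/cat" key="svc_keys"
type=PATH msg=audit(1600185633.442:2002): item=0 name="/etc/svc/billing/" nametype=PARENT
type=PATH msg=audit(1600185633.442:2002): item=1 name="/etc/svc/billing/tls.key" nametype=NORMAL
type=SYSCALL msg=audit(1600185690.007:2003): arch=c000003e syscall=257 success=yes exit=4 auid=1000 uid=0 gid=0 comm="cp" exe="/usr/bin/cp" key="svc_keys"
type=PATH msg=audit(1600185690.007:2003): item=0 name="/etc/svc/ledger/" nametype=PARENT
type=PATH msg=audit(1600185690.007:2003): item=1 name="/etc/svc/ledger/tls.key" nametype=NORMAL
type=SYSCALL msg=audit(1600185701.310:2004): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1000 gid=1000 comm="vim" exe="/usr/bin/vim" key="etc_files"
type=PATH msg=audit(1600185701.310:2004): item=0 name="/etc/hosts" nametype=NORMAL
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

Records of this shape come from a file watch such as `auditctl -w /etc/svc/billing/tls.key -p r -k svc_keys`. Two caveats belong with this approach: the `auid` check only holds if pam_loginuid sets the login uid on every interactive session and the audit subsystem is configured so that it cannot be changed afterwards, and an administrator who can stop auditd or rewrite the rules can blind the detector entirely, which is exactly why the question's remark about reducing the administrator's power is a precondition rather than an afterthought.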

2 Answers


I'm not sure how many servers exactly would be participating in your distributed system, but at this point I would suggest that you actually could provide every one of the servers in your system with an HSM. This is made possible due to the fact that there are now extremely small and inexpensive HSMs available that could potentially meet your needs.

For example, you may want to take a look at the YubiHSM 2. It can plug into any available USB port on any server and keep keys secure. It may not have some of the more advanced capabilities of network appliance HSMs, but you don't seem to need that sort of thing for the system that you described above.

bnsmith


IMHO, you are looking for a technical solution to an organisational question...

If you cannot trust your admins, then they should not have admin privileges. Said differently, staff members should only have the privileges required to do their job. If someone must have access to secret data (here a private key) for a specific operation, and you do not want to trust them for anything else, all you can do is make sure that this private key is not used for anything else that you control. If they can use that key, then you should admit that they can do anything using it. Even if the key was stored on a hardware device, most encryption tools can use a key on a hardware device for file encryption. The only point of a hardware device is that the key cannot be copied and later used from their personal machine.

For the problem of encrypting key files of the application, as soon as they have write access to the files, they can do so. It is enough for them to build their own keys.

Said differently, you should have a second look at what your threat model is. If you do not want the key to be carried outside of your systems because authentication from the outside has to be prevented, then using hardware devices makes sense, but smartcards or USB devices are not that expensive. If you are trying to prevent someone having write access to a file from using that key to encrypt it, I really think that you are chasing the wrong rabbit...

Serge Ballesta