Tuesday, February 03, 2009

Building a HSM_RKM for PKI

This is my final year project and I would like to give an introduction to the project through this post. The project is about building a hardware-secured Root Key Manager for a Public Key Infrastructure which operates offline. The Root Key Manager is the system which provides keys to the top node (Root CA) of the PKI. The security of these keys is vital to maintaining the trust of the whole PKI. Therefore we need to secure the RKM in various ways. Currently there are systems which provide this functionality to some extent. But the problem with the available systems is that they cost a huge amount of money and they aren't open to the public since they are proprietary. The goal of this project is to build a system which is low cost and open to academia for further extensions and study purposes. The project is supervised by Dr. Chandana Gamage.

The initial system requirements:
  • Access to the HSM-RKM must be controlled via a two-factor
    authentication mechanism
  • Should provide output of the HSM-RKM through a portable external
    interface such as a USB-Flash-ROM memory device
  • Generate the root key pair and securely store the private key
    within the HSM-RKM and output the public key through the external
  • Generate a limited number of other key pairs and securely store
    the private keys within the HSM-RKM and output the public keys
    through the external interface
  • Self-certify the root-key public key certificate
  • Certify any other public key certificate input through the
    external interface
  • The HSM-RKM must be of suitable dimension and construction to be
    securely stored in a safe
I'm going to use this post to comment on the progress and changes of the project work hereafter.
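
The key-handling requirements listed above (generate the root key pair, self-certify the root certificate, certify a request that arrives on the external interface, and release only public material) can be sketched with the OpenSSL command-line tool. This is an added example, not code from the project; it assumes the input is a PKCS#10 request, and the function names, directory layout, subject names, key size and lifetimes are constructed for illustration, with a plain key file standing in for hardware-protected storage.

```shell
#!/bin/sh
# Added example (not the project's code): offline root-CA steps with the OpenSSL CLI.
# Function names, paths, subjects, key size and lifetimes are constructed assumptions.

# rkm_init DIR: generate the root key pair and self-certify the root certificate.
rkm_init() {
    dir=$1
    mkdir -p "$dir/private" "$dir/export" && chmod 700 "$dir/private" || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_sub]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # The private key is created owner-readable only and stays in private/.
    ( umask 077; openssl genrsa -out "$dir/private/root.key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/ca.cnf" \
        -extensions v3_root -subj "/CN=Example Offline Root CA" \
        -key "$dir/private/root.key" -out "$dir/export/root.crt"
}

# rkm_certify DIR CSR NAME: sign a request that arrived on the external interface.
# "x509 -req" checks the request's self-signature before it issues anything.
rkm_certify() {
    dir=$1; csr=$2; name=$3
    openssl x509 -req -sha256 -days 1825 -in "$csr" \
        -CA "$dir/export/root.crt" -CAkey "$dir/private/root.key" \
        -CAserial "$dir/private/root.srl" -CAcreateserial \
        -extfile "$dir/ca.cnf" -extensions v3_sub \
        -out "$dir/export/$name.crt" 2>/dev/null
}

# rkm_check DIR NAME: confirm the issued certificate chains to the root.
rkm_check() {
    openssl verify -CAfile "$1/export/root.crt" "$1/export/$2.crt" 2>&1 | grep -q ': OK$'
}
```

After sourcing the file, `rkm_init ./rkm` creates the root, and `rkm_certify ./rkm request.csr sub` followed by `rkm_check ./rkm sub` signs and validates a request; only the contents of `export/` are meant to be copied to the USB device.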

1 comment:

  1. Objective 1: Choosing the appropriate software

    As the first objective of the project, I worked on identifying the already existing software which can be used to achieve my goals. As you can see, the HSM-RKM needs to generate and manage keys and, as a further extension, it needs to sign other public key certificates with its root key. After achieving this, it needs to be integrated into a proper operating system and then it needs to be hardware secured.
    Therefore, after a quick search for open source PKI systems, OpenCA, pyCA and ejbCA seem to do most of the things I need to have in my system. But all of them were fully functional certificate authorities with a lot of capabilities such as using LDAP and HTTPS. In my system there won't be any communication to the outside using standard protocols like this. It is intended to provide the keys to a USB stick, and the private keys should be stored securely inside the HSM-RKM itself. Looking further into OpenCA, I realized that it uses the OpenSSL crypto libraries extensively, and that led me to think about the usage of OpenSSL in my system.
    OpenSSL is a crypto toolkit which provides an open source implementation of the SSL and TLS protocols.
    OpenSSL is based on SSLeay by Eric A. Young and Tim Hudson.
    It supports
    Blowfish, Camellia, DES, RC2, RC4, RC5, IDEA, AES
    Cryptographic hash functions
    MD5, MD2, SHA, MDC-2
    Public-key cryptography
    RSA, DSA, Diffie-Hellman key exchange, Elliptic curve

    which is in line with my requirements. OpenSSL is "dual licensed" under the OpenSSL License and SSLeay License. Unlike other dual-license schemes, here both of the licenses apply when we use it.
    In May 2008, the Debian version of the OpenSSL library had a serious security flaw which was patched later. Since I'm going to use a manually hardened version of Debian 5.0 (Lenny), hopefully there won't be an issue like this.