VE 07KeyMgmt

From MozillaWiki
Jump to: navigation, search

This is a draft document

Key Management

  1. Our private key and certificate databases are hash (Berkeley DB 1.85) indexed flat files (regular files). Temporary (session) keys are stored in memory (RAM).
  2. Private keys and secret keys are stored in the private key database. At Security Level 1, the operating system is restricted to a single operator mode of operation, which protects against unauthorized disclosure, modification, and substitution of the private keys and secret keys stored in the private key database. At Security Level 2, we use the discretionary access control mechanism of the operating system on the private key database to protect against unauthorized disclosure, modification, and substitution of the private keys and secret keys stored in the private key database.
    The private keys and secret keys stored in the private key database are actually encrypted using three-key Triple DES in CBC mode (DES-EDE3-CBC) to provide additional protection against unauthorized disclosure, modification, and substitution. Although Triple DES is an Approved security function, the key encrypting key is derived from the user's password using an extension of the PKCS #5 PBKDF1 key derivation function (see the nsspkcs5_PBKDF1Extended function) with an 16-octet salt, an iteration count of 1, and SHA-1 as the underlying hash function. Since password-based encryption such as PKCS #5 is not FIPS Approved, the private and secret keys in the private key database are considered in plaintext form by FIPS 140-2 (see FIPS 140-2 Section 4.7 and FIPS 140-2 IG 7.1). For more information on how the secret and private keys in the private key database are password-encrypted, see the nsspkcs5_CipherData function.
  3. When the secret keys and private keys reside in memory, they are protected by the OS from unauthorized disclosure, modification, and substitution.
  4. Public keys are stored in two ways.
    • Public keys in public/private key pairs (owned by the operator) are stored as attributes of the associated private keys in the private key database.
      Attributes of private keys are also password-encrypted as explained in the note above.
    • X.509 v3 certificates containing public keys are stored DER encoded in the certificate database. The certificates are not encrypted, but are digitally signed by the Certification Authority (CA) that created them.
    • At Security Level 1, the operating system is restricted to a single operator mode of operation, which protects against unauthorized modification and substitution of the public keys and certificates stored in the private key and certificate databases. At Security Level 2, we use the discretionary access control mechanism of the operating system on the private key and certificate databases to protect against unauthorized modification and substitution of the public keys and certificates stored in the private key and certificate databases.
  5. When the public keys reside in memory, they are protected by the OS from unauthorized modification and substitution.
  6. The NSS cryptographic module uses the following cryptographic keys, cryptographic key components, and CSPs in the FIPS Approved mode of operation:
    • AES secret keys
    • Triple DES secret keys
    • HMAC secret keys
    • DSA public keys and private keys
    • RSA public keys and private keys (used for key transport and digital signatures)
    • ECDSA public keys and private keys
    • Diffie-Hellman public keys and private keys (used for key agreement)
    • EC Diffie-Hellman public keys and private keys (used for key agreement)
    • TLS premaster secret (used in deriving the TLS master secret)
    • TLS master secret (used in the generation of symmetric cipher keys, IVs, and MAC secrets for TLS)
    • authentication data (passwords).
  7. The NSS cryptographic module uses the following cryptographic keys internally. These keys are not visible to the operator.
    • The Triple DES key derived from the user's password, used to encrypt the secret keys and private keys stored in the private key database.
    • The 1024-bit DSA public keys for the software/firmware integrity test are stored along with the DSA signatures in the .chk files for the softoken (PKCS #11) and freebl shared libraries/DLLs. The DSA domain parameters (prime p, subprime q, base g) and public key (y) are stored in a straight binary format (i.e., not DER encoded).
  8. No passwords (e.g., the password for password-based encryption, or the private key database password) are stored on disk in plaintext.
  9. An extension of the PKCS #5 PBKDF1 key derivation function (see the nsspkcs5_PBKDF1Extended function) is used to convert a user's password to a DES-EDE3 (three-key Triple DES) key that is used to encrypt a known plaintext to determine if it matches the password verifier stored in the database.
  10. Prior to exiting the NSS cryptographic module, all passwords entered by users and private keys (stored on disk) are zeroized from memory.

Key Generation

The FC_GenerateKey and FC_GenerateKeyPair functions of the NSS cryptographic module perform key generation. FC_GenerateKey generates secret keys and domain parameters, and FC_GenerateKeyPair generates public/private key pairs.

Approved key generation method: The NSS cryptographic module uses the Approved RNG specified as Algorithm Algorithm Hash_DRBG of SP 800-90 to generate cryptographic keys used by the Approved and non-Approved security functions. The validation certificate for the Approved RNG is Cert# 208.

Secret keys for symmetric key algorithms and HMAC are generated using the output of the Approved RNG.

DSA public and private keys are generated using the method specified in FIPS 186-2 with Change Notice 1.

RSA public and private keys are generated using the method specified in PKCS #1.

The prime numbers that are generated for both RSA and DSA are tested using Miller-Rabin test (FIPS 186-2 Appendix 2.1. A Probabilistic Primality Test).

ECDSA public and private keys are generated using the method specified in ANSI X9.62-1998.

Security of key generation method: The keys generated by the NSS cryptographic module have at most 256 bits of security. (See NIST Special Publication (SP) 800-57 Part 1, Table 2 in Section 5.6.1 on page 63.) Therefore, compromising the security of the key generation method (e.g., guessing the seed value to initialize the Approved RNG) requires at least as many operations as determining the value of the generated key.

The initial value of XKEY is derived using the following procedure.

  • We obtain 1024 bytes from the system random number generator. On Windows XP SP 2, we call the CryptGenRandom function in the CryptoAPI. On Solaris, HP-UX, Linux, and Mac OS X, we read from the special device /dev/urandom.
    On HP-UX B.11.11, one must install the HP-UX Strong Random Number Generator (KRNG11i) bundle to add the /dev/random and /dev/urandom special files. The KRNG11i bundle can be downloaded for free from the HP software depot, and installation is straightforward.
    We set XKEY to the SHA-256 hash of these 1024 bytes.
    XKEY = SHA-256(1024 bytes from the system RNG)
    This is performed in the RNG_RNGInit function.
  • We then add extra entropy input to XKEY using SHA-256 as the mixing function:
    XKEY = SHA-256(XKEY || entropy_input)
    This is performed in the RNG_SystemInfoForRNG function. The mixing function is modeled after the reseed processes for the Hash_DRBG and Dual_EC_DRBG deterministic random bit generators in NIST SP 800-90 and the Reseed function for the Fortuna random number generator in Ferguson and Schneier's Practical Cryptography. The extra entropy input is either time-varying or machine-varying. On Unix, it includes:
    • various high-resolution clocks, several times. Examples are
    • the names, values, and memory addresses of all the environment variables.
    • static system information or current system/kernel statistics, twice. Examples are
      • the overall system statistics returned by the sysinfo function on Linux
      • machine hardware name, OS release level, and hardware serial number returned by the sysinfo function on Solaris
      • version number of OSF/AES OSC supported and version of CPU architecture returned by the sysconf function on HP-UX
      • the maximum number of simultaneous processes per user id, the maximum number of streams that a process may have open at any one time, and the maximum number of open files per user id returned by the sysconf function on Mac OS X
    • the host name (returned by gethostname)
    • the status information (struct stat) and contents of the file specified in the environment variable NSRANDFILE
    • the status information (struct stat) and contents of the files /etc/passwd, /etc/utmp
    • the status information (struct stat) of the directories /tmp, /var/tmp, /usr/tmp
    • the output of the "netstat -ni" command.
  • On Windows, the extra entropy input includes
    • various high-resolution clocks, such as QueryPerformanceCounter, GetTickCount and time, several times.
    • information about the system's current usage of both physical and virtual memory returned by GlobalMemoryStatus
    • the bitmask representing the currently available disk drives returned by GetLogicalDrives
    • the NetBIOS name of the local computer returned by GetComputerName
    • the pseudo handle and process identifier of the current process returned by GetCurrentProcess and GetCurrentProcessId
    • information about the file system and volume of the root of the current directory returned by GetVolumeInformation(NULL, ...)
    • information about the current disk, including the amount of free space on the current disk, returned by GetDiskFreeSpace(NULL, ...)
    • the number of files in C:\WINDOWS\system32 and the status information and contents of the first 10 readable files and then 10 or 11 files spread throughout the directory

References

Michael Howard and David C. LeBlanc, Writing Secure Code, Second Edition, Microsoft Press, 2002.

Michael Howard's Web Log, Cryptographically Secure Random number on Windows without using CryptoAPI, http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx.

D. Eastlake, 3rd, J. Schiller, and S. Crocker, RFC 4086 (formerly RFC 1750): Randomness Requirements for Security, June 2005. This RFC recommends the use of /dev/urandom and CryptGenRandom.

Elaine Barker and John Kelsey, NIST Special Publication 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators, June 2006.

Key Establishment Techniques

The NSS cryptographic module uses the following asymmetric key establishment techniques listed in FIPS 140-2 Implementation Guidance Section 7.1, which FIPS 140-2 Annex D says are allowed in a FIPS Approved mode of operation:

  • Diffie-Hellman (key agreement). The module supports Diffie-Hellman public key sizes of 1024-2236 bits, corresponding to 80-112 bits of security.
  • EC Diffie-Hellman (key agreement). The module supports elliptic curve key sizes of 163-571 bits, corresponding to 80-256 bits of security.
  • Key Wrapping using RSA keys (PKCS #1, key wrapping). The module supports RSA key sizes of 1024-8192 bits, corresponding to 80-192 bits of security.
    Note: The Cryptographic Algorithm Validation Program (CAVP) can only validate RSA key sizes up to 4096 bits, so our RSA algorithm implementation has only been validated for RSA key sizes of 1024-4096 bits.

The strengths of security of the asymmetric key establishment techniques are obtained from Table 2 of Section 5.6.1, NIST SP 800-57 Part 1.

Caveats:

Since the NSS cryptographic module allows a key establishment method to establish a cryptographic key that is stronger than the key establishment method, the following caveats are required by FIPS 140-2 IG 7.5:

  • Diffie-Hellman (key agreement, key establishment methodology provides between 80 bits and 112 bits of encryption strength)
  • EC Diffie-Hellman (key agreement, key establishment methodology provides between 80 bits and 256 bits of encryption strength)
  • RSA (PKCS #1, key wrapping, key establishment methodology provides between 80 bits and 192 bits of encryption strength)

The Security Policy Rule 20 is also annotated with these caveats.

The NSS cryptographic module does not implement the Over-The-Air-Rekeying (OTAR) Protocol.

Entity Association Assurance

Each instance of the NSS cryptographic module is owned by a single operator (the module owner).

By definition, all the secret and private keys in the NSS cryptographic module are associated with the module owner.

The public and private keys are correlated based on their PKCS #11 CKA_ID attribute. The public and private keys in a key pair have the same CKA_ID value. In the NSS cryptographic module, the CKA_ID attribute of a public key or private key is the SHA-1 hash of (a component of) the (associated) public key.

If a public key's CKA_ID value is the same as that of a private key in the NSS cryptographic module, the public key is associated with the module owner. Otherwise, the public key is associated with an entity other than the module owner. Such a public key is usually extracted from a public key certificate, which contains the name of the entity associated with the public key, and imported into the NSS cryptographic module. The operator of the NSS cryptographic module is responsible for associating such a public key with the right entity. The NSS cryptographic module only knows such a public key doesn't belong to the module owner because it doesn't have the associated private key.

The NSS cryptographic module returns unique PKCS #11 object handles (CK_OBJECT_HANDLE) for the stored or imported cryptographic keys. With the object handles as unique identifiers, the operator can associate the keys with the correct entity (self or another entity).

Key Entry and Output Methods

The NSS cryptographic module does not employ either manual or electronic key entry and output methods.

The NSS cryptographic module does not support entry of the seed key during key generation.

The NSS cryptographic module uses automated key transport methods, so the cryptographic key being transported needs to meet the key entry/output requirements (in Section 4.7.4 of FIPS 140-2). Automated key transport methods use the FC_UnwrapKey and FC_WrapKey functions.

  • The FC_UnwrapKey function enters an encrypted secret or private key into the NSS cryptographic module.
  • The FC_WrapKey function outputs an encrypted secret or private key from the NSS cryptographic module.

For example, in a TLS handshake with RSA key exchange, the NSS SSL library (outside the cryptographic module boundary) calls FC_WrapKey to output the premaster secret (encrypted with the server's RSA public key) from the cryptographic module on the client side, sends it to the server in the ClientKeyExchange message, and calls FC_UnwrapKey to enter the RSA-encrypted premaster secret into the cryptographic module on the server side.

Encrypted secret and private keys, entered into or output from the NSS cryptographic module and used in the FIPS Approved mode of operation, are encrypted using one of the following Approved algorithms:

  • Key Wrapping using RSA keys
  • AES
  • Triple DES
Note: If the AES or Triple DES key is derived from a password, the encrypted secret or private key is considered to be in plaintext form because password-based encryption is not FIPS Approved.

In the FIPS Approved mode of operation, secret keys, private keys, and TLS premaster secret may be established using automated methods (e.g., key transport protocols such as Key Wrapping using RSA keys). These keys can only be entered into or output from the NSS cryptographic module in encrypted form (using FC_UnwrapKey and FC_WrapKey).

Random Number Generator

There is only one random number generator (RNG) used in the NSS cryptographic module. The RNG is an Approved RNG, implementing Algorithm Hash_DRBG of NIST SP 800-90. (The RNG validation certificate is Cert# 208 NEEDSUPDATEFOR_3_12_X.) The Approved RNG is used within the NSS cryptographic module for all cryptographic purposes, including the generation of cryptographic keys used by an Approved security function.

Key Zeroization

The NSS cryptographic module performs explicit zeroization steps to clear the memory region previously occupied by a plaintext secret key, private key, or password. The function used to zeroize memory used by plaintext secret and private keys and passwords is the Standard C library function memset() or its synonym PORT_Memset(): 

 #define PORT_Memset     memset

If the memory is allocated from the heap, the PORT_ZFree() function can be used to both zeroize and free memory: 

 void
 PORT_ZFree(void *ptr, size_t len)
 {
     if (ptr) {
         memset(ptr, 0, len);
         PR_Free(ptr);
     }
 }

(PR_Free() calls the Standard C library function free() to free memory allocated from the heap.)

A plaintext secret or private key is zeroized when it is deleted (with a FC_DestroyObject call).

All plaintext secret and private keys are zeroized when

  • the NSS cryptographic module is shut down (with a FC_Finalize call),
  • the NSS cryptographic module is reinitialized (with a FC_InitToken call), or
  • the NSS cryptographic module switches between the FIPS and non-FIPS modes (with a NSC_Finalize/FC_Initialize or FC_Finalize/NSC_Initialize call sequence).

Passwords are automatically zeroized by the NSS cryptographic module immediately after use.

The memset() function is extremely fast. Zeroization can be performed in a time that is not sufficient to compromise plaintext secret and private keys and passwords.

Retrieved from "https://wiki.mozilla.org/index.php?title=VE_07KeyMgmt&oldid=162820"