
Approvers

Recall that with SKAs, you can define an authorization policy whose rules specify which approvers must come together and approve a key usage before the HSM permits the operation.

From the point of view of the HSM, each approver is a public-private key pair, also called the "Approver Key" or "Approval Key". When onboarding an approver, the HSM stores the public key. Later, the HSM verifies that an approval is valid by verifying that a specific message is signed by the corresponding private key.

For the purpose of SKA, the HSM does not care how the approver key pair is generated, nor where the private key is stored and how it is access-protected. This decision is up to the approver and their threat model. The available options also vary in user-friendliness.

Each approver needs to have some kind of "approval client" that can display pending approvals and use the private key to sign the approvalToBeSigned.
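To make the HSM's side of this concrete, here is an added Go model (not code from Securosys, the HSM or the TSB) of how registered public keys and a quorum-style policy are checked against signatures over approvalToBeSigned. The approver names, the "at least N distinct approvers" rule, the message contents and the use of Ed25519 as a stand-in signature scheme are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Approval is one approver's signature over approvalToBeSigned, tagged with the approver's name.
type Approval struct {
	Name string
	Sig  []byte
}

// Policy is a simplified, hypothetical SKA rule: at least Quorum distinct registered approvers
// must sign the same approvalToBeSigned. Approvers is what the HSM keeps after onboarding:
// only the public half of each approver key pair, never the private key.
type Policy struct {
	Approvers map[string]ed25519.PublicKey
	Quorum    int
}

// ValidApprovals returns the distinct registered approvers whose signature verifies over msg.
// Unknown names, bad or malformed signatures and repeat submissions by one approver do not count.
func (p Policy) ValidApprovals(msg []byte, approvals []Approval) []string {
	seen, ok := map[string]bool{}, []string{}
	for _, ap := range approvals {
		pub, known := p.Approvers[ap.Name]
		if !known || seen[ap.Name] || !ed25519.Verify(pub, msg, ap.Sig) {
			continue
		}
		seen[ap.Name] = true
		ok = append(ok, ap.Name)
	}
	return ok
}

// Allows reports whether the approvals satisfy the quorum for msg.
func (p Policy) Allows(msg []byte, approvals []Approval) bool {
	return len(p.ValidApprovals(msg, approvals)) >= p.Quorum
}

// main is a constructed demo: two of three onboarded approvers sign the same message.
func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	pubC, _, _ := ed25519.GenerateKey(rand.Reader)
	p := Policy{map[string]ed25519.PublicKey{"alice": pubA, "bob": pubB, "carol": pubC}, 2}
	msg := []byte("approvalToBeSigned (constructed): use key pay-01")
	fmt.Println(p.Allows(msg, []Approval{{"alice", ed25519.Sign(privA, msg)}, {"bob", ed25519.Sign(privB, msg)}}))
}
```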

Manually

The most basic, but not very secure, way is to generate a key pair with a command line tool such as openssl and store the private key on a laptop disk. While this works, it is not recommended.

HSM

The key pair can also be generated and stored in an HSM.

For example, for optimal separation, every user might have their own HSM partition (so that access control can be separated between users). Each user's approval client then generates a key pair in that partition and registers the public key as the Approver Key. When using the private key, the approval client connects to the user's partition. The downside of this is that a large number of partitions is required.

TSB Approver Management API

The Transaction Security Broker (TSB) provides the Approver Management API. It works as follows:

  • The HSM generates a key pair and returns it to the TSB.
  • The TSB wraps the key using its own wrapping key (for backup purposes) and with a password.
  • The TSB stores the wrapped key.
  • The approval client retrieves the wrapped key.
  • The approval client unwraps the key using the password, and stores it locally.

Because the key pair is generated inside the HSM, a true random number generator is used. Only a single HSM partition is needed (for the TSB). Each approval client needs its own local mechanism for secure key storage.

For more details, see this page.

warning

This setup is designed for organizations that want to centrally manage approvers and be able to back up approver keys. To avoid the TSB becoming a single point of failure, it is recommended to protect the TSB's wrapping key hsm.backupKeyName using SKA and multi-authorization. The approver keys for that SKA policy must be managed with one of the other methods, not through the TSB they protect.

Securosys Authorization App

info

This is the recommended method for most users.

The Securosys Authorization App is a mobile application designed as a user-friendly approval client. It implements the Approver Management API to obtain a key pair that was generated by an HSM. The app stores the private key in the crypto processor of the respective mobile platform (for example, Secure Enclave on iOS).

For more details, see the Authorization App documentation.