Smart Key Attributes
Smart Key Attributes bring fine-grained authorization and usage rules to private keys stored on Securosys HSMs. For example, applications can define an authorization policy for the private key by using quorums (n-of-m approvers need to approve a key usage) as well as timelocks and timeouts. Additionally, the application can set traditional key attributes to limit key usage to certain operations (sign, decrypt, unwrap).
Smart Key Attributes (SKAs) work with CloudHSM and on-premise Primus HSMs.
Why SKAs?
Traditionally, the industry has designed HSMs with one main security goal in mind: an attacker cannot run away with the private key. That is, there should be assurance that the private key is in the HSM, and only in the HSM; it cannot be taken out.
However, this security goal does not cover a very important practical aspect: whoever has access to the HSM can use the private key to perform operations (even if they cannot extract the key). That is, authorization has historically been pushed to the application using the HSM.
This is problematic: while malicious private key usage may be noticed after the fact by operators monitoring HSM logs, the damage can already be done. When a software artifact is maliciously signed, there are recovery mechanisms (tell the public about the bad artifact, revoke the key). But when a financial transaction is maliciously signed in a blockchain system, the money is irrevocably gone.
To solve this problem, Securosys has developed Smart Key Attributes (SKAs). SKAs allow applications to define authorization policies directly on keys. The advantage of this is that authorization rules are enforced not by the application (as is traditionally the case), but by the HSM inside its protected environment.
Benefits
- Write flexible and powerful multi-authorization rules.
- Use multi-signatures to authorize key usage.
- Let the HSM enforce authorization rules, instead of your application.
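A conceptual model of the policy check described above (n-of-m quorum, timelock, timeout), added here as an illustration; it is not Securosys code and does not use the SKA, TSB or JCE APIs. HMAC tags stand in for approver signatures, and all names, the sample data, and the meanings given to timelock and timeout (both measured from the request time) are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    approvers: dict  # name -> key; an HMAC secret stands in for a public key
    quorum: int      # n of the m approvers must approve
    timelock: int    # assumed: seconds after the request before use is allowed
    timeout: int     # assumed: seconds after the request when approvals expire

def approve(secret: bytes, payload: bytes, requested_at: int) -> bytes:
    """Approver side: bind the approval to this payload and this request."""
    msg = hashlib.sha256(payload).digest() + requested_at.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()

def authorize(policy, payload, requested_at, approvals, now):
    """Device side: evaluate the policy and return (allowed, reason)."""
    if now < requested_at + policy.timelock:
        return False, "timelock active"
    if now > requested_at + policy.timeout:
        return False, "approvals timed out"
    valid = set()  # a set, so one approver cannot be counted twice
    for name, tag in approvals:
        key = policy.approvers.get(name)
        if key and hmac.compare_digest(tag, approve(key, payload, requested_at)):
            valid.add(name)
    if len(valid) < policy.quorum:
        return False, f"quorum not met ({len(valid)}/{policy.quorum})"
    return True, "authorized"

# Constructed sample data: a 2-of-3 policy and one signing request.
POLICY = Policy({"alice": b"a" * 32, "bob": b"b" * 32, "carol": b"c" * 32},
                quorum=2, timelock=60, timeout=3600)
PAYLOAD, T0 = b"transfer 10 units to account 42", 1_700_000_000
APPROVALS = [(n, approve(POLICY.approvers[n], PAYLOAD, T0)) for n in ("alice", "bob")]

if __name__ == "__main__":
    for label, args in [
        ("in window", (PAYLOAD, T0, APPROVALS, T0 + 120)),
        ("too early", (PAYLOAD, T0, APPROVALS, T0 + 10)),
        ("too late", (PAYLOAD, T0, APPROVALS, T0 + 7200)),
        ("same approver twice", (PAYLOAD, T0, APPROVALS[:1] * 2, T0 + 120)),
        ("payload swapped", (b"transfer 9999 units", T0, APPROVALS, T0 + 120)),
    ]:
        print(label, "->", authorize(POLICY, *args))
```

Because each approval is bound to the payload hash, approvals collected for one request do not authorize a different one, which is the property that matters when the check runs inside the device rather than in the calling application.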
How to use SKAs in your application
The easiest way to use SKAs is through the Transaction Security Broker (TSB). The TSB makes it easy to manage a large number of approvers in an organization and includes recovery mechanisms for approver keys. The TSB also provides a REST API.
Alternatively, advanced users can manually manage SKAs on private keys with:
- the JCE provider,
- and the Primus Tools.
Please see the documentation of each respective API for more details. There you can find step-by-step tutorials on how to use SKA keys in your application.
The remainder of this documentation describes the high-level concepts of SKA.
License
The following licenses are required to use SKAs:
License | Description |
---|---|
KEY_AUTH | Basic SKA usage. |
EXTENDED_KEY_ATTRIBUTES | Basic SKA usage. |
ROOT_KEY_STORE | To use timelocks and timeouts (the integrity key is stored in the Root Key Store). Also needed to use the TSB. |
TSB_ENGINE | To use the TSB. |
In CloudHSM, these licenses are already included in most service packages.