
SKA Keys

Securosys Smart Key Attributes provide fine-grained authorization and usage rules for private keys. For example, an application can define an authorization policy for a private key using quorums, timelocks, and timeouts. In addition, the application can set traditional key attributes that limit the key to certain operations (sign, decrypt, unwrap).

Motivation

Traditionally, the industry has designed HSMs with one main security goal in mind: an attacker cannot run away with the private key. That is, there is assurance that the private key exists only inside the HSM and cannot be extracted from it.

However, this security goal does not cover a very important practical aspect: whoever has access to the HSM can use the private key to perform operations (even if they cannot extract the key). That is, authorization has historically been pushed to the application using the HSM.

This is problematic: operators monitoring HSM logs may notice malicious use of a private key after the fact, but by then the damage is done. When a software artifact is maliciously signed, there are recovery mechanisms (announce the bad artifact, revoke the key). When a financial transaction is maliciously signed in a blockchain system, the money is irrevocably gone.

To address this problem, Securosys has developed Smart Key Attributes (SKAs). SKAs allow applications to define authorization policies on keys directly. The advantage of this is that authorization rules are enforced not by the application, but by the HSM inside its protected environment.
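As an added illustration (not code from Securosys, the TSB, or this page), the following Python models the three rule types named above and the point that the rules are evaluated inside the HSM rather than by the calling application: a quorum of distinct approvals, a timelock before which a request may not execute, and a timeout after which it expires, plus a classic operation restriction. The policy fields, the HMAC-based approval encoding, the `authorize` function and the sample identities are all hypothetical assumptions and are not the SKA data model or the TSB REST API.

```python
"""Toy model of what an HSM enforces once a usage policy is attached to a key.

Constructed for illustration only: the policy fields, approval encoding and
function names are hypothetical and are NOT the Securosys SKA format or API.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class KeyPolicy:
    approvers: Dict[str, bytes]    # approver id -> secret standing in for their signing key
    quorum: int                    # distinct valid approvals required
    timelock: int                  # seconds after creation before the request may execute
    timeout: int                   # seconds after creation at which the request expires
    allowed_ops: FrozenSet[str]    # classic key attributes: which operations are allowed


@dataclass(frozen=True)
class UsageRequest:
    request_id: str
    op: str              # "sign", "decrypt", "unwrap", ...
    payload_hash: bytes  # hash of the data to be signed / decrypted
    created_at: int      # unix seconds


def approval_tag(policy: KeyPolicy, approver: str, req: UsageRequest) -> bytes:
    """An approval is an HMAC over the request, keyed by the approver's secret.
    Binding it to request id, op and payload prevents replay against other requests."""
    msg = b"|".join([req.request_id.encode(), req.op.encode(), req.payload_hash])
    return hmac.new(policy.approvers[approver], msg, hashlib.sha256).digest()


def authorize(policy: KeyPolicy, req: UsageRequest,
              approvals: Dict[str, bytes], now: int) -> Tuple[bool, str]:
    """Decide whether the key may be used for `req` at time `now`.
    Every check runs here, in the (simulated) HSM, never in the caller."""
    if req.op not in policy.allowed_ops:
        return False, f"operation {req.op!r} not permitted for this key"
    if now >= req.created_at + policy.timeout:
        return False, "request expired (timeout)"
    if now < req.created_at + policy.timelock:
        return False, "request still timelocked"
    valid = set()
    for approver, tag in approvals.items():
        if approver not in policy.approvers:
            continue  # unknown approver never counts toward the quorum
        if hmac.compare_digest(approval_tag(policy, approver, req), tag):
            valid.add(approver)
    if len(valid) < policy.quorum:
        return False, f"quorum not met: {len(valid)}/{policy.quorum} valid approvals"
    return True, "authorized"


# Constructed sample data: three approvers, 2-of-3 quorum, 60 s timelock, 1 h timeout.
POLICY = KeyPolicy(
    approvers={"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"},
    quorum=2, timelock=60, timeout=3600, allowed_ops=frozenset({"sign"}),
)
REQ = UsageRequest("tx-0001", "sign", hashlib.sha256(b"transfer 10 BTC").digest(),
                   created_at=1000)


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Exercise each rule; returns scenario name -> (allowed, reason)."""
    good = {a: approval_tag(POLICY, a, REQ) for a in ("alice", "bob")}
    forged = dict(good, bob=hmac.new(b"wrong-secret", b"x", hashlib.sha256).digest())
    impostor = {"alice": good["alice"], "mallory": good["alice"]}  # mallory not an approver
    return {
        "quorum_met":       authorize(POLICY, REQ, good, now=1100),
        "timelocked":       authorize(POLICY, REQ, good, now=1030),
        "expired":          authorize(POLICY, REQ, good, now=5000),
        "single_approver":  authorize(POLICY, REQ, {"alice": good["alice"]}, now=1100),
        "forged_approval":  authorize(POLICY, REQ, forged, now=1100),
        "unknown_approver": authorize(POLICY, REQ, impostor, now=1100),
        "wrong_op":         authorize(POLICY, replace(REQ, op="decrypt"), good, now=1100),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:17s} {'ALLOW' if ok else 'DENY '} {why}")
```

The point of the model is where the checks live: the application only collects approvals and submits a request, and a compromised application cannot skip the quorum, shorten the timelock, or extend the timeout because those values are part of the key policy evaluated on the HSM side.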

Using SKAs in your application

The Transaction Security Broker (TSB) is designed to make using SKAs as simple as possible. The TSB also provides a REST API.

Alternatively, you can manually manage SKAs on private keys with:

Please see the respective documentation for more details and step-by-step tutorials. The remainder of the SKA documentation describes the high-level concepts.

License

Smart Key Attributes and the TSB require dedicated licenses: KEY_AUTH and TSB_ENGINE.