[cabfpub] CA key generation, storage, and FIPS

Peter Bowen pzb at amzn.com
Thu Sep 29 23:39:22 UTC 2016


In reviewing the Baseline Requirements and certain trust store requirements, I ran into a set of questions I’m hoping someone can answer.

The BRs have several sections that address CA key protection.  The ones I think are relevant are below:

"The CA SHALL protect its Private Key in a system or device that has been validated as meeting at least FIPS 140 level 3 or an appropriate Common Criteria Protection Profile or Security Target, EAL 4 (or higher), which includes requirements to protect the Private Key and other assets against known threats.” (6.2.7)

"Protection of the CA Private Key outside the validated system or device specified above MUST consist of physical security, encryption, or a combination of both, implemented in a manner that prevents disclosure of the CA Private Key. The CA SHALL encrypt its Private Key with an algorithm and key-length that, according to the state of the art, are capable of withstanding cryptanalytic attacks for the residual life of the encrypted key or key part.” (6.2)

"The CA Private Key SHALL be backed up, stored, and recovered only by personnel in trusted roles using, at least, dual control in a physically secured environment.” (5.2.2)

The challenge I’ve run into is that the US NIST, which publishes the FIPS series, has specified that only lengths of 512, 1024, and 1536 bits shall be used for p and q in RSA private keys.  This results in public key sizes of 1024, 2048, and 3072 bits.  Due to this, no FIPS 140 validations are being issued which include RSA with 4096-bit public keys.

However, 4096 bits is the minimum size required for certain cases by trust stores and, as far as I know, it is accepted by all trust stores.

How do we rationalize this with 6.2.7, given that no module certified more recently than Jan 2014 can generate 4096-bit RSA keys or sign using 4096-bit RSA keys in FIPS mode?

Is the correct interpretation that you need the cryptographic module to have been certified as meeting FIPS 140 Level 3 but the CA can operate it in non-FIPS mode?  

Can the CA use the cryptographic module to encrypt the private key, using AES-256 or another FIPS approved algorithm, for storage but unwrap/decrypt to do the generation and signature creation in a non-validated device (as implied in 6.2)?

And what does it mean to protect a private key _in_ a validated system or device, anyway?  Some HSMs are not designed to store keys, just wrap/unwrap and use keys.

Thanks,
Peter
