Topic
  • 7 replies
  • Latest Post - ‏2009-10-13T22:43:04Z by inestlerode
securityuser
securityuser
16 Posts

Pinned topic How to turn off FIPS security level

‏2009-01-11T05:30:05Z |
The XI50 we have has HSM and we enabled the FIPS Security Level 2 on the device. However, after turning this on, we are seeing performance degradation for WS-Security operations such as signature generation or encryption. How do I turn the FIPS security level off on the device? Can we still use HSM for keys

Thanks for all your help in advance
Updated on 2009-10-13T22:43:04Z at 2009-10-13T22:43:04Z by inestlerode
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: How to turn off FIPS security level

    ‏2009-01-14T04:04:43Z  
    The observed performance degradation has nothing to do with the optional HSM running in FIPS Level 2 or Level 3 mode, it has to do with the storage location of the key material. With an HSM equipped device, you must initialize the HSM in either FIPS 140-2 Level 2 or FIPS 140-2 Level 3 mode. There is no turning off the "FIPS" characteristics of an HSM.

    Where are you storing the key materials now? What are the details of the keys? (LENGTH, Generated by) How are you referencing the key materials in DataPower configuration?

    Corey
  • securityuser
    securityuser
    16 Posts

    Re: How to turn off FIPS security level

    ‏2009-01-14T17:41:29Z  
    The observed performance degradation has nothing to do with the optional HSM running in FIPS Level 2 or Level 3 mode, it has to do with the storage location of the key material. With an HSM equipped device, you must initialize the HSM in either FIPS 140-2 Level 2 or FIPS 140-2 Level 3 mode. There is no turning off the "FIPS" characteristics of an HSM.

    Where are you storing the key materials now? What are the details of the keys? (LENGTH, Generated by) How are you referencing the key materials in DataPower configuration?

    Corey
    The key I am using is stored in cert:/// location. The keys are 1024 bit keys, not 3DES encrypted
    Where should the keys be on a HSM device?
  • inestlerode
    inestlerode
    166 Posts

    Re: How to turn off FIPS security level

    ‏2009-01-14T22:50:34Z  
    The key I am using is stored in cert:/// location. The keys are 1024 bit keys, not 3DES encrypted
    Where should the keys be on a HSM device?
    Crypto Key objects on an HSM should live in a location starting with "hsm://hsm1/" (which means that they are inside of the HSM instead of on the appliance flash).

    Keys that live on the appliance flash ("cert:///") will work but much more slowly than on a normal appliance (the HSM has to import them and delete them on each RSA operation). The point of the HSM is secure key storage, so this use case is not realistic for production HSM users.

    You can get private key material inside of the HSM by generating a new key pair (using keygen and its hsm option) or by using crypto-import (both under Crypto Tools in the WebGUI).

    -Ivan
  • securityuser
    securityuser
    16 Posts

    Re: How to turn off FIPS security level

    ‏2009-01-23T21:41:37Z  
    Crypto Key objects on an HSM should live in a location starting with "hsm://hsm1/" (which means that they are inside of the HSM instead of on the appliance flash).

    Keys that live on the appliance flash ("cert:///") will work but much more slowly than on a normal appliance (the HSM has to import them and delete them on each RSA operation). The point of the HSM is secure key storage, so this use case is not realistic for production HSM users.

    You can get private key material inside of the HSM by generating a new key pair (using keygen and its hsm option) or by using crypto-import (both under Crypto Tools in the WebGUI).

    -Ivan
    Hi,
    Thanks for your response.
    I tried to import both the private key and certificate into the hsm using the crypto-import tool from the WebGUI. The private key imported correctly but the certificate (public key) seemed to have been imported into flash.
    Does this mean for verification and encryption, that the public key is copied into the hsm for each operation? If so, wouldnt this be a big performance hit?

    Thanks.
  • inestlerode
    inestlerode
    166 Posts

    Re: How to turn off FIPS security level

    ‏2009-01-29T18:40:33Z  
    Hi,
    Thanks for your response.
    I tried to import both the private key and certificate into the hsm using the crypto-import tool from the WebGUI. The private key imported correctly but the certificate (public key) seemed to have been imported into flash.
    Does this mean for verification and encryption, that the public key is copied into the hsm for each operation? If so, wouldnt this be a big performance hit?

    Thanks.
    The HSM can only contain private keys (you cannot import certificates into the HSM).

    There is no performance penalty for having your certificate on the flash on an HSM system (this is the only way it can operate). The public key is not recopied into the HSM on each verify/encrypt operation.
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: How to turn off FIPS security level

    ‏2009-10-13T21:33:26Z  
    The HSM can only contain private keys (you cannot import certificates into the HSM).

    There is no performance penalty for having your certificate on the flash on an HSM system (this is the only way it can operate). The public key is not recopied into the HSM on each verify/encrypt operation.
    Hi inestlerode ,
    You are saying "(you cannot import certificates into the HSM)". But When we go Administration --> Cypto tools --> Import Crypto objects, we have option of Object type as "Private key" and "Certificate". From this I feel we can import Certificate into HSM. I tried that option, but a new certificate was created in cert:// directory.

    So my question is are you sure we cannot import certificates into HSM ?
  • inestlerode
    inestlerode
    166 Posts

    Re: How to turn off FIPS security level

    ‏2009-10-13T22:43:04Z  
    Hi inestlerode ,
    You are saying "(you cannot import certificates into the HSM)". But When we go Administration --> Cypto tools --> Import Crypto objects, we have option of Object type as "Private key" and "Certificate". From this I feel we can import Certificate into HSM. I tried that option, but a new certificate was created in cert:// directory.

    So my question is are you sure we cannot import certificates into HSM ?
    > So my question is are you sure we cannot import certificates into HSM ?

    Yes. I am positive that you cannot import certificates into the HSM.

    Crypto export/import of certificates can be used on any appliance (with or without HSM). The point of it is to allow you to export certificates (public information) that would otherwise not be exportable due to restrictions on copying files out of the cert:/// directory on the flash.

    Crypto export/import of private keys can only be used on appliances with an HSM since the keys are going in and out of the HSM itself (not some directory on the flash).

    There is no support for exporting private keys that live on the flash, and there is no support for importing certificates into the HSM.