7 replies, latest post 2009-10-13T22:43:04Z by inestlerode
securityuser

How to turn off FIPS security level

2009-01-11T05:30:05Z
The XI50 we have has an HSM and we enabled the FIPS Security Level 2 on the device. However, after turning this on, we are seeing performance degradation for WS-Security operations such as signature generation or encryption. How do I turn the FIPS security level off on the device? Can we still use the HSM for keys?

Thanks for all your help in advance.
  • SystemAdmin

    Re: How to turn off FIPS security level

    2009-01-14T04:04:43Z  in response to securityuser
    The observed performance degradation has nothing to do with the optional HSM running in FIPS Level 2 or Level 3 mode; it has to do with the storage location of the key material. With an HSM-equipped device, you must initialize the HSM in either FIPS 140-2 Level 2 or FIPS 140-2 Level 3 mode. There is no turning off the "FIPS" characteristics of an HSM.

    Where are you storing the key materials now? What are the details of the keys (length, generated by)? How are you referencing the key materials in the DataPower configuration?

    Corey
    • securityuser

      Re: How to turn off FIPS security level

      2009-01-14T17:41:29Z  in response to SystemAdmin
      The key I am using is stored in the cert:/// location. The keys are 1024-bit keys, not 3DES encrypted.
      Where should the keys be on an HSM device?
      • inestlerode

        Re: How to turn off FIPS security level

        2009-01-14T22:50:34Z  in response to securityuser
        Crypto Key objects on an HSM should live in a location starting with "hsm://hsm1/" (which means that they are inside of the HSM instead of on the appliance flash).

        Keys that live on the appliance flash ("cert:///") will work but much more slowly than on a normal appliance (the HSM has to import them and delete them on each RSA operation). The point of the HSM is secure key storage, so this use case is not realistic for production HSM users.

        You can get private key material inside of the HSM by generating a new key pair (using keygen and its hsm option) or by using crypto-import (both under Crypto Tools in the WebGUI).

        -Ivan
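As an added example (not code from this thread or from IBM), the following Python script audits a DataPower domain export for Crypto Key objects whose private key material still lives on the flash (cert:///) rather than inside the HSM (hsm://hsm1/), which is the slow configuration Ivan describes. The XML layout is a constructed, simplified stand-in for a real export; the CryptoKey/Filename element names are an assumption.

```python
"""Flag DataPower Crypto Key objects that are not stored inside the HSM.

On an HSM-initialised appliance, a key referenced as cert:///... is imported
into and deleted from the HSM on every RSA operation, which is the
performance penalty reported in the thread. Keys should live under hsm://hsm1/.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: two keys in the HSM, one on the flash, one in
# the local: directory. Hand-written for this example, not a real export.
SAMPLE_EXPORT = """<datapower-configuration>
  <configuration domain="default">
    <CryptoKey name="sign-key"><Filename>hsm://hsm1/sign-key</Filename></CryptoKey>
    <CryptoKey name="legacy-key"><Filename>cert:///legacy-key.pem</Filename></CryptoKey>
    <CryptoKey name="tls-key"><Filename>hsm://hsm1/tls-key</Filename></CryptoKey>
    <CryptoKey name="dev-key"><Filename>local:///dev-key.pem</Filename></CryptoKey>
  </configuration>
</datapower-configuration>"""

# Location prefix for key material held inside the HSM (from the thread).
HSM_PREFIX = "hsm://hsm1/"


def key_locations(export_xml):
    """Return {Crypto Key object name: Filename value} for every CryptoKey."""
    root = ET.fromstring(export_xml)
    locations = {}
    for key in root.iter("CryptoKey"):
        locations[key.get("name")] = key.findtext("Filename", default="")
    return locations


def keys_outside_hsm(export_xml):
    """Sorted names of Crypto Key objects whose material is not in the HSM."""
    return sorted(name for name, loc in key_locations(export_xml).items()
                  if not loc.startswith(HSM_PREFIX))


if __name__ == "__main__":
    locations = key_locations(SAMPLE_EXPORT)
    for name in keys_outside_hsm(SAMPLE_EXPORT):
        print(f"WARNING: CryptoKey '{name}' is at {locations[name]}; "
              f"regenerate or crypto-import it under {HSM_PREFIX}")
```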
        • securityuser

          Re: How to turn off FIPS security level

          2009-01-23T21:41:37Z  in response to inestlerode
          Hi,
          Thanks for your response.
          I tried to import both the private key and the certificate into the HSM using the crypto-import tool from the WebGUI. The private key imported correctly, but the certificate (public key) seems to have been imported into flash.
          Does this mean that for verification and encryption the public key is copied into the HSM for each operation? If so, wouldn't this be a big performance hit?

          Thanks.
          • inestlerode

            Re: How to turn off FIPS security level

            2009-01-29T18:40:33Z  in response to securityuser
            The HSM can only contain private keys (you cannot import certificates into the HSM).

            There is no performance penalty for having your certificate on the flash on an HSM system (this is the only way it can operate). The public key is not recopied into the HSM on each verify/encrypt operation.
            • SystemAdmin

              Re: How to turn off FIPS security level

              2009-10-13T21:33:26Z  in response to inestlerode
              Hi inestlerode,
              You are saying "(you cannot import certificates into the HSM)". But when we go to Administration --> Crypto Tools --> Import Crypto Objects, we have the option of Object type "Private key" or "Certificate". From this I feel we can import a certificate into the HSM. I tried that option, but a new certificate was created in the cert:// directory.

              So my question is: are you sure we cannot import certificates into the HSM?
              • inestlerode

                Re: How to turn off FIPS security level

                2009-10-13T22:43:04Z  in response to SystemAdmin
                > So my question is: are you sure we cannot import certificates into the HSM?

                Yes. I am positive that you cannot import certificates into the HSM.

                Crypto export/import of certificates can be used on any appliance (with or without HSM). The point of it is to allow you to export certificates (public information) that would otherwise not be exportable due to restrictions on copying files out of the cert:/// directory on the flash.

                Crypto export/import of private keys can only be used on appliances with an HSM since the keys are going in and out of the HSM itself (not some directory on the flash).

                There is no support for exporting private keys that live on the flash, and there is no support for importing certificates into the HSM.