11.3. Security incident impact and response
The sections below identify the impact of various compromises of keys or secrets and
the recovery action required.
Under Recovery Action the term revoke is used to indicate that the compromised key
must no longer be trusted or used. The terms revoke or revocation are normally used in
regard to digital certificates (normally containing public keys), where methods exist to
indicate that a certified key can no longer be trusted. However, this manual will apply the
term to all compromised keys.
11.3.1. Compromised Key or Secret: A brute force attack on blobbed key outside of module
Impact
Application key is compromised and must not be used:
• OCS protected application keys
• Softcard protected application keys
• Module/Module Pool protected application keys
Recovery Action
Revoke the application key and destroy the Security World, since all application keys in this
Security World must now be considered compromised.
Destruction of the Security World is achieved by erasing/destroying the ACS and re-initializing
all the HSMs to a different Security World (with a new ACS).
Alternatively, to mitigate the present threat, the HSMs can be put into pre-initialization
mode whilst business recovery procedures are implemented prior to creating a new
Security World.
Note that erasing the ACS will also prevent a lost/stolen backup from being reloaded onto a new
HSM.
11.3.2. Compromised Key or Secret: Attacker has subverted memory of HSM
Impact
Application key is compromised and must not be used:
• OCS protected application keys
nShield® Security Manual 71 of 90