How we built a PKI and a TSA and got them certified in 6 months
Part 2: Requirements

Dani Jimenez
Signaturit Tech Blog
4 min read · Feb 27, 2019

As we explained in the first part of this blog post (which you can read here), our goal was to build our own Qualified Time Stamping Authority (TSA).

Requirements
eIDAS also regulates the requirements that a Qualified Time Stamping Authority must comply with.

The requirements and specification documents were written by the European Telecommunications Standards Institute (ETSI) and cover a range of subjects, including:

  • Risk assessment
  • Policies and practices
  • Asset management
  • Access control
  • Cryptographic controls
  • Certificate profiles
  • Physical and environmental security
  • Operation security
  • Network security
  • Incident management
  • Collection of evidence
  • Business continuity

There are some cool things, like cryptography and technical security aspects, but there are a bunch of boring things too…

We’ll forget about the boring parts and focus on the cool technical stuff.

Out of all the specifications in the ETSI documents we can extract two key requirements:

  • We need a Hardware Security Module
  • We have to build our own Public Key Infrastructure first

Choosing a Hardware Security Module

All of Signaturit’s platform components are deployed on Amazon Web Services, so our first approach when choosing an HSM was to look for a cloud-based HSM solution, and it turned out AWS had one.

AWS CloudHSM is a cloud-based Hardware Security Module that you interact with from within the AWS cloud.


Unfortunately for us, the auditors responsible for the PKI and TSA certification process were not in favor of a cloud-based solution and preferred that we keep the HSM “in house”.

So we started looking for different HSM vendors that were available in the market.

Even though I’m not a “hardware guy”, it’s always interesting to buy a new gadget, especially one that has some sort of self-destruction functionality!

When looking for an HSM, certifications matter, but usually all commercial HSMs have been audited against the same security standards, which mainly include:

Another important aspect when choosing an HSM is which libraries are available to communicate with it. But again, every HSM manufacturer usually provides the same library support, which mainly includes:

  • PKCS#11 (we’ll talk a little bit about this later)
  • Java JCA/JCE provider
  • Microsoft CSP and/or CNG provider

So after verifying that the HSM complies with these security levels and provides the client library you need for your application, you can focus on functionality when choosing one. We found two main differences:

  • HSMs that store the application keys inside the device
  • HSMs that keep a master key loaded inside the device but store the application keys, encrypted with that master key, outside the device on a file system. When a key has to be used, it is loaded, decrypted and used inside the HSM, so the plaintext key material is never in memory outside the device.

We can argue about which option is more secure, more flexible, etc.; both have pros and cons.

Besides that, there are some HSMs that provide more advanced functionalities like code execution inside the module, specific functionalities for payment systems, etc.

In the end we chose an HSM model that keeps the keys encrypted on a file system, because we considered it a more scalable approach. That way we’re not dependent on the HSM’s internal storage capacity; instead we can treat keys like any other file and easily share them between different HSM modules that have access to that filesystem.
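To make the second model concrete, here is an added toy simulation (not the vendor’s code, nor anything from the Signaturit project) of an HSM that holds only a master key and hands out application keys as wrapped blobs: the blob is what would live on the shared filesystem, any module with the same master key can unwrap and use it internally, and a module with a different master key cannot. It assumes the `cryptography` package; `ToyHsm`, the RFC 3394 AES key wrap and the Ed25519 signing key are constructed illustrations, and a Python object is of course not tamper-resistant hardware.

```python
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.keywrap import InvalidUnwrap, aes_key_unwrap, aes_key_wrap


class ToyHsm:
    """Constructed model: only the master key lives here; app keys are plaintext only inside methods."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key  # never returned by any method

    def generate_wrapped_signing_key(self) -> bytes:
        # Fresh Ed25519 seed; the caller only ever sees it wrapped under the master key (AES-KW).
        seed = os.urandom(32)
        return aes_key_wrap(self._master, seed)

    def sign(self, wrapped: bytes, message: bytes) -> bytes:
        # Load -> unwrap -> use, all "inside the device"; only the signature leaves.
        seed = aes_key_unwrap(self._master, wrapped)  # InvalidUnwrap if master key does not match
        return Ed25519PrivateKey.from_private_bytes(seed).sign(message)

    def public_key(self, wrapped: bytes) -> Ed25519PublicKey:
        seed = aes_key_unwrap(self._master, wrapped)
        return Ed25519PrivateKey.from_private_bytes(seed).public_key()


def demo() -> dict:
    """Constructed scenario: modules A and B share a master key and a key file; 'rogue' does not."""
    master = os.urandom(32)
    hsm_a, hsm_b, rogue = ToyHsm(master), ToyHsm(master), ToyHsm(os.urandom(32))
    key_file = hsm_a.generate_wrapped_signing_key()  # the blob that would be written to shared storage
    message = b"timestamp token body (constructed sample)"
    signature = hsm_b.sign(key_file, message)  # a second module uses the same key file
    try:
        hsm_a.public_key(key_file).verify(signature, message)
        verified = True
    except InvalidSignature:
        verified = False
    try:
        rogue.sign(key_file, message)
        rogue_could_unwrap = True
    except InvalidUnwrap:
        rogue_could_unwrap = False
    return {"wrapped_len": len(key_file), "verified": verified, "rogue_could_unwrap": rogue_could_unwrap}


if __name__ == "__main__":
    print(demo())
```

The wrapped blob is 40 bytes for a 32-byte seed (AES-KW adds an 8-byte integrity block), which is also what makes the mismatched-master-key unwrap fail cleanly instead of yielding garbage key material.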

We have an HSM!

After some market research, device analysis, and even training, we have an HSM and we’re ready to use it!

But where are we going to install the (pretty big) device?

Obviously, for security reasons it was not a clever idea to keep it in our office… So we had to look for a nearby data center that complies with security and management standards like ISO 27001, ISO 9001 and ISO 22301.

Luckily for us, that was not too hard to find near Barcelona.

So we were able to deploy our own network inside the data center, with our brand new HSM waiting for the rest of the pieces of the puzzle to be built!

About Signaturit

Signaturit is a trust service provider that offers innovative solutions in the field of electronic signatures (eSignatures), certified registered delivery (eDelivery) and electronic identification (EID).

Open Positions

We are always looking for talented people who share our vision and want to join our international team in sunny Barcelona :) Be a SignaBuddy > jobs
