The Atalla Secure Configuration Assistant and Concepts of Hyper-Security

The Atalla Secure Configuration Assistant, also named the SCA-W, is a secure system dedicated to interfacing Atalla HSMs.

It contains:

• A secure media storage 
• A kit of administrator and backup smartcards
• The Atalla Secure keypad (ASK) acting as a Key Loading Device (KLD)

The SCA-W connects to the HSM and is used to perform initialization and management in a secure way. It achieves many of the concepts of hyper-security.

The SCA-W implements M of N quorum control via smartcards for configuration and other operations. 

The Concept of Hyper-Security

The notion of hyper-security in the era of Information Technology security and for the general security of computer systems is still an experimental concept. It is a set of ideas rather than a well-defined term. Here we shall define hyper-security simply as the sum of all security constraints of a system that involves physical security, cyber-security, human security, and in general, all possible security related to the system. Hyper-security, maximum security, maximal security, super-security are equivalent concepts to hyper-security.

As an example, let’s consider the following real-life implementation of a hyper-secure project.

A team of specialized key custodians was selected for a secret project that had to be “hyper-secure.” The data for the project had to stay secret.

The key custodians backgrounds and references were closely examined by a team of specialists and detectives. They were required to work in a secure building. The building had no internet access and did not allow access to any hardware other than a screen, keyboard, and mouse.

The cables connecting the terminals (e.g. the screens, keyboards, and mice) were secure cables that could not be cut. No “tempest” scanner could retrieve the information on the devices.

The key custodians were not allowed to bring in any recording devices such as flashcards, USB sticks, mobile phones, mp3 players, or smartwatches.

Each day they were required to go through a detection portal when they entered in the morning and left the building in the evening. Security guards were present, and they performed random physical searches.

The walls around the area were sonic-proof so that no information could have been leaked through vibrations. A Faraday cage surrounded the area so that no radio devices, short-wave emitters, or receivers, could have been used.

Additionally, the electrical system had been equipped with jamming devices because information could potentially transmit via the electrical system. The windows to the outside were dark, would not open, were bulletproof, and were specially designed so that no information could be exchanged with the outside via optical communication; especially lasers.

These measures were done because even if a rogue key custodian could have entered the building with a modem or a recording device, it should not have been possible for him to use it. Additionally, “traditional” measures were implemented, such as video monitoring and strict access control using fingerprint-based biometric identification.

The key custodians operated in a closed private network that was isolated from the internet. The resources they needed had been compiled and stored on a special server by a security officer who had access to the computers. The operating system used was equipped with all types of heuristic virus detection, habitual anti-virus, and anti-malware programs.

Only the security officer could access the central repository server. but only after a successful three-factor authentication process. This involved smartcard authentication, biometric authentication, and password authentication.

All the data of the project was ciphered and securely replicated on backup servers.

Now, this could convince readers that the project was implemented in a “hyper-secure” way; some might even say “paranoid.” However, there was still room for uncertainty. For example, the whole access control could have been easily bypassed by setting a fire in the area. In such an event, all access control would be automatically disabled and even worse, some doors leading to the outside would open to allow people to evacuate the building.

In such a case, only physical security remains, as security guards must control and direct the evacuation. For that example, the notion of hyper-security of a computer system goes beyond simple “IT Security” because it encompasses all aspects of security and also involves access controls, social engineering, protections against “non-standard” communications, etc.

A system being Common Criteria EAL4+, for example, does not automatically guarantee that it is “hyper-secure”. It all depends on the security target requirements. For example, consider that Windows 10 is EAL4+ certified.

Hyper-security is still a concept and not is described by any norms. It is perceived by readers as the “top secret” protection often portrayed in movies. The military, secret services, and special agencies are known to implement hyper-security for the development of secret weapons and protocols for interacting with nuclear weapons and strategic missiles, etc. Lie detectors and behavioral detectors are also parts of such hyper-security.

In the context of HSM technologies, hyper-security is also usually involved. Banks and financial organizations must protect their assets in a very secure way. For such organizations, breaches could result in hundreds of millions or even billions of dollars of losses.

Why the SCA-W Achieves Some Hyper-Security

Connecting a terminal to a secure system is not easy. By definition, allowing remote access is insecure. Of course, remote access is usually protected by a password or by keys, and might also be protected by IP restrictions. But if the security of the terminal is not at least equal to the security of the system it must connect to, it then creates a security problem. Why? Because compromising the terminal is compromising the entire system. Hence, why such a terminal used to connect to an HSM must be hyper-secure in many ways.

Atalla Secure Keypad (ASK)

The SCA-W uses the Atalla Secure Keypad, which is a secure cryptographic device with anti-tampering capacities. It is designed to meet the security requirements of PCI, x9.24, as well as other financial standards regarding the manual entry of PINs. All the keys and smart card PINs are entered into the Atalla Secure Keypad and are communicated securely to the smart card, thus isolating all security items.

Security Association

One of the main reasons why SCA-W achieves some hyper-security is its ability to create security associations. In its configuration, more than one administrator is needed to perform some management operations. For instance, three administrators will take part in a security association defined by the security policy, each will use their smart cards, one after the other to unlock the system with their own PIN secret.

This protocol is clearly hyper-secure and found in many critical tools, including interaction with nuclear strategic weapons, in many countries.

Loading of the HSM MasterKey(s) from the Administrators Smartcards

The HSM MasterKey is the root of all keys. It must be remotely transmitted to the HSM in a hyper-secure way. Loading such a key is performed via the administrators’ smartcards, which are as secure as the HSM because these smartcards are provided with sophisticated anti-tampering systems and resistant to all sorts of attacks (DPA, SPA, glitch, DTA, laser, chemical EM environmental attacks, etc.). Therefore, this is the ideal way to carry cryptographic keys. Essentially, the smartcards used by the SCA are themselves hyper-secure.

Summary

The Secure Configuration Assistant (SCA-W) achieves hyper-security. It is the ideal way to remotely connect to the Atalla HSM.
 

References

• More articles on the AT1000 (2018 - today), by Martin Rupp and the Utimaco team.