The following table describes the credentials used on SKFS and their access to the keys on the hardware module. It helps in summarizing the degree of vulnerability each SKFS credential can have on the keys and sensitive data in the database.
|
Credential |
Purpose |
Access to Keys? |
|---|---|---|
|
Linux root |
The superuser of the operating system normally has unlimited control over everything on the computer system, but without the required PINs for authentication to the hardware module, even the root user is incapable of accessing keys on the module. Because of the privileged status of the root users, they can assume the identity of any user on the Linux operating system. As a result, additional controls must be placed around this credential if the site security policy wishes to restrict individuals (with access to root) from accessing cryptographic keys on the hardware module. While the controls described in the Protecting PINs from root section of this document provides one method of restricting this access, sites must ultimately use methods that are in compliance to their internal security policies. |
Indirectly |
|
Linux strongkey |
This operating system user ID owns the web service application software that comprises SKFS. Since the web service application uses this user ID within the Linux operating system, this account has access to the PINs for the hardware module (so it can authenticate to the module before performing cryptographic operations on data). Care must be taken to secure this account and only provide its credential to trusted administrators. |
Yes |
|
MariaDB root |
This superuser account of the SKFS RDBMS has full control over everything inside all databases on the system. However, since data stored in the SKFS database only consists of ciphertext (data encrypted by the SKFS web application before it reaches the database) without any sensitive material that could decrypt them, this user cannot decrypt ciphertext despite their full control over database data. |
No |
|
MariaDB skfsdbuser |
The owner of database schemas and data in the SKFS internal database has unlimited control over everything inside this database schema and objects. However, as already indicated, since data stored in this internal database only consists of ciphertext without any sensitive material that could lead to its decryption, this user cannot decrypt ciphertext. |
No |
|
Payara admin |
This administration account of the JEE application server has full control over the application server's configuration. However, since this is not an operating system account, this administrator cannot read or modify anything other than the application server configuration files. This credential only exists to facilitate the administration of the application server through a web interface. |
No |
|
Web Service Credential |
This credential is used by SKFS to authenticate a requester of web services. Depending on the SKFS configuration, this can be against the SKFS managed users or against an LDAP-based Directory Server. This credential is verified by the SKFS web service application before it performs the cryptographic operation. Since the credential has no operating system, RDBMS, application server, or hardware module privileges, this user cannot access cryptographic keys in the module. If this credential has the decryption privilege, it will have the ability to request decryption services from SKFS. As a consequence, the password to this credential must be protected by the applications that will include them in their web service request to SKFS; SKFS does not maintain this credential's password. |
Indirectly |