Evaluate Secure Key Storage Solutions (HSM, Amazon Nitro, etc.)

[Jkd-eth]

User Story:

As the Passport team, I want to ensure that the cryptographic keys used for hashing and signing are secured against exposure, So that the integrity and security of the platform are maintained, preventing the potential doxing of 1.3 million addresses or other critical security breaches.

Acceptance Criteria

GIVEN the high sensitivity of cryptographic keys used in Passport's operations, WHEN evaluating secure storage and management options for these keys, THEN we should identify the best solution, whether it's an HSM, Amazon Nitro, or another technology, to ensure the highest level of security and minimize the risk of key exposure.

Exploration Goals

1. Risk Assessment: Identify specific vulnerabilities in our current software-based key storage, particularly focusing on the hashing key and signing key.
2. Solution Exploration: Evaluate various secure key management solutions, including HSMs, Amazon Nitro, and other potential technologies, to determine which offers the best protection against key exposure.
3. Security Impact: Analyze how each solution can prevent the exposure of critical data, such as the potential doxing of 1.3 million addresses, compared to our current practices.
4. Decision Criteria: Establish clear criteria for selecting the most secure and practical solution, based on security enhancements, cost, and operational impact.
5. Transition Plan: Develop a transition strategy to migrate to the chosen solution, ensuring minimal disruption and seamless integration with existing systems.

Timebox to 2 days (Gerald's comment below)

Product & Design Links:

N/A

Tech Details:

• Security Solutions Overview: Explore different hardware and software-based solutions like HSMs and Amazon Nitro for secure key management, each offering unique approaches to protecting cryptographic keys.
• Current Vulnerabilities: Our current software-based key management might not provide sufficient protection against advanced threats. A breach could lead to the exposure of the hashing key, compromising up to 1.3 million addresses.
• Potential Integration: Depending on the solution selected, changes may be required in how keys are accessed, rotated, and integrated within Passport’s existing systems.

Open Questions:

• [ ] How does each potential solution mitigate the risks associated with key exposure?
• [ ] Should different keys (e.g., for hashing and signing) be managed using separate solutions to enhance security?
• [ ] What are the key rotation and management implications for each solution, particularly in terms of security and operational efficiency?
• [ ] How can we smoothly transition to the new solution, ensuring continuity and backward compatibility during the migration phase?

Notes/Assumptions:

Feedback from Octant: It’s possible to transition to a more secure key management solution without significant operational disruption, potentially using credential versioning and a hybrid signing method (sign_by_hsm(hash(pii)), for example). We might need to run parallel systems during the transition to ensure security and functionality.

[lucianHymer]

I think AWS Nitro sounds like it could do something similar for us? https://aws.amazon.com/ec2/nitro/ Particularly the Nitro Security Chip, at first glance.

I believe that with this, we could have the chip generate it's own public/private key pair, and never reveal the private key even to us. Then we just send it data to sign/hash.

But if we do this, we'll probably need to think of some sort of system for rolling to a new keypair if we lose access to the original (since we won't have any backups, since it defeats the purpose). So we'll need to think that through.

This seems better than having to run our own dedicated hardware for this task.

[nutrina]

We should timebox this to 2 days.

We should look into AWS Nitro and HSM. What is the difference between these solution (pros & cons). In either case we should come up with a process for key rotation.