Entrust nShield Security Manual page 32

quorum is left in the card reader of a Module, as normal security practice is to remove
the last administrator card as soon as the current administrative task has been
completed.
The setting of this value will depend on the administrative tasks that the ACS quorum
will authorize to be performed in the Security World, and the results of the threat
analysis for the nShield administrators/ACS quorum.
The following is general guidance for NSO-timeout setting. Refer to your own security
policy to determine what value is acceptable:
• If the HSM is for general cryptographic use, and key migration may occur from
another Security World, the default NSO-timeout, which is 10 minutes, is a good
choice.
• If the risk of the last administrator card being mistakenly left in the HSM's card
reader is considered significant, a shorter value may be set for the NSO-timeout. The
value must be set large enough to allow completion of the longest operation the
ACS quorum authorizes.
5.2.1.2. Creating and maintaining a quorum
Each card set consists of a number of smart cards, N, of which a smaller number, K, is
required to authorize an action. The required number K is known as the quorum. Each
card in an ACS stores only a share of the ACS keys. You can only re-create these keys if
you have access to enough of their shares. Because cards sometimes fail or are lost, the
number of shares required to re-create the key (K) should be less than the total number
of shares (N).
To make a robustly secure ACS, it is recommended that the value of K is relatively large
and the value of N is less than twice that of K (for example, the values for K/N being 3/5
or 5/9). The customer security procedures should determine the values of K and N, which
should be based on a threat analysis of the protected data.
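The K/N guidance above can be checked numerically. The following is an added example, not taken from the Entrust manual: it reports how many cards can fail or be lost before the quorum is gone, whether N < 2K holds (in which case any two quorums share at least 2K - N cards, so two disjoint groups of card holders cannot each authorize an action), and the probability of losing the quorum. The function name, the independent per-card loss model, the 5% loss figure and the candidate list are assumptions chosen for illustration.

```python
from math import comb


def quorum_report(k: int, n: int, p_card_loss: float) -> dict:
    """Evaluate a K-of-N card set against the K/N guidance.

    p_card_loss is an ASSUMED probability that any one card is failed or
    lost when the quorum is needed, treated as independent per card.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= K <= N")
    if not 0.0 <= p_card_loss <= 1.0:
        raise ValueError("p_card_loss must be a probability")

    spare = n - k  # cards that may fail or be lost with the quorum intact
    # The quorum is lost once more than N-K cards are unavailable.
    p_lost = sum(
        comb(n, j) * p_card_loss**j * (1 - p_card_loss) ** (n - j)
        for j in range(spare + 1, n + 1)
    )
    return {
        "k": k,
        "n": n,
        "spare_cards": spare,
        "meets_n_lt_2k": n < 2 * k,
        # Fewest cards two different quorums must have in common.
        "min_quorum_overlap": max(0, 2 * k - n),
        "p_quorum_lost": p_lost,
    }


if __name__ == "__main__":
    # Constructed candidates: 3/5 and 5/9 are the manual's examples,
    # 2/5 and 5/5 are added to show each kind of weakness.
    for k, n in [(2, 5), (3, 5), (5, 9), (5, 5)]:
        r = quorum_report(k, n, p_card_loss=0.05)
        print(
            f"K/N={k}/{n}  spare={r['spare_cards']}  "
            f"N<2K={r['meets_n_lt_2k']}  overlap>={r['min_quorum_overlap']}  "
            f"P(quorum lost)={r['p_quorum_lost']:.6f}"
        )
```

A 5/5 set satisfies N < 2K but has no spare cards, which is why the manual also asks for K to be less than N.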
The customer security procedures should identify the role holders for the different cards.
Roles should be assigned based on area of responsibility and also on the role
holders' availability, as they may be required to recover a Security World at short notice
in the case of a failure.
The customer's security policy should determine whether pass phrases are required
for the cards. Pass phrases provide an additional barrier to an attacker. This requirement
may be necessary based on the value of the data protected and the security around the
storage location of cards. A timing delay feature is applied to password retries to add
further protection.
If an ACS quorum (K of N) is lost, the associated Security World becomes unmanageable
nShield® Security Manual
32 of 90
