AWS cloudhsm medium security documentation change
Summary
Updated ECDSA hash strength requirements documentation and added bypass configuration warning
Security assessment
Documents security compliance with FIPS 186-5 requirements and adds explicit warning about insecure bypass option ('--enable-ecdsa-with-weak-hash-function') that could weaken cryptographic security if misused
Diff
diff --git a/cloudhsm/latest/userguide/ki-all.md b/cloudhsm/latest/userguide/ki-all.md index f3688565f..cf136a2d9 100644 --- a//cloudhsm/latest/userguide/ki-all.md +++ b//cloudhsm/latest/userguide/ki-all.md @@ -153 +153 @@ This error is caused by an update to Instance Metadata Service Version 2 (IMDSv2 - * **Impact:** ECDSA signing operations fail when using hash functions that are too weak compared to the key strength. This failure occurs because [FIPS 186-5](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf) requires the hash function to be at least as strong as the key strength. + * **Impact:** ECDSA signing operations fail when using hash functions that are weaker than the key strength. This failure occurs because [FIPS 186-5](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf) requires the hash function to be at least as strong as the key strength. @@ -160,0 +161,4 @@ You might see an error similar to this in your client logs: +As an additional workaround, we have added a configuration option to bypass this requirement. Please note, this option is **not recommended** , as using ECDSA with weaker hash functions does not follow security best practices. To use this option, run the following command (replacing `configure-cli` with the configure tool for the SDK being used: [AWS CloudHSM Client SDK 5 configuration syntax](./configure-tool-syntax5.html)): + + sudo /opt/cloudhsm/bin/configure-cli --enable-ecdsa-with-weak-hash-function +