We are currently evaluating the KMS softsign component for production use. Softsign has some good properties compared to a HSM. However, some risk analysis is required beforehand.
- we have a sentry architecture with a KMS component,
- an adversary has taken over the validator node, and
- that the operator key is completely offline and not accessible by the attacker.
The adversary is able to send arbitrary commands to the KMS; e.g. SignVote, SignProposal and so on. As an effect, the adversary might be able to conduct a double-signing attack and therefore slash the validator.
- Once the operator detects the attack, he should be able to put the validator into the inactive set on a voluntary basis (fees should be imposed anyhow)
- Afterwards, the operator should be able to change the validator keys, otherwise the validator cannot recover from attacks at all (in case the validator key has been accessed by the adversary)
What do you think?