[Cryptech Tech] Key extraction compromise in Safenet HSM

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Aug 17 11:17:03 UTC 2015


Jacob <jacob at edamaker.com> writes:

>Key exploitation due to some particular usage scenario in PKCS#11.

This problem has been known for at least fifteen, possibly as much as twenty
years (I'm too lazy to trawl back through the email archives to find the exact
date).  There's others too, e.g. the old Spyrus key wrap mechanism that's
present somewhere in PKCS #11 uses flawed crypto that allows key extraction.

What is surprising is that there's a vendor that actually implements this
thing.  It looks like they've methodically implemented every possible
mechanism, including the ones that no-one else would touch with a barge pole.

As with many other crypto protocols (TLS and SSH spring immediately to mind),
I think the real skill in implementing them isn't in getting the crypto right,
it's knowing what parts you need to ignore.

(The fact that you have to do a lot less implementation work this way doesn't
hurt none either :-).

Peter.
