[Cryptech Tech] Working memory on HSM for decrypted private key components?

Rob Austein sra at hactrn.net
Tue Dec 15 16:37:08 UTC 2015


At Tue, 15 Dec 2015 11:08:32 -0500, Russ Housley wrote:
> 
> Nice idea, but my experience is that it does not work out so simply.
> The function to wrap a private key for backup needs the whole
> plaintext key.  You can wipe the buffer as soon as practical, but
> there is a small period of time where the whole thing is in memory
> or registers.

Well, as a thought experiment:

One could design an integrated EC point multiplier and unwrapper which
unwrapped one bit of an ECDSA private key at a time.  Which might
require storing the private key in some very different form, i.e., not
ASN.1, multiple wrapped objects (e.g., one per bit) perhaps with a lot
of noise filler if necessary to get the wrapping algorithm to work
properly in this strange case, etc.

Yes, this would be hideously complex, but the point is that one could
do it given strong enough reason.
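
The thought experiment above, sketched as an added example that is not part of the original message or of any Cryptech code: each key bit is stored as its own wrapped object and unwrapped only at the moment the double-and-add loop consumes it. The HMAC-based per-bit wrap (a toy stand-in for a real key-wrap algorithm), the 127 bits of random filler, the choice of secp256k1, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# secp256k1 (y^2 = x^3 + 7 over F_P); the curve choice is an assumption of this sketch.
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def pad(kek, label, data, i):
    """HMAC-SHA256 PRF bound to bit index i (toy stand-in for a real key-wrap/AEAD)."""
    return hmac.new(kek, label + data + i.to_bytes(2, "big"), hashlib.sha256).digest()

def wrap_bit(kek, i, bit):
    """One wrapped object per key bit: 127 bits of random filler plus the bit itself."""
    nonce = secrets.token_bytes(16)
    plain = ((secrets.randbits(127) << 1) | bit).to_bytes(16, "big")
    ct = bytes(x ^ y for x, y in zip(plain, pad(kek, b"enc", nonce, i)))
    return nonce, ct, pad(kek, b"tag", nonce + ct, i)

def unwrap_bit(kek, i, blob):
    """Authenticate blob i, then decrypt only the single bit that carries key material."""
    nonce, ct, tag = blob
    if not hmac.compare_digest(tag, pad(kek, b"tag", nonce + ct, i)):
        raise ValueError(f"wrapped bit {i} failed authentication")
    return (ct[15] ^ pad(kek, b"enc", nonce, i)[15]) & 1

def wrap_key(kek, k, nbits=256):
    """Provisioning step (sees the whole key once); blobs[i] wraps bit i of k."""
    return [wrap_bit(kek, i, (k >> i) & 1) for i in range(nbits)]

def mul_per_bit(kek, blobs, point=G):
    """Double-and-add, MSB first; at most one plaintext key bit exists at a time."""
    acc = None
    for i in reversed(range(len(blobs))):
        acc = add(acc, acc)
        if unwrap_bit(kek, i, blobs[i]):  # data-dependent branch: not side-channel safe
            acc = add(acc, point)
    return acc
```

Binding the bit index into both the keystream and the tag means reordered or substituted blobs fail authentication instead of silently yielding a different scalar.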

