[Cryptech Tech] arm

Bernd Paysan bernd at net2o.de
Mon Jan 12 22:33:28 UTC 2015


On Monday, 12 January 2015, 14:37:31, Rob Austein wrote:
> At Sun, 11 Jan 2015 22:08:23 +0300, Basil Dolmatov wrote:
> > Moreover, handling of bulk data implies, that the source of these
> > data is reliable enough to maintain security chains without any weak
> > points in it.
> 
> No, that's the point of the entire discussion we had about
> "application aware signing" (formerly known as "deep content
> inspection"): the main reason for doing the hash inside the secure
> perimeter is not performance, it's so that the code inside the secure
> perimeter can inspect every bit of what is to be hashed and signed.

For me, it's still not clear what the attack vector is here that is 
prevented.  Let's say I do the hash outside, transfer the hash to the HSM, and 
get a signature, what can I do by manipulating the hash?  I can get an invalid 
signature.  That's all.

If I, on the other hand, manipulate the hashed plaintext, I get a correct 
signature of something that has been manipulated.  That's bad.  However, even 
when I do the hashing on the HSM, I still can manipulate the plaintext outside 
the HSM boundary.

The only thing where hashing on the HSM makes sense is for data which the HSM 
itself controls and creates alone, without exporting it.  An application for 
that could be signed timestamps, where the (GPS-synchronized) RTC inside the 
HSM is source for the timestamps.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
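A toy model of the two signing flows argued about in this thread, added here as an illustration and not code from the thread or from the Cryptech project. It assumes HMAC-SHA256 as a stand-in for the HSM's real signature algorithm and a constructed "record must be in our zone" policy as the application-aware check; it shows both Bernd's case (a substituted plaintext gets a valid signature either way) and Rob's case (only the hash-inside flow lets the HSM refuse content it would not vouch for).

```python
import hashlib
import hmac
import os


class Hsm:
    """Model of an HSM: the key never leaves the object.
    HMAC-SHA256 stands in for a real signature scheme (assumption)."""

    def __init__(self, policy):
        self._key = os.urandom(32)
        self._policy = policy  # callable(plaintext) -> bool: the content check

    def sign_digest(self, digest: bytes) -> bytes:
        # Hash-outside flow: the HSM only ever sees 32 opaque bytes.
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def sign_content(self, plaintext: bytes) -> bytes:
        # Hash-inside flow: the HSM can inspect every byte before committing.
        if not self._policy(plaintext):
            raise ValueError("policy rejected content")
        return self.sign_digest(hashlib.sha256(plaintext).digest())

    def verify(self, plaintext: bytes, sig: bytes) -> bool:
        expected = self.sign_digest(hashlib.sha256(plaintext).digest())
        return hmac.compare_digest(expected, sig)


def in_zone(plaintext: bytes) -> bool:
    # Constructed policy: sign only records belonging to example.test.
    return plaintext.startswith(b"example.test. 3600 IN ")


# Constructed sample records.
GOOD = b"example.test. 3600 IN A 192.0.2.1"
SUBSTITUTE = b"example.test. 3600 IN A 203.0.113.9"   # same zone, other address
OUT_OF_ZONE = b"other.test. 3600 IN A 203.0.113.9"    # violates the policy


def tampered_digest_outcome(hsm: Hsm) -> bool:
    # Bernd's case 1: corrupt the digest before it reaches the HSM.
    digest = bytearray(hashlib.sha256(GOOD).digest())
    digest[0] ^= 1
    return hsm.verify(GOOD, hsm.sign_digest(bytes(digest)))  # only an invalid signature


def tampered_plaintext_outcome(hsm: Hsm) -> bool:
    # Bernd's case 2: swap the plaintext outside, hash it, obtain a valid signature.
    return hsm.verify(SUBSTITUTE, hsm.sign_digest(hashlib.sha256(SUBSTITUTE).digest()))


def hash_inside_outcome(hsm: Hsm, plaintext: bytes) -> str:
    # Rob's case: the HSM sees the content and can refuse what fails its policy.
    try:
        hsm.sign_content(plaintext)
        return "signed"
    except ValueError:
        return "rejected"
```

Note that `hash_inside_outcome(hsm, SUBSTITUTE)` still returns "signed", which is exactly the limit Bernd raises: inspection helps only as far as the HSM's policy can distinguish legitimate content from substituted content.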