[Cryptech Tech] arm

Leif Johansson leifj at sunet.se
Tue Jan 13 23:37:38 UTC 2015


On 01/13/2015 04:08 PM, Bernd Paysan wrote:
> Am Dienstag, 13. Januar 2015, 08:50:16 schrieb Leif Johansson:
>>> 13 jan 2015 kl. 03:30 skrev Bernd Paysan <bernd at net2o.de>:
>>> I would advocate against parsing more complex data types (think of ASN1)
>>> inside the ultra-secure boundary, because with bugs in the parser, you can
>>> 0wn the HSM.
>>
>> I'm wondering how much security-fu you get by just having a library for
>> doing simple offset byte-range checks wo actually parsing stuff inside the
>> boundary. Extra checks w parsing done outside the boundary...
> 
> You get very little.  Assume I want to get you to sign an ASN1 cert with a time 
> span that is much longer.  Then I pretend the time span is somewhere else in 
> the ASN1 and produce something valid there, and the byte-range check will 
> succeed.  You have a number of free-text fields in ASN1, where you can put 
> stuff that might look funny when someone actually examines the certificate, 
> but that doesn't really matter ;-). You could try to generate a public key 
> that contains something that looks like a valid ASN1 time range; that may take 
> a bit longer than the usual key generation time, but should be doable.
> 
> I suppose it's easier the other way round: The HSM inserts the signature times 
> into the fields pointed to by the signing request (you only have to check that 
> the fields are indeed inside the supplied blob), and then hashes and signs the 
> certificate, if that's easily doable.  However, I don't think it is.  ASN1 is 
> clearly a format from hell.
> 

right you are
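As an added illustration of the point above (not code from the Cryptech project or from anyone in this thread), here is a reduced Python model of the two checks being contrasted: an offset-only bounds check that trusts where the request says the validity window sits, beside a strict walk of a small fixed DER structure standing in for a TBSCertificate. The two-element structure, the MAX_DAYS policy and the sample blob are assumptions constructed for the demo, not real X.509.

```python
import datetime as dt

MAX_DAYS = 398  # hypothetical HSM policy: longest validity window it will sign
FMT = "%y%m%d%H%M%SZ"              # DER UTCTime text form

def der_tlv(tag, body):            # short-form DER lengths are enough for this demo
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def utctime(d):
    return der_tlv(0x17, d.strftime(FMT).encode("ascii"))

def build_tbs(comment, not_before, not_after):  # SEQUENCE { UTF8String, Validity }
    validity = der_tlv(0x30, utctime(not_before) + utctime(not_after))
    return der_tlv(0x30, der_tlv(0x0C, comment) + validity)

def read_tlv(buf, pos):            # one short-form TLV at pos -> (tag, value, end)
    if pos < 0 or pos + 2 > len(buf) or buf[pos + 1] >= 128:
        raise ValueError("bad TLV header")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf): raise ValueError("TLV runs past end of blob")
    return buf[pos], buf[pos + 2:end], end

def window_days(val):
    # Validity SEQUENCE value = two UTCTimes; returns the window length in days
    t1, nb, p = read_tlv(val, 0)
    t2, na, end = read_tlv(val, p)
    if t1 != 0x17 or t2 != 0x17 or end != len(val):
        raise ValueError("not a Validity SEQUENCE")
    return (dt.datetime.strptime(na.decode("ascii"), FMT)
            - dt.datetime.strptime(nb.decode("ascii"), FMT)).days

def weak_check(blob, off):         # offset-only: caller says where Validity is
    tag, val, _ = read_tlv(blob, off)          # we only bounds-check that claim
    return tag == 0x30 and window_days(val) <= MAX_DAYS

def strict_check(blob):
    # Walk the structure so the field checked is the field that gets signed
    tag, body, end = read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob): raise ValueError("not one outer SEQUENCE")
    tag, _, p = read_tlv(body, 0)              # element 1: the comment
    if tag != 0x0C: raise ValueError("unexpected first element")
    tag, val, end = read_tlv(body, p)          # element 2: Validity
    if tag != 0x30 or end != len(body): raise ValueError("bad Validity or trailing data")
    return window_days(val) <= MAX_DAYS

# Constructed request: real Validity is ten years, but the comment field carries
# bytes shaped like a one-year Validity SEQUENCE for an offset check to land on.
NOW = dt.datetime(2015, 1, 13)
DECOY = der_tlv(0x30, utctime(NOW) + utctime(NOW + dt.timedelta(days=365)))
BLOB = build_tbs(DECOY, NOW, NOW + dt.timedelta(days=3650))
DECOY_OFFSET = 4                   # outer header (2) + UTF8String header (2)
```

weak_check(BLOB, DECOY_OFFSET) passes the ten-year request because it only checks that the pointed-to bytes are in bounds and well-formed; strict_check(BLOB) rejects it because it locates Validity by position in the structure rather than by a caller-supplied offset.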