[Cryptech Tech] Restricting FPGA signing

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jan 28 15:57:28 UTC 2015


Randy Bush <randy at psg.com> writes:
>Steve Kent responding to me
>
>    >    o Question from CrypTech project: we are inclined to put
>    >      request validity rules inside the tamper boundary.  E.g. does
>    >      a cert signer enforce application-specific semantics on what
>    >      it is willing to sign, e.g. validity period limits, alg
>    >      types, etc.?  Does this make sense?  Will it scale with
>    >      DNSsec, RPKI, and ghu knows what else?  Can rules be
>    >      abstracted into a general syntax (we think not)?
>
>    That might be a very powerful mechanism. It's very analogous to what
>    we implemented for the BBN SafeKeyper product, where rules could be
>    imposed on certs and CRLs that a CA was asked to sign. Note that
>    there is a patent on that mechanism (US # 6,671,804).

It's unclear from reading the patent exactly how this would affect anything we 
do.  The patent talks about "templates" in a very generic manner (obviously, 
for a patent you need it to be as broad in scope as possible), but given that 
there's lots of prior art here (issuing certs based on templates is what CAs 
do normally, with the "template" being a combination of PKCS #10 or SCEP or 
CMP request and the CA's certificate) it's not much of an issue.

The patent actually talks about digitally-signed templates created by a
template authority and sent to a CA workstation which loads them into the
hardware.  The problem that the patent is trying to solve with this is that the
CA strips the integrity-protection/authentication from the data being signed
when it sends it to the HSM, so it just says "here is a blob, sign it" (think
at the PKCS #11 level, all you've got is C_Sign() and nothing above that).
The "invention" is to add rules to C_Sign() to make it less of a signature
vending machine.  If you're running cryptlib (or anything that operates at a
higher level) in the HSM then this isn't the case since the CA is running
inside the HSM, so you don't need rules added to the C_Sign()-level API.

Prior art for this, "The Design of a Cryptographic Security Architecture",
August 1999, predates the patent priority date of December 1999.

Peter.
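To make the "rules added to C_Sign()" idea concrete, here is an added C sketch (not code from this thread, from cryptlib, or from the SafeKeyper product) that gates a raw C_Sign()-style primitive behind a rule set enforcing algorithm and validity-period limits inside the tamper boundary. The cert_request and signing_policy structures, fake_raw_sign and all sample values are constructed assumptions for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the fields a CA extracts from a PKCS #10 request
   before asking the HSM to sign the certificate it built from them. */
typedef struct {
    const char *sig_alg;            /* signature algorithm the CA wants */
    int64_t not_before, not_after;  /* validity period, seconds since epoch */
    bool is_ca;                     /* basicConstraints cA flag requested */
} cert_request;
/* Hypothetical rule set held inside the tamper boundary. */
typedef struct {
    const char *const *allowed_algs;  /* NULL-terminated list */
    int64_t max_validity;             /* longest permitted period, seconds */
    bool allow_ca;
} signing_policy;
typedef enum { POLICY_OK, POLICY_BAD_ALG, POLICY_BAD_RANGE, POLICY_TOO_LONG,
               POLICY_CA_FORBIDDEN, POLICY_SIGN_FAILED } policy_result;
/* Shape of a raw C_Sign()-style primitive: signs any blob it is handed. */
typedef int (*raw_sign_fn)(const uint8_t *tbs, size_t len,
                           uint8_t *sig, size_t *siglen);
/* Constructed stand-in for the raw primitive, so the gate can be exercised. */
int raw_sign_calls = 0;  /* how often the raw primitive was actually reached */
int fake_raw_sign(const uint8_t *tbs, size_t len, uint8_t *sig, size_t *siglen) {
    (void)tbs; (void)len; raw_sign_calls++;
    memset(sig, 0xAB, 8); *siglen = 8;   /* placeholder, not a real signature */
    return 0;
}
/* The rules: applied before the blob ever reaches the signing primitive. */
policy_result check_request(const signing_policy *p, const cert_request *r) {
    bool alg_ok = false;
    for (const char *const *a = p->allowed_algs; *a != NULL; a++)
        if (strcmp(*a, r->sig_alg) == 0) { alg_ok = true; break; }
    if (!alg_ok) return POLICY_BAD_ALG;
    if (r->not_after <= r->not_before) return POLICY_BAD_RANGE;
    if (r->not_after - r->not_before > p->max_validity) return POLICY_TOO_LONG;
    if (r->is_ca && !p->allow_ca) return POLICY_CA_FORBIDDEN;
    return POLICY_OK;
}
/* Gated signer: refuses before signing, so sig is untouched on refusal. */
policy_result gated_sign(const signing_policy *p, const cert_request *r,
                         raw_sign_fn sign, const uint8_t *tbs, size_t len,
                         uint8_t *sig, size_t *siglen) {
    policy_result res = check_request(p, r);
    if (res != POLICY_OK) return res;
    return sign(tbs, len, sig, siglen) == 0 ? POLICY_OK : POLICY_SIGN_FAILED;
}
```

The point of the split is that the rules see the request semantics (algorithm, period, CA flag) that the blob handed to C_Sign() no longer carries.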

