[Cryptech Tech] goals / use cases

Okubo, Tomofumi tomokubo at verisign.com
Fri Jan 30 09:25:06 UTC 2015


On 1/28/15, 2:57 PM, "Warren Kumari" <warren at kumari.net> wrote:

>Can the attacker get close to the device?

Yes (but can¹t get the keys).

> How close?

Hands on (but can¹t get the keys).

> While it is operating under normal conditions?

Yes (but can¹t get the keys).

>Can he provide arbitrary data to the device, or is his ability to provide
>input limited?

Limited directly to the HSM (but not if through the signing server).


>Does he have access to startup keys (a token you need to present when
>turning the device on)?

No. The credentials should be physically protected separately as the
adversary will be able to get hold of the keys in the HSM with the
credentials.

>Can he physically monkey with it?

Yes (but can¹t get the keys).

>While it is in operation?

Yes (but can¹t get the keys).

>Without being noticed?

No. There should be an audit log generated by the HSM and monitored. The
typical HSMs hardware is also tamper evident and/or resistant (physically
and logically). In addition, there shall be other physical countermeasures
(CCTV, motion detectors etc...) too. Just like any other security
operation, HSMs need other (physical, logical) security controls to
complement it. HSMs are not perfect by itself.

>I've been assuming (and I *think* we've all been assuming) that the
>design is supposed to be secure against a powerful attacker with full
>access to the device, while it is on and functional, and who can take
>it away and poke at it under whatever conditions he wants, but I'm not
>sure if we've ever actually discussed and documented this.

Me too. I believe there should be protection against adversaries
physically getting hold of the HSMs.
Typically, once the session between the signing server dies, unless
configured otherwise, you need to reactivate the HSM with the credentials
to use the keys.

>The sorts of protections that one need against a remote attacker are
>(obviously) very different than those against someone with physical
>access.

In theory, if the HSM is there, your keys are there and it is somewhat
provable. This is major big difference between software generated keys. An
HSM binds the cryptographic key to the physical world and makes it
physically manageable.

My two cents.

Cheers,
Tomofumi



More information about the Tech mailing list