Re: [TLS] TLS and hardware security modules - some issues related to PKCS11

Bill Frantz <frantz@pwpconsult.com> Wed, 18 September 2013 00:21 UTC

Return-Path: <frantz@pwpconsult.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2304011E81DC for <tls@ietfa.amsl.com>; Tue, 17 Sep 2013 17:21:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qgd0ZYKXxG20 for <tls@ietfa.amsl.com>; Tue, 17 Sep 2013 17:21:09 -0700 (PDT)
Received: from elasmtp-masked.atl.sa.earthlink.net (elasmtp-masked.atl.sa.earthlink.net [209.86.89.68]) by ietfa.amsl.com (Postfix) with ESMTP id 0863F11E81CC for <tls@ietf.org>; Tue, 17 Sep 2013 17:21:08 -0700 (PDT)
Received: from [173.75.83.246] (helo=Williams-MacBook-Pro.local) by elasmtp-masked.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <frantz@pwpconsult.com>) id 1VM5Vx-00067i-Mi; Tue, 17 Sep 2013 20:21:05 -0400
Date: Tue, 17 Sep 2013 17:21:05 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: Michael StJohns <msj@nthpermutation.com>
X-Priority: 3
In-Reply-To: <52387927.4030007@nthpermutation.com>
Message-ID: <r422Ps-1075i-2648881BCFCD4A25A75989B801888781@Williams-MacBook-Pro.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Mailer: Mailsmith 2.3.1 (422)
X-ELNK-Trace: 3a5e54fa03f1b3e21aa676d7e74259b7b3291a7d08dfec79c641fde1af3a04011e78c5c14636ce9c350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 173.75.83.246
Cc: tls@ietf.org
Subject: Re: [TLS] TLS and hardware security modules - some issues related to PKCS11
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2013 00:21:14 -0000

On 9/17/13 at 8:45 AM, msj@nthpermutation.com (Michael StJohns) wrote:

>Um.  No, not if you designed things properly.  It should be 
>possible for any protocol the IETF designs to do all the crypto 
>operation inside a hardware module and not depend on the weak 
>security of a general purpose computer.

While I have no objections to this requirement, I'm not sure 
that hardware is more secure than software if your attacker is a 
large country national crypto agency or sophisticated criminal 
gangs. I worry about Russia, England, China, France etc. as well 
as the USA.

Without taking the chips apart, even validated hardware can be 
replaced at the chip foundry with a different implementation 
which leaks keys via paths such as IVs or uses bogus random numbers.

These attacks can be minimized by using forward security -- more 
keys to attack/leak; making IVs deterministic based on the plain 
text and checked; using a cypher in counter mode for IVs, 
calculating them separately at each end, and not transmitting 
them etc.

There is no real safe heaven these days.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | Truth and love must prevail  | Periwinkle
(408)356-8506      | over lies and hate.          | 16345 
Englewood Ave
www.pwpconsult.com |               - Vaclav Havel | Los Gatos, 
CA 95032