Re: [TLS] TLS and hardware security modules - some issues related to PKCS11

[Nikos Mavrogiannopoulos <nmav@gnutls.org>]

On Tue, Sep 17, 2013 at 5:45 PM, Michael StJohns <msj@nthpermutation.com> wrote:

>> The master secret of a session is never a secret that is hidding
>> within the hardware module, instead, it is something known to the
>> calling TLS protocol stack and part of the TLS session cache.
> Um.  No, not if you designed things properly.  It should be possible for any
> protocol the IETF designs to do all the crypto operation inside a hardware
> module and not depend on the weak security of a general purpose computer.

What you care is protection of the long term keys by the security
module. Are you really sure you want to protect the temporal session
keys (i.e. TLS master key) as well? What do you gain if you do that?
If you want to protect the key from a software vulnerability that
gives access to the system to an adversary, then you have succeeded
your goal to protect the key but failed on the goal to protect the
data the key is encrypting/decrypting. Thus making the effort to
protect the session key pretty futile, as it is as important as the
data it protects.

> I want to protect inside of the HSM all of the following:
> a) the private keys related to the server or client identity

This makes sense because a private key is used more than one sessions
and can be used to attack future (and in some cases past sessions).

> b) the pre-master key
> c) the master key
> d) the session keys.

All of these are session-specific keys and protect the data that are
exchanged in that particular session. IMO there is no much sense
trying to isolate them from the software handling the data.

regards,
Nikos