Old PC as Hardware Security Module?

Casey Jones groups at caseyljones.net
Tue May 22 21:21:20 CEST 2007


Philipp Gühring wrote:
>>>> Does anyone know of software available to make an old PC into something
>>>> like a hardware security module.
>>> Yes, I developed exactly such software.
>> Great. What is it called? Is it available?
> 
> It's called CommModule. It isn't publicly available yet, but it could be
> made available upon reasonable demand.

All I can say is that I'm probably not the only one who would be
grateful if you would grant freedom to that program.


> Yes, and how do you use your pocket calculator or paper and pencil to verify
> that the thing where you expect a signature doesn't actually have one?

All I meant was that if for example, you signed an email, you could look
at the email and see if it had a signature before you sent it. Of course
if you do this simple inspection on a compromised computer you are
vulnerable to the following attack.

>> The attacker could sign something else and put a fake 
>> signature on what you wanted to sign. 
> 
> Or it could tell you that the signing didn't work because of a random
> error.

Good point. I guess you would have to keep in mind that an error could
be an indication of compromise. A counter on your HSM could tell you if
the operation was completed, and if so, more careful investigation might
be warranted. Maybe the HSM should have a light that blinks in a 
distinctive manner to indicate that the signature had been successfully 
transmitted back to the computer. Maybe the HSM should store the last 
few hashes that it signed so you could boot to a live CD and verify that 
the hash that the HSM signed was the right one for the document you 
wanted signed. If the HSM signed the wrong document, which presumably 
the attacker wouldn't let you find, then that would be a strong 
indication of compromise. You could also pull your network cable before 
doing any decryptions so you would have time to investigate errors 
before the data leaked out.

>> But then if anyone checked the 
>> signature, it wouldn't verify. 
> 
> Yes, but what if it is too late then?

Having limited signatures or decryptions in your HSM doesn't make you
invulnerable, it's just significantly better than unlimited.

> The question is, whether your application is that critical (and time 
> critical).

I'd say it's worth it even for low security situations. It may not be
worth it if you have to boot a separate computer. I would prefer the
device to be small and quick to activate like a smart card is.

>> Are there some other major weaknesses in the one operation limit that I
>> haven't thought of?
> 
> Secret-Key leakage with algorithms like DSS

How does secret-key leakage by DSS relate to limiting your HSM to one 
signature or decryption per button press?

> Well, there are several big questions from my point of view:
> * Does the HSM actually know what it is doing? Does it know, what it is
> signing? Or does it just sign a hash, and doesn't know what the hash stands
> for?

The HSM doesn't know what it's signing. For high security applications I
would suggest taking whatever measures are necessary to secure the
workstation sufficiently to be trustworthy so you know what you're 
signing. It's home computers which are used for high risk activities 
like web browsing and reading email that would benefit most from an HSM, 
because they don't have expensive security arrangements.
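
The detection idea discussed in this message (a completed-operation counter, one signature per button press, and a log of the last few hashes signed that can be checked offline from a live CD), modelled as an added Python example that is not code from the thread or from CommModule. The HSM class, the HMAC stand-in for a real private-key signature, and the two sample documents are all constructed for illustration.

```python
import hashlib
import hmac
from collections import deque

# Constructed sample inputs: the document the user meant to sign, and the
# one a compromised workstation substitutes before sending the hash.
DOC_A = b"I agree to pay 100 EUR.\n"
DOC_B = b"I agree to pay 100000 EUR.\n"
KEY = b"constructed-demo-key-not-a-real-secret"


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimulatedHSM:
    """Toy model of the proposed device: one operation per button press,
    a counter of completed operations, and a ring of recent signed hashes."""

    def __init__(self, key: bytes, audit_depth: int = 5):
        self._key = key
        self._armed = False                         # set by a physical press
        self.ops_completed = 0                      # readable off the device
        self.audit_log = deque(maxlen=audit_depth)  # last few hashes signed

    def press_button(self) -> None:
        self._armed = True

    def sign_hash(self, h: bytes) -> bytes:
        if not self._armed:
            raise PermissionError("refused: no button press for this operation")
        self._armed = False                         # the press is consumed
        sig = hmac.new(self._key, h, hashlib.sha256).digest()  # stand-in signature
        self.ops_completed += 1
        self.audit_log.append(h)
        return sig


def audit_log_check(log, intended_docs):
    """Offline check: hashes the HSM signed that match no intended document."""
    wanted = {digest(d) for d in intended_docs}
    return [h.hex() for h in log if h not in wanted]


def honest_workstation():
    hsm = SimulatedHSM(KEY)
    hsm.press_button()
    hsm.sign_hash(digest(DOC_A))
    return hsm.ops_completed, audit_log_check(hsm.audit_log, [DOC_A])


def compromised_workstation():
    hsm = SimulatedHSM(KEY)
    hsm.press_button()
    hsm.sign_hash(digest(DOC_B))  # malware swapped the hash, then reports "error"
    # The counter shows one completed operation despite the reported error,
    # and the audit log names the hash that was actually signed.
    return hsm.ops_completed, audit_log_check(hsm.audit_log, [DOC_A])
```

In the compromised case the counter reads 1 although the workstation claimed the signing failed, and the audit check returns the hash of the substituted document rather than an empty list.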

More information about the Gnupg-users mailing list