[Cryptography] HSM's

ianG iang at iang.org
Tue Jan 21 02:16:57 EST 2014


On 20/01/14 21:19 PM, Peter Todd wrote:
> On Mon, Jan 20, 2014 at 07:43:19PM +0300, ianG wrote:
>> At CAcert I more or less decided I could not trust the HSMs, as 
>> essentially they were unauditable.  I don't see that has changed,
>> and what I've heard of other CA practices is that they basically
>> wing it in this direction.  I guess some Auditors just nod off as
>> soon as they hear that an approved (?) HSM is used without even
>> checking the circumstances of the procurement and usage.
>> 
>> So we stuck with the "home grown" HSM concept which was to build
>> a machine, and lock it down in the secure rack.  This has the
>> risk that someone can sneak in and steal the root by opening it
>> up.  My call was that as the CA had covered pretty much all the
>> other risk better, this was an acceptable risk.  But in the
>> future they should work to reduce this one as well.
> 
> And this is why we need n-of-m multiple key support in OpenPGP:


(Hmmm, I thought it was there.)  N-of-m is so cool that you only need
1/m of analysis.

Is n-of-m deterministic?  Or can one of the m inject
distinct signature components and still get a good signature?  What
opportunities are there for byzantine manipulation?

It only gives you an advantage when you have distributed HSMs or more
typically distributed active people.  Which you want because you're
trying to avoid the centralised threat of human insider corruption, not
the external supplier corruption.

If we're talking about 3 HSMs in a single box where we are relying on
each HSM to check that the others aren't doing the wrong thing, then
n-of-m doesn't give us any advantage that I can see.

If we're doing (distributed) voting schemes over a transaction, just
doing straight signatures with distinct keys over a transaction is
nice for a voting algorithm: the sigs are the votes.  Using n-of-m in
that circumstance gives us strictly less information, because the sig
either fails or it doesn't; we don't know why or who withdrew.


> I don't really trust your home-grown HSM, or the professional one,
> but the chance of both being backdoored is low.


Yes, that's OP's goal, I think.



iang
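The two points ianG raises above (is n-of-m deterministic, and does a threshold signature tell you who withheld) can be seen side by side in a small model. The following is an added example written for this archive page; it is not code from the list, from OpenPGP, or from any HSM product. It assumes Shamir secret sharing over a prime field as the stand-in for an n-of-m key scheme, and per-signer HMAC tags as the stand-in for signatures made with distinct keys, so that it runs with only the Python standard library.

```python
"""n-of-m threshold reconstruction vs. independent per-signer votes.

Added illustration for the thread above, not code from the list, from
OpenPGP or from any HSM vendor.  Assumptions: Shamir secret sharing over a
prime field stands in for an n-of-m key scheme, and per-signer HMAC tags
stand in for signatures made with distinct keys (chosen so the example
needs only the standard library).
"""
import hashlib
import hmac
import secrets
from itertools import combinations
from typing import Dict, List, Tuple

# Field for the sharing polynomial: 2**127 - 1 is prime.
P = (1 << 127) - 1
Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of the polynomial with the given coefficients mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, n: int, m: int) -> List[Share]:
    """Split `secret` into m shares such that any n of them reconstruct it."""
    if not (0 <= secret < P and 1 <= n <= m):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]


def reconstruct(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0.

    Deterministic: the same shares always give the same value.  But a
    tampered share changes the result silently; nothing here says which
    contributor was wrong.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def shares_agree(shares: List[Share], n: int) -> bool:
    """Detect (not attribute) tampering: every n-subset must reconstruct the
    same value.  Needs more than n shares present to detect anything."""
    values = {reconstruct(list(sub)) for sub in combinations(shares, n)}
    return len(values) == 1


# --- the alternative ianG describes: one signature per key, sigs are votes ---

def sign_vote(signer_key: bytes, message: bytes) -> bytes:
    """Stand-in for a signature with a distinct per-signer key (HMAC here)."""
    return hmac.new(signer_key, message, hashlib.sha256).digest()


def tally_votes(signer_keys: Dict[str, bytes], message: bytes,
                votes: Dict[str, bytes], quorum: int) -> Tuple[bool, List[str], List[str]]:
    """Return (quorum reached, signers with valid votes, signers missing or invalid).

    Unlike the threshold case, every vote is attributable, so a missing or
    bad vote names its source.
    """
    valid, withheld = [], []
    for name, key in signer_keys.items():
        tag = votes.get(name)
        if tag is not None and hmac.compare_digest(tag, sign_vote(key, message)):
            valid.append(name)
        else:
            withheld.append(name)
    return len(valid) >= quorum, sorted(valid), sorted(withheld)


if __name__ == "__main__":
    secret = secrets.randbelow(P)
    shares = split_secret(secret, 2, 3)
    print("honest 2-of-3 reconstructs:", reconstruct(shares[:2]) == secret)
    x, y = shares[0]
    tampered = [(x, (y + 1) % P), shares[1]]
    print("tampered share still yields 'a key':", reconstruct(tampered) != secret)
    print("all three shares consistent:", shares_agree([tampered[0]] + shares[1:], 2))

    keys = {"alice": b"ka", "bob": b"kb", "carol": b"kc"}  # constructed sample keys
    msg = b"sign intermediate cert (constructed sample)"
    votes = {"alice": sign_vote(keys["alice"], msg), "carol": sign_vote(keys["carol"], msg)}
    print("vote tally:", tally_votes(keys, msg, votes, quorum=2))
```

Reconstruction is deterministic in the shares it is given, which answers the first question for this kind of scheme, but with exactly n shares present a corrupted share produces a different, equally plausible value and nothing identifies the corrupt party; detecting it at all needs spare shares and a consistency check across subsets. The per-key vote tally, by contrast, returns the names of those who signed and those who did not, which is the "strictly more information" the message describes.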


More information about the cryptography mailing list