[Cryptography] [FORGED] USB hardware token for $2??
Ron Garret
ron at flownet.com
Fri Dec 23 01:24:31 EST 2016
On Dec 22, 2016, at 4:24 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Phillip Hallam-Baker <phill at hallambaker.com> writes:
>
>> Any chance one of these could be used as a low cost HSM? Specifically, the
>> use I would have for it would be to provide a second factor for sensitive key
>> management operations. I would not store the whole key on the device, just a
>> share of the key.
>
> Anything (with a CPU) can be used as a low-cost HSM, the problem isn't the
> hardware, it's the software. Take any random ARM-based device (or Atmel, or
> MSP430 if you're a masochist) and turn it into an HSM, all the work is in the
> software, not the hardware.
Unfortunately, that is not true. To be secure, the device needs its own on-board I/O of some sort. If it doesn’t then it is not possible to draw a security perimeter around the device. If you can access the device from your laptop, then so can an attacker who pwns your laptop. (And if you are convinced that your laptop is secure, then you don’t need an HSM.)
The reason the SC4-HSM exists is that I was originally going to use a Teensy3 (which is an awesome little piece of hardware, BTW) but then realized that I could not secure it against an attack launched from the machine it is plugged in to.
You are correct that the software is the hard part. But unfortunately you do need at least a little bit of help from the hardware. Blame Alan Turing.
rg
More information about the cryptography
mailing list