[Cryptography] [FORGED] USB hardware token for $2??

Phillip Hallam-Baker phill at hallambaker.com
Fri Dec 23 08:13:51 EST 2016


On Thu, Dec 22, 2016 at 7:24 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz>
wrote:

> Phillip Hallam-Baker <phill at hallambaker.com> writes:
>
> >Any chance one of these could be used as a low cost HSM? Specifically, the
> >use I would have for it would be to provide a second factor for sensitive
> >key management operations. I would not store the whole key on the device,
> >just a share of the key.
>
> Anything (with a CPU) can be used as a low-cost HSM, the problem isn't the
> hardware, it's the software.  Take any random ARM-based device (or Atmel, or
> MSP430 if you're a masochist) and turn it into an HSM, all the work is in the
> software, not the hardware.
>

Not quite, the board has to plug into a USB socket rather than having a
USB socket to be useful.


> It always amuses and/or depresses me to see yet another ARM board on Tindie or
> Kickstarter or Indiegogo or whatever, "the world's first/smallest/most
> cromulent ARM XYZ" [0], which is exactly the same as every other ARM XYZ
> except that it has no software for it.
>

You can use a cross compiler to target the chips used in the Arduino from
Visual Studio. Now whether the 8-bit chip is supported is another matter.
There are plug-ins that provide full single-step debugging.

> [0] Everything on Kickstarter has to be at least one, possibly more of, the
>     world's first, smallest, or thinnest.  No idea why, it just is.
>

Because if it isn't new in some way, there isn't any point in paying
someone who might not deliver eight months in advance.


On Thu, Dec 22, 2016 at 3:58 PM, Ron Garret <ron at flownet.com> wrote:
>
> What would make it “secure” then?  If all you want is a place for storing
> shares of secrets, why not just use a thumb drive?
>
> To my mind, the defining feature of an HSM is that the keys are generated
> by an on-board HWRNG and never leave the device (except perhaps in
> passphrase-encrypted form).  All the crypto operations performed using the
> keys are also performed on-board.  You also need some on-board I/O.  If you
> don’t have that, then you need to secure whatever is on the other end of
> the communications channel that you use to communicate with the HSM, and if
> you can do that then you don’t need an HSM.
>

Generating the keys onboard is nice. But the defining feature in my view
is that the keys never leave once installed.

As far as endpoint compromise is concerned, it is a complete crock in my
view. Something that is not just not worth worrying about; it is positively
harmful to worry about.

Anything you use, absolutely anything is just another turtle on the stack.
Anything that is sold as a crypto module is going to be 1000% more likely
to be attacked than anything else. Windows XP is going to be less likely to
be compromised with a targeted vulnerability than a sealed HSM sold by a
highly reputable vendor.

Yes, there is a value to having a HSM, the keys never leave, the operators
cannot default without visible evidence that shows up in an audit. But
don't treat them as unhackable as they aren't.

Do people really believe that Moti Yung was the first person to work out
how to compromise an RSA HSM by manipulating the modulus? How many people
have stripped down an HSM and checked the firmware?

So what I have been looking at is ways to use insecure HSMs in a secure
fashion, which is what schemes such as my co-operative key generation do.


I have just bought eight of the devices for $10, delivered. That is the
reason I am interested. They are dirt cheap.
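The following is an added illustration, not code from the post and not Hallam-Baker's own co-operative key generation scheme: it shows the general idea behind "just a share of the key", a private key held as two additive shares (one on a host, one on a cheap token) so that the full scalar never exists on either device, while the public key and an ECDH result are still computed share by share and combined in the group. The curve arithmetic is a minimal, non-constant-time secp256k1 implementation written here for the demo; the `ShareHolder` class and function names are this example's own.

```python
# Added example (not code from the post, nor Hallam-Baker's co-operative
# key generation scheme): a private key held as two additive shares so the
# whole key never exists on one device.  Minimal secp256k1 arithmetic for
# illustration only; not constant-time, not for production use.
import secrets

# secp256k1 domain parameters (SEC 2)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                       # a == -b
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (leaks timing; demo only)."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


class ShareHolder:
    """One holder of an additive share of the private key.

    Host and token are both instances.  Each only ever returns scalar
    multiplications by its own share; the share itself never leaves.
    """

    def __init__(self):
        self._share = secrets.randbelow(N - 1) + 1   # share in [1, N-1]

    def public_contribution(self):
        return ec_mul(self._share, G)

    def partial_ecdh(self, peer_pub):
        return ec_mul(self._share, peer_pub)


def combined_public_key(host, token):
    """Q = x_host*G + x_tok*G = (x_host + x_tok)*G, with neither party
    learning the other's share (co-operative generation of Q)."""
    return ec_add(host.public_contribution(), token.public_contribution())


def combined_ecdh(host, token, peer_pub):
    """(x_host + x_tok)*peer_pub assembled from the two partial results."""
    return ec_add(host.partial_ecdh(peer_pub), token.partial_ecdh(peer_pub))


def shares_match_full_key(host, token):
    """Consistency check: share-wise results equal what one device holding
    the full scalar x = x_host + x_tok mod N would compute.  Only this
    check ever assembles x, purely to verify the construction."""
    x = (host._share + token._share) % N
    peer_pub = ec_mul(secrets.randbelow(N - 1) + 1, G)   # some peer's key
    return (combined_public_key(host, token) == ec_mul(x, G)
            and combined_ecdh(host, token, peer_pub) == ec_mul(x, peer_pub))


if __name__ == "__main__":
    host, token = ShareHolder(), ShareHolder()
    print("share-wise results match full key:", shares_match_full_key(host, token))
```

A token that compromises or leaks its share reveals nothing about x on its own, and the host likewise; an attacker needs both, which is the property that makes a cheap, untrusted device usable as a second factor for the operation. Signing with additive shares needs a proper threshold protocol (a per-operation shared nonce) rather than this simple combination.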