[Cryptography] On the deployment of client-side certs

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Nov 20 18:56:01 EST 2016

Thierry Moreau <thierry.moreau at connotech.com> writes:

>My bet is that is is impossible to come up with a sound API design (between
>the secure chip and the hostile general-purpose digital computing
>environment). Basically, if the secure chip provides a service to a
>legitimate application and refrain from doing so for something else, 

It's the security equivalent of Maxwell's Demon, the HSM needs to separate the
good commands from the bad commands.  That's the standard response to "we have
a EAL 6.023x10^23 certified HSM!", to which you add "...that does absolutely
everything the Windows PC it's plugged into tells it to".  So in the end you
fall back to justifying the HSM as being useful for auditing purposes because
an auditor can check off the physical artefact that The One Key is stored in.

In practice it's a bit more complex than that, I looked at it in my 1998
Usenix Security paper, see pages 4-5 of
http://www.cypherpunks.to/~peter/usenix00_slides.pdf, specifically the "Tier 1
... 5" distinction.  Most crypto devices are Tier 1 or 2...


More information about the cryptography mailing list