[Cryptography] HSMs or Intel SGX? Which is harder to hack?

[Bill Cox]

If you wanted to store secrets so securely that you could never get them
out, how would you do it?  The secrets need to be usable for things like
signing, but they should be unrecoverable.  In particular, is it better to
buy an HSM, or use Intel's SGX mode on some of its newer processors?  If
the answer is HSM, which one(s)?

What if both the hardware cost and ongoing power cost are taken into
account?

Assume that the secrets are initially stored in an SGX enclave, or HSM
before an attacker has access to the system.  After that, the attacker has
full access, including physical access, to the HSM or CPU.  The attacker is
capable of dissolving the CPU packaging, reading fuses, and is skilled at
hacking HSMs.  Assume that all design secrets of both the Intel SGX
implementation and the HSM have been published, so there is zero security
through obscurity.

How would you make your secrets usable, but unrecoverable?  I realize that
there is no perfect security for secrets.  They can always be extracted.
However, which is a better solution?  Which is a more practical solution,
given that cost matters?

Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170216/1870fc93/attachment.html>