[Cryptography] HSMs or Intel SGX? Which is harder to hack?

Mike Hamburg mike at shiftleft.org
Fri Feb 17 02:51:18 EST 2017



> On Feb 16, 2017, Bill Cox <waywardgeek at gmail.com> wrote:
> 
> The cost per signature is the main metric for being "practical" in this case.  A 100K/second signature capable HSM that costs $1M would be worse than a 10/second signature capable device that costs $1.  I don't care about FIPS compliance, as it no longer seems well correlated with good security.


The image of 10,000 smart card readers dangling out of your host gives me a chuckle.

> I could keep reading manufacturer's claims of their HSM security, but I just can't read any more unsubstantiated claims of "military grade" security.  I was hoping some of you folks might know the real story, and save me the effort of discerning reality from fiction based on HSM marketing material.

Unfortunately, I’m not up to date on what all the certifications mean, but it is independent security analyses and certifications that you will want to look at.

> Here's an example of what makes it hard for me to read about HSMs.  I'm picking on Thales here only by chance.  I know for a fact that they are a well respected HSM vendor, but OMG, reading their web page is very hard for even an arm-chair crypto-geek like me.  Some quotes from this page <https://www.thales-esecurity.com/solutions/by-technology-focus/tamper-resistant-security>:
> 
> "While devices from Thales have been proven in a range of settings including some of the world’s most stringent environments, you do not need to take our word for the fact that they are more secure. Thales products have been independently certified to meet FIPS 140-2 and Common Criteria standards."

Yeah, FIPS 140-2 means little, and CC depends on what level.

> What is the actual state of real-world security from respectable HSMs?  How hard is it to extract secrets from a "level 4" tamper-resistant HSM that attempts to erase secrets when a potential attack is detected?

I’m not sure.  It’s supposed to be hard, but I’ve never looked closely at the evaluation of such HSMs.  There certainly are shoddy HSMs on the market, which leak their secrets (presumably accidentally) through radio emissions.  I’d look carefully at what the certifications claim.

Overall, it should be significantly harder to extract the key from a high-quality HSM than from SGX, because SGX is not designed to resist side channels at all.  Furthermore, to have even minimal resistance to side channels, you’d have to write a power analysis resistant enclave, which would be somewhat annoying.

However, you often can’t program an HSM with your business logic.  If the host is compromised and an attacker can sign data of his choice, then you might not be getting the security you want.  I guess in principle you could even log into the HSM from an SGX enclave with your business logic, but maybe at that point you’re just being silly.

Cheers,
— Mike
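The point above about a compromised host getting an HSM to sign data of its choosing, illustrated with an added example (my own Go code, not from this thread or from any HSM or SGX vendor). The transaction format, the amount cap and the monotonic sequence number are all constructed assumptions; the contrast is between a bare signing oracle (ed25519.Sign on whatever the host submits) and a signer that keeps the business rules inside the same trust boundary as the key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed transaction format (an assumption, not from the thread):
// 8-byte big-endian sequence number || 8-byte big-endian amount.
const txLen = 16
var ErrPolicy = errors.New("policy violation") // request refused before signing
// PolicySigner keeps the key and the business rules inside one trust boundary,
// unlike a bare signing oracle (ed25519.Sign on whatever the host sends).
type PolicySigner struct {
	priv    ed25519.PrivateKey
	maxAmt  uint64 // largest amount the signer will ever authorise
	lastSeq uint64 // highest sequence number signed so far (replay guard)
}
// Sign validates the request against the policy before the key is ever used.
func (s *PolicySigner) Sign(msg []byte) ([]byte, error) {
	if len(msg) != txLen {
		return nil, fmt.Errorf("%w: malformed transaction", ErrPolicy)
	}
	seq, amt := binary.BigEndian.Uint64(msg[:8]), binary.BigEndian.Uint64(msg[8:])
	if amt > s.maxAmt {
		return nil, fmt.Errorf("%w: amount %d exceeds limit %d", ErrPolicy, amt, s.maxAmt)
	}
	if seq <= s.lastSeq { // refuse replays and out-of-order requests
		return nil, fmt.Errorf("%w: sequence %d not after %d", ErrPolicy, seq, s.lastSeq)
	}
	s.lastSeq = seq
	return ed25519.Sign(s.priv, msg), nil
}
// NewTx encodes a transaction in the constructed format above.
func NewTx(seq, amt uint64) []byte {
	b := make([]byte, txLen)
	binary.BigEndian.PutUint64(b[:8], seq)
	binary.BigEndian.PutUint64(b[8:], amt)
	return b
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo only; production code checks the error
	s := &PolicySigner{priv: priv, maxAmt: 1000}
	for _, tx := range [][]byte{NewTx(1, 500), NewTx(2, 5000), NewTx(1, 10), []byte("any bytes")} {
		sig, err := s.Sign(tx)
		fmt.Printf("err=%v verified=%v\n", err, sig != nil && ed25519.Verify(pub, tx, sig))
	}
}
```

Only the first request is signed; the over-limit amount, the replayed sequence number and the malformed blob are refused before the private key is touched, which is exactly what a key-only HSM cannot do for you.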