[Cryptography] Anyone interested in a cheap security module for Raspberry Pi?

Ron Garret ron at flownet.com
Wed Jul 26 16:24:54 EDT 2017 

On Jul 26, 2017, at 11:10 AM, Bill Cox <waywardgeek at gmail.com> wrote:

> On Wed, Jul 26, 2017 at 9:39 AM, Ron Garret <ron at flownet.com> wrote:
> 
> On Jul 25, 2017, at 7:47 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> 
>> I also am a fan of the low cost open SC4-HSM,
> 
> Thank you!  :-)
> 
>> but I am interested in devices with better physical security.
> 
> Can you elaborate on what you mean by this?  The SC4-HSM can be made secure against an adversary with physical possession of the device.  If you’re willing to type in a pass-phrase, it can even be made secure against an adversary capable of decapping the SoC.  What more do you want?
> 
> rg
> 
> I have a different threat model than most HSMs:  I assume the attacker could be:
> 
> - Malware on the host computer
> - The owner of the device, so pass phrases do not help
> - A botnet of HSM emulators, so I'll need hardware attestation
> - A group of hackers motivated enough to buy a large number of HSMs and PWN them to control the network

I think we may have a fundamental disconnect here.  The SC4-HSM is not intended to be used in a data center.  It’s intended to be used by an individual who has it in their physical possession and plugs it in to a USB port of a host that is also by necessity in their physical possession.  So there is no “network” that an attacker could possibly control.

Also, the SC4-HSM has an on-board display and push-buttons which are integral to its security model.  You could emulate an SC4-HSM, but absent some really major breakthroughs in virtual reality technology you could not hide the fact that you were emulating it.  :-)

> I think it would be useful to have:
> 
> - Basic tamper resistance
> 
> Having an accessible debug port would be bad.  This would allow an attacker to see secret keys.  There is a debug port on the  STM32F405R.  Do you somehow disable it?

Yes.  There are two ways to disable the debug port, one temporary, the other permanent.  These are described in detail in the documentation.

> Neither a safe nor passphrase would help, because the owner is in the threat model.

I don’t understand this at all.  How can the owner of a device be an attacker?  That seems impossible by definition.

> I do not want to lock it down like a Tivo, but instead have the hardware erase all secrets, including the attestation key, before allowing the owner to reprogram the entire device.

Yes, this is exactly how the reversible lock-down feature works.

> Tamper detection would be useful.

The SC4-HSM does not have this, though it could be added.  However, this would undermine what I consider to be one of the SC4-HSM’s significant features: the ability to open the device and visually inspect the circuitry to insure that what is in the package is what is supposed to be there.  If you’re willing to trust your vendor then you might as well just use an iPod Touch.

> - Verifiable boot and firmware updates.

The SC4-HSM gives you access to DFU mode, which gives you direct hardware-level access to the flash.  There is no bootloader.  (You could, of course, upload one if you wanted to, but why would you want to?)

In addition, all of the current firmware and the tool chain is open-source.  It doesn’t get any more verifiable than that.  (Note however that the current version of the firmware has NOT been audited.  Verifiable != verified.)

> I'll need to be able to run a boot loader that verifies firmware signatures before upgrading

The SC4-HSM is designed to minimize the trust you need to put in third parties.  The only part of the design that is not independently verifiable is the SoC chip itself.  Everything else is either open to inspection or under the user’s direct control.  This is *more* secure than firmware signatures because those require that you trust both the bootloader and the signer of the firmware.

> , and in some cases, it will need to erase secrets before upgrading.  Can the STM32F405R do that?

Yes.  See above.

> - ECC (P256 is fine), AES, and SHA256 acceleration to enable reasonable transactions per second (as in more than 1).

The STMF405 does not have AES and SHA in hardware, but the STMF415 does (that is the only difference between these two chips).  The current production run has 405 chips but I would be more than happy to make a batch of HSMs with 415s if that were desirable.  However, the limiting factor on performance for any given application is much more likely to be the USB2 interface than the fact that you have to do your crypto in software.

The SC4-HSM computes an Ed25519 signature in about half a second.  I haven’t timed P256, but it seems about the same.

> The main metric here is hardware cost per transaction per second.  The K81 is pretty fast at 150 MHz, but it is slower than the  STM32F405R, and the K81 costs about 30% more.  I'm assuming the crypto engines are equivalent...
> 
> - Several KiB of SRAM, say a minimum of 4KiB
> 
> SRAM is divided up between applications, and one applications cannot read another's SRAM.  More SRAM is better.  The K81's 256KiB of SRAM is more than I need as is the 192KiB on the  STM32F405R.
> 
> - A lot of flash, say at least 100KiB
> 
> Flash would be divided between the virtual machine emulator and the application it runs, so each app only gets a fraction of flash memory.  The K81's 256KiB of flash seems low, but probably good enough.  The 1MiB of the  STM32F405R is a nice upgrade.
> 
> Do you think a SC4-HSM might be close to supporting this application's needs?  If not, would you have any interest in having my help developing a new HSM that would?

As you have noted, the SC4-HSM has more than enough RAM and Flash for your needs, but it was not designed for high-throughput.  It was designed to be e.g. a U2F token or a bitCoin wallet for personal use by a single individual who carries it around in their pocket.  A significant portion of the cost is in the display (not just the hardware but the assembly costs associated with it) which you don’t need in a data center.

However, if you want to explore a low-cost HSM for data center use I would be more than happy to discuss it with you.

rg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170726/d90d0930/attachment.html>

More information about the cryptography mailing list