randombit / botan

Cryptography Toolkit
https://botan.randombit.net
BSD 2-Clause "Simplified" License

TLS-PSK with HSM #2349

Open gowi opened 4 years ago

gowi commented 4 years ago

Hi, I'd like to use Botan for TLS-PSK. My problem is: the PSK is saved on a HSM and due to security reasons the PSK must not leave the HSM. Is there are possibility to use Botan in such a setup?

randombit commented 4 years ago

Interesting use case! This isn't supported currently; the code assumes the PSK is available. But if your HSM supports the right mechanisms (I think that's CKM_TLS_MASTER_KEY_DERIVE) then - aiui - we can ask it to generate the session master key using the values we provide but without exporting the PSK. However this would be a somewhat tricky change at the TLS level, and additionally would require some support in our PKCS11 lib to actually do the key derivation.

I feel compelled to point out that unless the PSK is protected in an HSM in both client and server side there isn't much point to this. And that if you have an HSM you can use RSA (and it is supported to do TLS auth using a RSA or ECDSA private key in hardware without exporting it). So, do that if you can, but I'm sure there are Reasons why that doesn't work.

I guess the first thing is to verify that your HSM has a PKCS11 driver, and that the driver and hardware support the TLS derivation mechanisms. If it doesn't, there is probably nothing we can do.

mouse07410 commented 4 years ago

In my (extensive) experience with HSMs, they keep asymmetric keys, and do RSA and/or ECDSA. Some of the more expensive HSM devices have enough horsepower and can offload the bulk crypto (aka run the entire TLS session), but that's rare.

I've never seen an HSM used with PSK.

gowi commented 4 years ago

The HSM will be our own development. According to https://www.cryptsoft.com/pkcs11doc/v230/group__SEC__11__25__5__MASTER__KEY__DERIVATION.html

CKM_TLS_MASTER_KEY_DERIVE [...] is used to produce the "master_secret" key used in the TLS protocol from the "pre_master" key.

So you need the premaster secret for CKM_TLS_MASTER_KEY_DERIVE? Does this work since the premaster secret contains the PSK?
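To make the question above concrete, here is an added example (not from this thread or from Botan) of how the TLS-PSK pre-master secret is laid out per RFC 4279 and how the TLS 1.2 master secret is then derived from it with the RFC 5246 PRF. The PSK value, client/server randoms and helper names are constructed for illustration. It shows why the pre-master secret "contains the PSK": the PSK bytes are copied into it verbatim, so any derivation that starts from a caller-supplied pre-master secret would already have the PSK outside the HSM; keeping the PSK inside requires the device to build this structure itself.

```python
import hmac
from typing import Optional


def psk_premaster_secret(psk: bytes, other_secret: Optional[bytes] = None) -> bytes:
    """RFC 4279 section 2, plain PSK key exchange.

    pre_master_secret = uint16 len(other_secret) || other_secret
                     || uint16 len(psk)          || psk

    For the plain PSK ciphersuites other_secret is len(psk) zero bytes; for
    DHE_PSK / RSA_PSK it is the DH or RSA-encrypted secret instead.
    Note that the PSK itself is embedded unchanged in the result.
    """
    if other_secret is None:
        other_secret = bytes(len(psk))
    return (len(other_secret).to_bytes(2, "big") + other_secret
            + len(psk).to_bytes(2, "big") + psk)


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5246 section 5: P_hash(secret, seed) expanded to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) || seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF with SHA-256: PRF(secret, label, seed) = P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: 48-byte master_secret from the pre_master_secret."""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def psk_handshake_master_secret(psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Full plain-PSK path: build the pre-master secret, then derive the master secret."""
    return master_secret(psk_premaster_secret(psk), client_random, server_random)


if __name__ == "__main__":
    # Constructed sample values; a real handshake uses 32-byte randoms from each side.
    psk = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))

    pms = psk_premaster_secret(psk)
    print("pre_master_secret:", pms.hex())
    print("PSK appears verbatim in pre_master_secret:", psk in pms)
    print("master_secret:", psk_handshake_master_secret(psk, client_random, server_random).hex())
```

Running it prints the pre-master secret with the raw PSK visible in its second half, which is exactly the property that makes a host-side construction unsuitable when the PSK must never leave the HSM.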

gowi commented 4 years ago

Another question: How can I tell Botan that it shall use the CKM_TLS_MASTER_KEY_DERIVE method to derive the master secret?

snake-LB96 commented 4 years ago

Hi,

I have quite a similar problem:

PSKs can't be handed over to Botan in my scenario either. Since PSKs must not leave their secure environment, the computation of the master secret has to take place in that secure HW module as well, which would clearly be possible and isn't the main issue.

The problem is how to get this computation done outside and pass the master secret back to Botan.

My idea was: wouldn't it be possible to extend the TLS handshake with an additional (optional) user callback interface, so that the master secret could be computed by the user and handed back to Botan, which will then perform the following computations of the handshake?