Cryptography Reference
In-Depth Information
E
SMK
1
(
PGK
)
Export
E
TK
(
PGK
)
Import
E
TK
(
PGK
)
E
SMK
2
(
PGK
)
Figure 10.7.
Key masquerade attack
involved will never appear in the clear outside the HSM. We now show how this
could, at least in theory, happen.
As we will discuss shortly, one method of enforcing key separation in an HSM
is to store keys in the HSM encrypted under a master key that is specific to one
usage purpose. In this way, access to the key is directly linked to the use of a master
key that identifies the key usage purpose. However, many HSMs have
export
and
import
functions that allow keys to be transferred between different HSMs. Keys
are encrypted using a
transport key
during export and import. Figure 10.7 shows
how this facility could, potentially, be used to change the apparent usage purpose
of a key.
1. A PIN generation key
PGK
is stored on the HSM, encrypted by a
storage master
key SMK
1, which is the local key on theHSM that is used to store PINgeneration
keys.
2. The HSM is instructed to export
PGK
. It thus decrypts the encrypted
PGK
using
SMK
1, then re-encrypts
PGK
using the transport key
TK
. This is then exported.
3. The HSM is then instructed by the attacker to import a new MAC key. The
attacker submits
PGK
, encrypted under
TK
.
4. The HSM decrypts the encrypted
PGK
using
TK
, then re-encrypts it using
storage master key
SMK
2, which is the HSM key used to store MAC keys.
The HSM thus now regards
PGK
as a MAC key.
This attack will not be possible if different variants of transport key are used
for separate export and import functions. However, due to interoperability
issues between different vendors' solutions, transport key variants might not be
permitted.
The above difficulties all arise through security weaknesses in the interface
between the device on which the keys are stored and the outside world, which we
already observed in Section 10.5.3 was an aspect of key management that can be
problematic.
ENFORCING KEY SEPARATION
In order to avoid some of the problems that we have just illustrated, mechanisms
are required to enforce key separation. This can be regarded as part of the wider
