Spoofing a Hardware Security Module

By Jeff Stapleton – ISSA member, St. Louis Chapter

This article compares valid techniques using a cryptographic hardware security module (HSM) with commonly used untrustworthy software-based crypto methods that basically spoof the HSM. Two hardware-based techniques are contrasted with three hybrid-based methods. Security issues for the software-based methods are discussed, and an alternative standards-based scheme is introduced.

June 2018 | ©2018 ISSA • www.issa.org • [email protected] • All rights reserved. ISSA Journal – 33 Spoofing a Hardware Security Module | Jeff Stapleton

Abstract

This article compares valid key management techniques using a cryptographic hardware security module (HSM) with commonly used untrustworthy software-based crypto methods that basically spoof the HSM. Software-based cryptography is generally cheaper and easier to implement but at higher risk of key compromise, whereas hardware-based cryptography has vastly lower risks but at greater costs and complexity. Attempts at combining software-based crypto with hardware-based key management often introduce poor key management solutions. Two hardware-based techniques are contrasted with three hybrid-based methods. Security issues for the software-based methods are discussed, and an alternative standards-based scheme is introduced.

This article compares valid key management techniques using a cryptographic hardware security module (HSM) [1] with commonly used untrustworthy methods that essentially spoof an HSM. Software-based cryptography is generally cheaper and easier to implement but at higher risk of key compromise, whereas hardware-based cryptography has vastly lower risks but at greater costs and complexity. Attempts at combining software-based crypto with hardware-based key management often introduce poor key management solutions with subtle but serious risks. Two valid HSM key management methods are described to establish a baseline: hardware data encryption and hardware key management with data encryption. The HSM spoofing problem arises when the data encryption is performed in software but the key management is attempted in cryptographic hardware. Three untrustworthy key management methods are contrasted with the valid techniques: faux key, KMIP unwrapped keys, and PKCS#12 password-based key derivation functions [2]. The security weaknesses are explained and an alternate method is introduced: database encryption key management (DBEKM) [3].

Hardware data encryption

Figure 1 – Hardware data encryption

The first HSM key management method discussed is cryptographic hardware-based data encryption, shown in figure 1, where an HSM contains the data encryption key within its cryptographic boundary. To preserve the security of the data key, the cryptographic algorithm (e.g., AES [4]) used for decryption and encryption is executed within the cryptographic boundary.

For data decryption with the cleartext key inside the HSM:
1. The application system makes a call to the HSM with the ciphertext.
2. The HSM decrypts the ciphertext using the key.
3. The HSM returns the cleartext data back to the application.

The application can then process the cleartext, and for data encryption:
1. The application system makes a call to the HSM with the cleartext.
2. The HSM encrypts the cleartext using the key.
3. The HSM returns the ciphertext back to the application.

Thus, the application reads ciphertext from storage, decrypts the ciphertext using the HSM, processes the cleartext, encrypts the cleartext using the HSM, and writes the ciphertext back to storage. The data key and the cryptographic algorithm reside within the cryptographic boundary of the HSM.

The advantage of hardware-based data encryption is that the cryptographic key has strong protection per the HSM physical and logical controls. One disadvantage is that networked HSMs have traffic latency that may affect the decrypt and encrypt function calls. Cabled HSMs have much higher traffic speeds, as do onboard HSMs that use the system bus for communications. Another disadvantage is the generally higher cost of an HSM, especially when many architecture designs require redundant HSMs for application and system availability.

Hardware key management with data encryption

Figure 2 – Hardware key management with data encryption

The second HSM key management method discussed is cryptographic hardware-based key management with data encryption, shown in figure 2, where the data encryption key is stored outside the HSM as an encrypted key. The data key is encrypted using a master key contained within the HSM. To maintain the security of the master key, the cryptographic algorithm used for key decryption is executed within the cryptographic boundary. To preserve the security of the data key, the cryptographic algorithm used for data decryption and data encryption is likewise executed within the cryptographic boundary.

For data decryption with the encrypted key stored outside the HSM:
1. The application system makes a call to the HSM.
   a. The HSM receives the encrypted data key from the application, where it is decrypted using the master key residing within the HSM.
   b. The HSM receives the data ciphertext from the application.
2. The HSM decrypts the data ciphertext using the data key.
3. The HSM returns the cleartext data back to the application.

The application can then process the cleartext, and for data encryption:




4. The application system makes a call to the HSM with the cleartext data. Note that if the data key no longer resides within the HSM from the previous call, then the encrypted data key needs to be passed to the HSM (not shown).
5. The HSM encrypts the cleartext using the data key.
6. The HSM returns the ciphertext back to the application.

Similar to figure 1, the application reads ciphertext from storage, decrypts the ciphertext using the HSM, processes the cleartext, encrypts the cleartext using the HSM, and writes the ciphertext to storage. However, for figure 2 the master key and data key, along with the cryptographic algorithms, reside within the cryptographic boundary of the HSM. The HSM functionally separates data decryption from key decryption such that cleartext keys cannot be exported outside its cryptographic boundary.

The advantage of hardware-based key management with data encryption is the same as for hardware-based data encryption: the key has strong protection per the HSM physical and logical controls. Likewise, the disadvantages are traffic latency and higher costs. Interestingly, the cryptographic hardware and the application system typically have about the same computational power, meaning that cryptographic algorithms run at about the same speed, so either will yield about the same throughput.

Software data encryption

Figure 3 – Software data encryption

Software-based data encryption, in contrast to hardware-based cryptography, is shown in figure 3, where the server memory contains the data encryption key. No HSM is available to protect the key; only operating system controls and system access controls restrict access to the server memory segment that contains the key and the cryptographic algorithm.

For data decryption with the cleartext key in memory:
1. The application system makes a call to the cryptographic algorithm with the ciphertext.
2. The algorithm decrypts the ciphertext using the key.
3. The algorithm returns the cleartext data back to the application.

The application can then process the cleartext, and for data encryption:
4. The application system makes a call to the cryptographic algorithm with the cleartext data.
5. The algorithm encrypts the cleartext using the key.
6. The algorithm returns the ciphertext back to the application.

Further, the key needs to be copied from disk storage into memory during application initial program load. Some operating systems do not provide any key protection while others offer some limited capabilities. The data encryption key might be stored as cleartext bits scattered on disk using a pattern supposedly only known to the operating system; this is called key obfuscation. Alternatively, the data encryption key might be encrypted using a system symmetric or asymmetric key encryption key (KEK), where the KEK is obfuscated. The obfuscation storage locations are likewise protected using operating system controls, and system access controls restrict access to the disk storage.

The advantages of software-based data encryption include lower costs and often less complexity when programming applications to use cryptographic libraries. Getting an application to interface with the communications and cryptographic functions of an HSM can be challenging. However, the major disadvantage of software-based cryptography is the higher risk of a key compromise. Further, detecting a key compromise is difficult; the key is not missing, rather an adversary has obtained a copy of the key that can be used for data decryption, alteration, or substitution.

Faux key method

Figure 4 – Faux key method

The first hybrid-based key management method, called faux key, is shown in figure 4, where the data encryption key is stored outside the HSM as an encrypted faux key. The faux key is encrypted using a master key contained within the HSM. However, unlike hardware-based key management in figure 2, where the master key is a key encryption key (KEK), the master key is actually another data encryption key. Hence, the faux key is really a data element and not a cryptographic key. To maintain the security of the master key, the cryptographic algorithm used for faux key decryption is executed within the cryptographic boundary.

For data decryption using an encrypted faux key stored outside the HSM:
1. The application system makes a call to the HSM.
   a. The HSM receives the encrypted faux key from the application, where it is decrypted using the master key residing within the HSM, and the faux key is returned to the software-based cryptographic algorithm as cleartext.
   b. The cryptographic algorithm receives the data ciphertext from the application.
2. The algorithm decrypts the data ciphertext using the key.
3. The algorithm returns the cleartext data back to the application.

The application can then process the cleartext, and for data encryption:
4. The application system makes a call to the cryptographic algorithm with the cleartext data.
5. The algorithm encrypts the cleartext using the data key.
6. The algorithm returns the ciphertext back to the application.

The HSM is basically being spoofed because the HSM decrypts the faux key as data but the application uses the faux key as a cryptographic key. This is an improper use of an HSM and a weak key management method. Despite employing an HSM, the faux key method does not provide any additional assurance over software-based data encryption with key management obfuscation. Faux key is sometimes used when an application designed to use software-based data encryption is adapted to employ hardware-based key management without making software changes.

KMIP unwrapped key method

Figure 5 – KMIP unwrapped key method

The second hybrid-based key management method, called KMIP [5] unwrapped key, is shown in figure 5, where the data encryption key is exported from an HSM encrypted within a Transport Layer Security (TLS [6]) network connection. The data key is encrypted within a TLS data packet, which is decrypted by the calling application.

For data decryption using a KMIP unwrapped key outside the HSM:
1. The application system establishes a TLS connection to the HSM.
   a. The HSM encrypts the data encryption key using the TLS session key and exports the encrypted key within a TLS data packet to the application, which subsequently decrypts the key in memory for use with its cryptographic algorithm.
   b. The cryptographic algorithm receives the data ciphertext from the application.
2. The algorithm decrypts the data ciphertext using the key.
3. The algorithm returns the cleartext data back to the application.

The application can then process the cleartext, and for data encryption:
4. The application system makes a call to the cryptographic algorithm with the cleartext data.
5. The algorithm encrypts the cleartext using the data key.
6. The algorithm returns the ciphertext back to the application.

When a TLS session is negotiated, two session keys are established: the session encryption key and the session integrity key, a keyed hash message authentication code (HMAC [7]) key. The TLS session encryption key is for data encryption, not key encryption. Keys are generated and used for specific purposes to avoid various cryptanalysis attacks. Further, the cleartext data encryption key is exposed wherever the application terminates the TLS connection between the application and the HSM. For example, the TLS connection might terminate at a network router, load balancer, or some software component separate from the application. KMIP also supports wrapped keys, where the transported key is protected using a key encryption key (KEK) within the TLS connection, but the establishment of the wrapping KEK is out of scope for KMIP. Note that wrapped keys are secure whereas unwrapped keys are not. KMIP is supported by a growing number of vendors.

PKCS#12 key wrap method

Figure 6 – PKCS#12 key wrap method

The third hybrid-based key management method, called PKCS#12 key wrap [2], is shown in figure 6, where the data encryption key is exported from the HSM to the calling application. The data key is encrypted using a password-based encryption scheme (PBES), which combines a password-based key derivation function (PBKDF) [8]. A password is input to a PBKDF that generates a key encryption key (KEK), which is used to encrypt the data encryption key. The reverse process inputs the same password into a PBKDF that generates the same KEK, which is used to decrypt the data key.

For data decryption using a PKCS#12 wrapped key outside the HSM:
1. The application system makes a call to the HSM.
   a. The HSM encrypts the data encryption key using a KEK generated from a PBKDF and password, and exports the PKCS#12 to the application, which subsequently decrypts the key in memory for use with its cryptographic algorithm. If the HSM generates the password, then it must also be sent to the application system.
   b. The cryptographic algorithm receives the data ciphertext from the application.
2. The algorithm decrypts the data ciphertext using the key.
3. The algorithm returns the cleartext data back to the application.

The application can then process the cleartext, and for data encryption:
4. The application system makes a call to the cryptographic algorithm with the cleartext data.
5. The algorithm encrypts the cleartext using the data key.
6. The algorithm returns the ciphertext back to the application.

The application might provide the password to the HSM, or the HSM might provide the password to the application system. Regardless, PKCS#12 wrapped keys address key management controls but introduce password management issues. Once the application system has stored the PKCS#12 object on disk, it can be reopened at any time using the password. However, the password must be protected, as access to the password yields access to the data encryption key. An administrator might manually enter the password, but typically the application needs to automatically open the wrapped keys. Some PKCS#12 implementations use an auto-open feature where the password is null. PKCS#12 is often the only interoperable method available between an application and an HSM.

Database encryption key management

An alternative method called Database Encryption Key Management (DBEKM) is shown in figure 7, where the HSM sends a seed to the application to generate the data encryption key. The HSM provides a hashed message authentication code (HMAC) key that is later used to create a unique seed, which is subsequently used by the application to generate a data encryption key. The setup for DBEKM consists of the following preliminary steps:
A. The HSM generates a master key encryption key (MK).
B. The HSM generates an HMAC key (HK).
C. The HSM encrypts the HMAC key using the master key: MK(HK).
D. The HSM sends the encrypted key MK(HK) to the application server.
E. The HSM deletes the HMAC key but retains the master key.
F. The application server generates a unique database identifier (DB ID).


Figure 7 – DBEKM

The HSM retains the MK but not the HK; the application retains the encrypted key MK(HK) but does not have access to the MK. DBEKM can use the same MK for one or more HK and can support one or more DB ID per HK. The uniqueness and relationships of the DB ID, HK, and MK are relative to the database architecture. For example, the application can associate the MK with its MK(HK) and DB ID using a key label that calls the MK by its assigned name.

For data decryption using DBEKM with an HSM:
1. The application system makes a call to the HSM.
   a. The application passes a unique database identifier (DB ID) and the encrypted key MK(HK) to the HSM over a TLS connection. The HSM decrypts the HMAC key using the master key and generates a seed using the identifier:

      HMAC(Decrypt(MK, MK(HK)) = HK, DB ID) = seed

   b. The HSM exports the seed to the application over the TLS connection. The application generates the data key using the seed with a key derivation function (KDF) and provides it to the cryptographic algorithm:

      KDF(seed) = data key (DK)

   c. The cryptographic algorithm receives the data ciphertext from the application.
2. The algorithm decrypts the data ciphertext using the key.
3. The algorithm returns the cleartext data back to the application.

The application can then process the cleartext, and for data encryption:
4. The application system makes a call to the cryptographic algorithm with the cleartext data.
5. The algorithm encrypts the cleartext using the data key.
6. The algorithm returns the ciphertext back to the application.

The HSM does not need to retain the HMAC key, nor does it need the ability to execute the KDF used by the application. Exportation of the seed does not violate the HSM cryptographic boundary. The seed is protected during transmission over the TLS connection. Further, because the identifier is unique per application, the corresponding seed and the data key are likewise unique. However, more robust DBEKM protocols can be employed that entail digital signatures and asymmetric key management based on a public key infrastructure (PKI [9]). The ability for an application to fetch its data key is partially based on possession of the encrypted key MK(HK) but further restricted by HSM access controls.

The same database can use more than one DB ID to generate multiple data keys using the same master key (MK) and HMAC key (HK). For example, column-based encryption can employ different keys per column by using unique identifiers per column. Further, an application can change its data key by simply managing its DB ID. As an example, the application can convert encrypted data from its current key to its next key by using two identifiers. Alternatively, multiple databases might share the same HK but still use unique data keys based on different identifiers. DBEKM is relatively new and not widely adopted.
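The boundary argument that separates figure 2, figure 4 and figure 7 can be exercised in code. The following Go program is an added example, not code from the article or from any HSM product: it models the HSM as a struct whose master key MK is unexported, so the only question each call raises is which other secret it lets across the boundary. The hardware key management path (figure 2) unwraps MK(DK) and uses DK inside; the faux key path (figure 4) is the same HSM's ordinary data-decryption call handed MK(DK), which returns the cleartext key to the application; the DBEKM path (figure 7) unwraps HK only transiently, exports the seed, and leaves the KDF to the application. AES-256-GCM as the wrapping and data cipher, HMAC-SHA256 as the application KDF, the fixed KDF label, and the DB IDs `orders.card_number` and `orders.email` are this example's assumptions and constructed values; the article does not fix those choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// randBytes draws n bytes from the system CSPRNG; failure is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead returns AES-256-GCM for a 32-byte key (NewGCM cannot fail for AES).
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts under key with a fresh random nonce prefixed to the output.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; an error means a wrong key or a tampered message.
func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// HSM stands in for the cryptographic boundary: mk is unexported and no method
// returns it. Which other secrets each call lets across the boundary is the point.
type HSM struct{ mk []byte }
func NewHSM() *HSM { return &HSM{mk: randBytes(32)} }

// WrapNewKey generates a 256-bit key inside the boundary and returns only MK(key):
// the data key DK of figure 2, or the HMAC key HK of DBEKM steps A-E.
func (h *HSM) WrapNewKey() []byte { return seal(h.mk, randBytes(32)) }

// EncryptData (figure 2): MK(DK) is unwrapped and used inside the boundary; the
// application sees only data in and data out. Decryption is the mirror image.
func (h *HSM) EncryptData(wrappedDK, plaintext []byte) ([]byte, error) {
	dk, err := open(h.mk, wrappedDK)
	if err != nil {
		return nil, err
	}
	return seal(dk, plaintext), nil
}

// DecryptRecord is an ordinary data-decryption call. The faux key method (figure 4)
// hands it MK(DK), so the HSM returns the cleartext data key to application memory.
func (h *HSM) DecryptRecord(ciphertext []byte) ([]byte, error) {
	return open(h.mk, ciphertext)
}

// Seed (figure 7, step 1a): H Seed = HMAC(Decrypt(MK, MK(HK)), DB ID). HK exists
// only transiently inside the boundary; only the seed is exported.
func (h *HSM) Seed(wrappedHK []byte, dbID string) ([]byte, error) {
	hk, err := open(h.mk, wrappedHK)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, hk)
	m.Write([]byte(dbID))
	return m.Sum(nil), nil
}

// KDF is the application side, KDF(seed) = DK. HMAC-SHA256 under a fixed label
// is this example's assumption; the article does not name a particular KDF.
func KDF(seed []byte) []byte {
	m := hmac.New(sha256.New, seed)
	m.Write([]byte("DBEKM data key"))
	return m.Sum(nil)
}

func main() {
	h := NewHSM()
	wdk, whk := h.WrapNewKey(), h.WrapNewKey()
	ct, _ := h.EncryptData(wdk, []byte("constructed record"))
	leaked, _ := h.DecryptRecord(wdk) // faux key: the "record" handed in is MK(DK)
	sw, _ := open(leaked, ct)         // software now decrypts without the HSM
	fmt.Printf("faux key: %d key bytes left the HSM; software read %q\n", len(leaked), sw)
	s1, _ := h.Seed(whk, "orders.card_number") // constructed DB IDs
	s2, _ := h.Seed(whk, "orders.email")
	fmt.Println("DBEKM: per-column data keys differ:", !hmac.Equal(KDF(s1), KDF(s2)))
}
```

Run it with go run. Two things are worth noticing. DecryptRecord is not a defect in the HSM; it is the same legitimate data-decryption call that figure 3 applications already make, and it becomes the faux key leak only because the caller supplies MK(DK) as the "record", which is why an HSM's own audit trail cannot distinguish the misuse from normal data decryption. In the DBEKM path the HSM rejects an MK(HK) produced under a different master key, because the GCM authentication fails inside the boundary, so possession of some encrypted blob is not enough to obtain a seed from this HSM; the article's point that access is further restricted by HSM access controls would sit on top of that check.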
Conclusion

This article described two HSM-based key management methods, one software-based data encryption method, and three hybrid key management methods. The three hybrid methods all attempt to use an HSM to strengthen their key management, but each introduces problems. Faux key, KMIP unwrapped key, and PKCS#12 wrapped keys all have issues. Faux key and KMIP unwrapped key both misuse data encryption keys. KMIP unwrapped key also breaches the HSM cryptographic boundary. PKCS#12 manages keys properly but creates a password management problem. Conversely, a standards-based alternative method called DBEKM is introduced that has several advantages over the hybrid methods without violating the HSM cryptographic boundary. While HSM-based methods are clearly superior, when software-based cryptography is necessary, the DBEKM method is a better option than the existing hybrid solutions discussed in this article.

References

1. FIPS 140-2 Security Requirements for Cryptographic Modules – https://csrc.nist.gov/publications/detail/fips/140/2/final.
2. IETF RFC 7292 PKCS #12: Personal Information Exchange Syntax v1.1 – https://tools.ietf.org/html/rfc7292.
3. ANSI X9.73-2017: Cryptographic Message Syntax – ASN.1 and XML Standard – www.x9.org.
4. FIPS 197 Advanced Encryption Standard (AES) – https://csrc.nist.gov/publications/detail/fips/197/final.
5. Key Management Interoperability Protocol (KMIP) – https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip.
6. IETF RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2 – https://www.ietf.org/rfc/rfc5246.txt.
7. FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) – https://csrc.nist.gov/publications/detail/fips/198/1/final.
8. IETF RFC 2898 PKCS #5: Password-Based Cryptography Specification Version 2.0 – https://tools.ietf.org/html/rfc2898.
9. ANSI X9.79 Public Key Infrastructure (PKI) – Part 4: Asymmetric Key Management – www.x9.org.
10. Jeff Stapleton, Security Without Obscurity: A Guide to Confidentiality, Authentication, and Integrity, CRC Press, ISBN 9781466592148 – https://www.crcpress.com/Security-without-Obscurity-A-Guide-to-Confidentiality-Authentication/Stapleton/p/book/9781466592148.
11. Jeff Stapleton, W. Clay Epstein, Security Without Obscurity: A Guide to PKI Operations, CRC Press, ISBN 9781498707473 – https://www.crcpress.com/Security-without-Obscurity-A-Guide-to-PKI-Operations/Stapleton-Epstein/p/book/9781498707473.
12. Jeff Stapleton, Security Without Obscurity: A Guide to Cryptographic Architectures, CRC Press, ISBN 9780815396413 – https://www.crcpress.com/Security-without-Obscurity-A-Guide-to-Cryptographic-Architectures/Stapleton/p/book/9780815396413.

About the Author

Jeff Stapleton is an information security professional with over 25 years of experience. He has been involved in the development of more than three dozen ANSI and ISO standards, chaired the X9F4 standards workgroup for over 15 years, and is the author of the Security without Obscurity book series [10][11][12]. He can be contacted via [email protected].
