Thanks, guys, for all your opinions.

There is an HSM in use whose vendor provides hardware RSA encryption and
decryption. However, the key to the hardware is one way -- I can only pass
the key in to the hardware, but can't pass it out. Due to the low performance
of the hardware decryption, I decided to use software decryption instead.
(The software decryption is executed on an embedded Linux system which is
still within the secure scope.) Therefore, I need a procedure to ensure the
safe storage of my private key.

Sorry, I made a mistake. My proposed design should be "RSA key XYZ's public
key -> encrypt AES key -> encrypt RSA key XYZ's private key". Meanwhile, I
will pass RSA key XYZ's private key to the hardware RSA decryptor. Upon
startup, the HSM decrypts the AES key with the desired but "not touchable"
private key, and the encrypted private key is consequently decrypted. Will
this procedure be safe in case someone obtains my encrypted AES key and
encrypted RSA private key?

Thanks again.

Peter Lin

On Tue, Oct 27, 2009 at 8:08 AM, Patrick Patterson <ppatter...@carillonis.com> wrote:

> Peter Lin wrote:
> > Hi folks,
> >
> > I have a problem about key security.
> >
> > If an RSA private key is encrypted by an AES key, which is again encrypted
> > by the same RSA private key itself, is this considered as a secure
> > procedure? Obtaining the encrypted RSA private key and the AES key, is
> > there any way to "calculate" or "recover" the private key by some methods
> > like solving an equation?
> >
> > The reason for this strange design is that the plain text RSA private key
> > is stored in some hardware chip which can only do en/decryption but cannot
> > pass the key out. However, I need to save a copy of the private key in an
> > unsafe place for other purposes, but need to make sure of its safety. Also
> > it is not desired to maintain two sets of keys, so here comes the idea to
> > encrypt a key with itself.
> >
> > Hope I have explained it clearly. Any opinion or better suggestion is
> > appreciated.
>
>
> The simple solution to your problem is to not invent something
> yourself, and to use a proper HSM that does key backup in a sane way
> (FIPS 140-2 Level 3 or equivalent) - There are patches to OpenSSL that
> will make these HSMs work in just about any environment, so my
> recommendation would be to stop trying to reinvent wheels, and just use
> the tools that already do what you want.
>
> If, for some reason, keeping the key private is sufficiently important
> that you have to go to some rather elaborate measures to protect it, but
> is insufficiently important that the expenditure of some funds is hard
> to justify, you may want to give us a few more details as to exactly
> what you are trying to accomplish so that we can give you some more help.
>
> Have fun
>
> Patrick.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
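
The corrected design from the message at the top of this thread (XYZ's public key encrypts an AES key, which encrypts XYZ's private key, and the HSM unwraps the AES key at startup), as an added example that is not part of the original thread. The HSM is simulated by a key file under `hsm/`; the directory layout, file names and function names are assumptions.

```shell
#!/bin/sh
# Added example: simulates the design with openssl(1). "$d/hsm" stands in for
# the HSM's key slot; "$d/store" is the unsafe storage an attacker may read.

wrap_private_key() {            # $1 = working directory
    d=$1
    mkdir -p "$d/hsm" "$d/store" || return 1
    # RSA key XYZ. In the real system the private half is loaded into the HSM.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/hsm/xyz.pem" 2>/dev/null || return 1
    openssl pkey -in "$d/hsm/xyz.pem" -pubout -out "$d/store/xyz.pub" || return 1
    # Fresh 256-bit AES key and 128-bit IV (hex). The IV is not secret.
    key=$(openssl rand -hex 32) || return 1
    openssl rand -hex 16 > "$d/store/iv" || return 1
    # The AES key encrypts the RSA private key. CBC gives no integrity, so a
    # real deployment would add a MAC or use an AEAD mode; -K on the command
    # line is also visible in the process list.
    openssl enc -aes-256-cbc -K "$key" -iv "$(cat "$d/store/iv")" \
        -in "$d/hsm/xyz.pem" -out "$d/store/xyz.pem.enc" || return 1
    # XYZ's public key encrypts the AES key (RSA-OAEP).
    printf %s "$key" | openssl pkeyutl -encrypt -pubin \
        -inkey "$d/store/xyz.pub" -pkeyopt rsa_padding_mode:oaep \
        -out "$d/store/aes.key.wrapped"
}

recover_private_key() {         # $1 = working dir, $2 = unwrap key, $3 = output
    # Startup path: the "HSM" decrypts the AES key, which then decrypts the
    # stored copy of the private key. Fails if $2 is not XYZ's private key.
    key=$(openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$1/store/aes.key.wrapped" 2>/dev/null) || return 1
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$1/store/iv")" \
        -in "$1/store/xyz.pem.enc" -out "$3" 2>/dev/null
}

# Demo: round trip in a temporary directory.
t=$(mktemp -d) && wrap_private_key "$t" \
    && recover_private_key "$t" "$t/hsm/xyz.pem" "$t/out.pem" \
    && cmp -s "$t/hsm/xyz.pem" "$t/out.pem" && echo "round trip ok"
rm -rf "$t"
```

Everything under `store/` is what someone who copied the unsafe storage would hold; recovery needs the key that only the HSM has.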
