Hi! I have been thinking about helping out for a while now, but have had trouble finding the time.
One thing I believe the project is sorely lacking is a strategy for putting the "S" in HSM. What makes an HSM "secure"? I would argue that ultimately it means it should be suitable for the purpose intended by the user, or put differently, it should meet the expectations the user has with regards to security properties. The project needs to define what these security properties should be.

Another important aspect is assurance. How can the user know that the HSM is safe for the intended use and that it has the required security properties? Vendors of commercial products provide little assurance, arguing instead "we know what we're doing, trust us". Most open source projects aren't any better, relying on openness to somehow provide assurance without any verification. For OpenHSM to be useful it needs an assurance strategy.

What do you think about these as a start for a list of claimed security properties:

Mandatory:
- All uses of externally invocable functionality in the OpenHSM can be attributed to an authorized subject
- The cryptographic functions provided by the OpenHSM are always performed in a manner consistent with their specification
- Secret key material generated by the OpenHSM meets all requirements for safe use with the intended cryptographic functionality
- Secret key material generated by or stored in the OpenHSM is only recoverable by physically tampering with the OpenHSM functionality
- The OpenHSM resists logical attacks on integrity of function for all externally accessible interfaces
- The operational guidance supplied with the OpenHSM is sufficient to enable the intended user to safely use the OpenHSM

Optional:
- All attempts at physically tampering with the OpenHSM functionality will result in easily discoverable evidence.

If we could establish the reasonable expectations a user of OpenHSM can have, with regards to security properties, then I would be happy to contribute work on derived security requirements and an assurance case.

Cheers,
/olle