Score:2

Can export of wrapped secret key to insecure storage be cryptographically secure?

  1. I ask because some HSM vendors try to avoid the export of a wrapped secret key from the HSM to insecure storage, that is, storage that does not belong to the vendor's HSM infrastructure.

    For example, Thales prefers to back up keys to another Thales HSM; most of their documentation is about cloning between their devices. But Thales has an option for sending traffic via public networks: Backup HSM Installed Using Remote Backup Service (RBS)

    “…It is useful in deployments where backups are stored in a separate location from the SafeNet Luna PCIe HSM, to mitigate the consequences of catastrophic loss (fire, flood, etc).”

  2. The gpg2 man pages say the following:

    Note that exporting a secret key can be a security risk if the exported keys are sent over an insecure channel.

  3. On the other side, I see that some solutions like AWS CloudHSM allow export/wrapping of a key to insecure storage.

Let's use a similar approach for AES-256 key wrapping, described in the article How do HSM Backups work?, to make a backup of a 256-bit key from some HSM:

  1. The HSM generates a unique (per backup) AES 256-bit key (a KDF is used) to encrypt each backup of the OTK (the one-time or ephemeral key).
  2. AES Key Wrap Algorithm: RFC 3394 (AES Key Wrap with No Padding)

The backup will be stored in storage that is publicly readable (no write/delete permission). Let's consider only attacks based on cryptanalysis, brute force or dictionary attacks (not side-channel or other kinds of attacks). A dictionary attack is possible because the wrapping AES-256 key is derived from a passphrase (according to a standard KDF). Assume that the passphrase is strong, or may be made strong enough if necessary.

All keys in the system have the same policy/purpose.

Updated: Since a dictionary attack is in the scope of this question, generation of the passphrase should be specified. Nowadays the following usage is common: for an operation that happens rarely (like generation of the private key for wallet initialization, or unwrapping the key into the HSM from a backup), 24 words are used (chia is an example). A person can write down these words. The dictionary contains 2048 == 2^11 words.

2^256 < (2^11)^24 == true

The application generates the passphrase for the user. Each word from the dictionary is randomly (uniformly) selected. The user's manipulations with input devices are used as seeds for the RNG. The properties of the generated pseudo-random sequences will be tested with randomness tests.

Is such an export of a wrapped secret key to insecure storage cryptographically secure? Cryptographically secure here means that an attacker cannot obtain the secret (wrapped) key in plaintext.

If the mentioned conditions are not sufficient, what should be modified?


Maarten Bodewes:
I guess it can be, but the layer between secure and utterly insecure is paper thin. Specifically, relying on a password to protect the key is dangerous. The whole idea of an HSM is that the key value isn't leaked if the access control fails (and to protect against side channel attacks and such, of course). You can argue what the benefit of the HSM is in your environment. Whether it is acceptable depends on the use case / requirements / risk analysis and *if applicable* the client.
Vlad:
I agree, there are many factors. This is why I try to focus on cryptographic aspects, considering only cryptanalysis and current computational capabilities for brute-force and dictionary attacks, eliminating the human factor. Nowadays the following usage is common: for operations that happen rarely (like generation of the private key for a wallet) 24 words are used. A person can write down these words. Dictionary: 2048 == 2^11 words. 2^256 < (2^11)^24 == true; for several private keys per person it's feasible to manage several such passphrases. A dozen passphrases are difficult to store. I try to narrow the focus.
Score:0

With a passphrase having at least as much entropy as the wrapping key, such exporting "under wrap" is effectively as secure as the less secure of (the underlying encryption algorithm) and (the storage method of the passphrase). It is usually recommended that such backups be stored in another HSM of equal or greater security to the original; as always, access to the HSM itself must be controlled for it to remain secure.

Vlad:
In this case the passphrase has at least as much entropy as the wrapping key. Here I do not consider non-cryptographic aspects such as how the passphrase is stored; I assume that it is secure. An HSM will often be more secure, but it is not always possible to back up to an HSM (as in the case of AWS CloudHSM). If I understood you correctly, your answer is YES: an HSM is better, but under the described conditions, backup to insecure storage is cryptographically secure. Likely an HSM addresses some additional goals: forcing usage of the key according to its purpose and policy, preventing usage of expired keys, etc. Correct me please if I'm wrong.
Vlad:
Can it be secure when there is no possibility to export to another HSM?
Vlad:
Here the author of an answer (in a comment below it) explains why it's secure to export a wrapped key to insecure storage and explains the goals of HSMs: https://crypto.stackexchange.com/questions/85693/exchanging-key-material-between-hsms-of-different-manufacturers/85706?noredirect=1#comment222699_85706 "You can store a wrapped key insecurely, without risking the key material directly. That's the point of wrapping. HSM may restrict what you can do with a wrapped key to prevent it from being used out of policy (e.g. for an unintended purpose, or after it's expired)."
SAI Peregrinus:
You understand correctly. An HSM allows a key to be used (since it's decrypted inside the HSM), while a wrapped exported key can't be directly used (since it's encrypted). The security of the HSM is physical; the security of the wrapping encryption is mathematical. Usually the physical security of the HSM is the weak point: a sufficiently motivated attacker with enough resources can eventually defeat the tamper resistance and break into any current HSM. It'd just take a LOT of money, usually on the order of millions of dollars. Less than breaking AES-CCM though!