Allow to externalize crypto operations to HSM #240
Comments
|
Thanks for the suggestion. HSM does improve security, however please understand that its impact is limited. HSM protects key storage, while what we need to protect is key use. Regarding Cloud HSM... I'm very cautious about having "cloud" and "HSM" on the same line. |
|
You are totally right, HSM is about storage of crypto material. Some people mix that up with securing key use. Cloud is another topic, I think most of nowadays servers are running in "the cloud" (whatever cloud means, could be also a private cloud or let's say a k8s cluster....). |
|
Yes, cloud HSM is cheap, the offers look really attractive. However, to access your HSM, you use your cloud credentials. The security you get is as good as the security of your cloud credentials, you don't get real "hardware grade" security. Second, keys are safely stored in HSM but key use is guarded by a cloud provider. Cloud HSM is so cheap because expensive hardware is shared among many clients. And while your key alone might not justify an attacker's effort of breaching a well-protected big cloud provider, many keys combined might make it worthwhile. With cloud HSM, we get centralization of sensitive key material, which creates systemic risks and might actually reduce security for everybody. |
Ideally not. Cloudproviders typically offer a way to allow one service to access another service based on some credentials-less policy model (e.g "EC2 profiles" in AWS)
To some extend I agree but again: security and cost always have to be somehow balanced. |
For better security, crypto operations should ideally be done on hardware --> HSM / Smartcard / ...
Standard for this is typically PKCS#11 (see https://en.wikipedia.org/wiki/PKCS_11)
This would be particularely required for witnesses
Example for ethereum transaction done with AWS Cloud HSM
https://ethereum.stackexchange.com/questions/73192/using-aws-cloudhsm-to-sign-transactions
The text was updated successfully, but these errors were encountered: