Adding HSM to bouncycastle TLS PSK


Fabian Eriksson

Hello!

 

Is there a way to hook an HSM (Hardware Security Module) into Bouncy Castle so that the pre-shared key never has to leave the HSM (as is currently required by the TlsPSKIdentityManager.getPSK method)? Right now you have to implement the TlsPSKIdentityManager interface and return the pre-shared key from the method “getPSK(byte[] identity)”, which means the pre-shared key has to leave the HSM. We tried a workaround for this by hooking into Bouncy Castle at an earlier part of the handshake flow by overriding the “receiveClientKeyExchangeMessage” method, which in turn calls “establishMasterSecret”, but we ended up with an error because the Bouncy Castle jar is signed:

java.lang.SecurityException: class "org.bouncycastle.tls.TlsServerProtocol"'s signer information does not match signer information of other classes in the same package

 

So what we would need is the alternative of providing our own “establishMasterSecret” method, in which we can fetch the master secret from an HSM instead of having it generated directly in the Bouncy Castle library. In other words, something similar to this:

context.getSecurityParameters().masterSecret = hsm.generateSessionKeys(pskIdentity, clientRandom, serverRandom, prfAlgorithm);

 

Is there a way to do this?

 

BR

Fabian Eriksson


Re: Adding HSM to bouncycastle TLS PSK

Peter Dettman
Hi Fabian,
This is certainly a scenario we would like to support. A lot of the
crypto was separated into the TlsCrypto API
(org.bouncycastle.tls.crypto) to allow things like this, but there's not
currently an API primitive for PSK stuff.

Having said that, we did add the TlsSecret concept to help in situations
like this, so what you are trying to do may be possible by returning an
alternative TlsKeyExchange implementation (e.g. a modified
TlsPSKKeyExchange) from TlsServer.getKeyExchange().

TlsKeyExchange.generatePreMasterSecret only has to return a TlsSecret,
and this is opaque, so it doesn't actually need to contain the literal
data. It just has to implement TlsSecret.deriveUsingPRF(prfAlgorithm,
labelSeed, length) to return the master secret.

So basically you implement TlsSecret as a sort of "remote handle" to the
HSM's data.

I hope that's not too confusing - let me know how you go, or if I can
explain it better, or if there's some roadblock I'm not seeing.

We'll still look at making this easier of course. I suspect it will
involve moving TlsPSKIdentityManager into the TlsCrypto API and changing
it to not expose the actual PSKs, similar in concept to what I describe
above.

Regards,
Pete Dettman


On 22/05/2017 9:09 PM, Fabian Eriksson wrote:

> Hello!____
>
> __ __
>
> Is there a way to hook in a HSM (Hardware Security Model) to bouncy
> castle so that the pre-shared key never have to leave the HSM (as
> currently required by the TlsPSKIdentityManager.getPSK method)? Right
> now you have to implement the TlsPSKIdentityManager interface and return
> the pre-shared key with the method “getPSK(byte[] identity)” which means
> the pre-shared key has to leave the HSM. We tried a work around for this
> by hooking into bouncy castle at an earlier part of the handshake-flow
> by overriding the “receiveClientKeyExcangeMessage”-method which in turn
> calls “establishMasterSecret”, but we ended up with an error because the
> bouncy castle jar is signed:____
>
> “java.lang.SecurityException: class
> "org.bouncycastle.tls.TlsServerProtocol"'s signer information does not
> match signer information of other classes in the same package”____
>
> __ __
>
> So what we would need is to have the alternative to create our own
> “establishMasterKey”-method where we can fetch the master secret from a
> HSM instead of being generated directly in the bouncy castle library. In
> other words, something similar to this:____
>
> context.getSecurityParameters().masterSecret =
> hsm.generateSessionKeys(pskIdentity, clientRandom, serverRandom,
> prfAlgorithm);____
>
> __ __
>
> Is there a way to do this?__
>
> __ __
>
> BR____
>
> Fabian Eriksson
>

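The following is an added illustration of the "remote handle" approach described in Pete's reply; it is not code from Bouncy Castle or from either poster. It compiles against the JDK plus the real org.bouncycastle.tls.PRFAlgorithm constant, but everything else is hypothetical: MockPskHsm stands in for a real HSM (it keeps secrets in numbered slots and releases only derived key material), HsmSecret mirrors the deriveUsingPRF(prfAlgorithm, labelSeed, length) / extract() / destroy() methods named in the reply rather than implementing the full TlsSecret interface (whose method list differs between bctls releases), and the PSK, identity and client/server randoms are constructed sample values. The wiring that is not shown, because TlsPSKKeyExchange's constructor arguments also vary by release, is the one-method override: a TlsPSKKeyExchange subclass returned from TlsServer.getKeyExchange() whose generatePreMasterSecret() returns an HsmSecret instead of bytes built from getPSK().

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.tls.PRFAlgorithm;   // the only bctls dependency: the real PRF identifier constant

/** Hypothetical stand-in for the HSM: secrets live in numbered slots and callers only ever hold slot numbers. */
final class MockPskHsm {
    private final Map<String, byte[]> psks = new HashMap<>();    // identity -> PSK, provisioned out of band
    private final Map<Integer, byte[]> slots = new HashMap<>();
    private final Map<Integer, Integer> depth = new HashMap<>(); // 0 = pre-master, 1 = master, 2+ = exportable
    private int nextSlot = 1;
    void loadPsk(String identity, byte[] psk) { psks.put(identity, psk.clone()); }
    /** RFC 4279 s2 plain-PSK pre-master secret: length-prefixed N zero bytes, then the length-prefixed PSK. */
    int preMasterSecretFor(String identity) {
        byte[] psk = psks.get(identity);
        if (psk == null) throw new IllegalArgumentException("unknown PSK identity");
        int n = psk.length;
        byte[] pms = new byte[4 + 2 * n];
        pms[0] = (byte) (n >>> 8); pms[1] = (byte) n;            // other_secret length; its N bytes stay zero
        pms[2 + n] = (byte) (n >>> 8); pms[3 + n] = (byte) n;    // psk length, followed by the PSK itself
        System.arraycopy(psk, 0, pms, 4 + n, n);
        return store(pms, 0);
    }
    /** RFC 5246 s5 PRF (P_SHA256) keyed by the slot's secret; labelSeed is label || seed, as BC passes it. */
    int derive(int slot, int prfAlgorithm, byte[] labelSeed, int length) {
        if (prfAlgorithm != PRFAlgorithm.tls_prf_sha256) throw new IllegalArgumentException("only the SHA-256 PRF is implemented");
        byte[] secret = slots.get(slot);
        if (secret == null) throw new IllegalStateException("slot already released");
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] out = new byte[length];
            byte[] a = labelSeed;                                // A(0) = seed
            for (int off = 0; off < length; ) {
                a = mac.doFinal(a);                              // A(i) = HMAC(secret, A(i-1)); doFinal resets the Mac
                mac.update(a);
                byte[] block = mac.doFinal(labelSeed);           // HMAC(secret, A(i) || seed)
                int take = Math.min(block.length, length - off);
                System.arraycopy(block, 0, out, off, take);
                off += take;
            }
            return store(out, depth.get(slot) + 1);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    /** Export policy: only depth-2 material (key block, Finished verify_data) ever leaves the "device". */
    byte[] export(int slot) {
        Integer d = depth.get(slot);
        if (d == null || d < 2) throw new SecurityException("pre-master and master secrets are not exportable");
        return slots.get(slot).clone();
    }
    void release(int slot) { byte[] s = slots.remove(slot); if (s != null) Arrays.fill(s, (byte) 0); depth.remove(slot); }
    private int store(byte[] s, int d) { int h = nextSlot++; slots.put(h, s); depth.put(h, d); return h; }
}

/** The "remote handle" from the reply: what a TlsPSKKeyExchange subclass returns from generatePreMasterSecret().
 *  Only the methods that matter are shown; implement the rest of your bctls version's TlsSecret interface
 *  (its method list varies between releases) to plug it in. */
final class HsmSecret {
    private final MockPskHsm hsm; private final int slot;
    HsmSecret(MockPskHsm hsm, int slot) { this.hsm = hsm; this.slot = slot; }
    /** BC calls this with "master secret" || client_random || server_random and length 48. */
    public HsmSecret deriveUsingPRF(int prfAlgorithm, byte[] labelSeed, int length) {
        return new HsmSecret(hsm, hsm.derive(slot, prfAlgorithm, labelSeed, length));
    }
    /** BC calls this on derived key material; the HSM refuses it for the pre-master and master secrets. */
    public byte[] extract() { return hsm.export(slot); }
    public void destroy() { hsm.release(slot); }
}

public final class HsmPskDemo {
    static byte[] concat(byte[]... parts) {
        ByteArrayOutputStream b = new ByteArrayOutputStream();
        for (byte[] p : parts) b.write(p, 0, p.length);
        return b.toByteArray();
    }
    public static void main(String[] args) {
        MockPskHsm hsm = new MockPskHsm();
        hsm.loadPsk("client-42", "constructed-sample-psk".getBytes(StandardCharsets.US_ASCII)); // constructed sample PSK
        byte[] clientRandom = new byte[32], serverRandom = new byte[32];                      // constructed randoms
        Arrays.fill(clientRandom, (byte) 0x11); Arrays.fill(serverRandom, (byte) 0x22);
        // Step 1: the handle generatePreMasterSecret() returns once ClientKeyExchange has named the identity.
        HsmSecret preMaster = new HsmSecret(hsm, hsm.preMasterSecretFor("client-42"));
        // Step 2: BC's master-secret derivation (RFC 5246 s8.1), now executed inside the HSM.
        byte[] msSeed = concat("master secret".getBytes(StandardCharsets.US_ASCII), clientRandom, serverRandom);
        HsmSecret master = preMaster.deriveUsingPRF(PRFAlgorithm.tls_prf_sha256, msSeed, 48);
        preMaster.destroy();
        // Step 3: key expansion (RFC 5246 s6.3); 104 bytes is the key block for TLS_PSK_WITH_AES_128_CBC_SHA.
        byte[] keSeed = concat("key expansion".getBytes(StandardCharsets.US_ASCII), serverRandom, clientRandom);
        byte[] keyBlock = master.deriveUsingPRF(PRFAlgorithm.tls_prf_sha256, keSeed, 104).extract();
        System.out.println("key block bytes released by the HSM: " + keyBlock.length);
        try { master.extract(); } catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```

The export policy is the point of the exercise: the pre-master secret (built in the RFC 4279 layout, so the PSK bytes still never appear outside the mock) and the 48-byte master secret are refused by extract(), while the key block that BC's record layer genuinely needs is released. Whatever the real device is, it has to implement the TLS 1.2 PRF over that exact pre-master layout; otherwise the derived master secret will not match the client's and the Finished verification will fail.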
