Old PC as Hardware Security Module?

Casey Jones groups at caseyljones.net
Mon May 14 14:14:22 CEST 2007


Robert J. Hansen wrote:
>> Does anyone know of software available to make an old PC into something
>> like a hardware security module?
> 
> What particular type of HSM do you mean?

Basically I'm looking for something that does what the OpenPGP Card 
does, but with a button to limit signatures and decryptions. It could be 
implemented as just an application on a regular operating system running 
on a dedicated computer. I'm not willing to pay for something with 
intricate physical anti-tampering protection like the typical 
professional HSMs. I might try making a variation of the 
open-openpgp-card. My version might be USB or it might be like one of 
those homemade smart cards that are longer than a regular smart card so 
they can use a regular thickness microcontroller sticking out on the 
end. One like that would have room for a button. It would also save me 
having to boot a separate computer when I wanted to use it.

>> I can't stand the thought of storing my private key on my main computer.
>> I use my main computer for things like web browsing and email, which I
>> think puts its security in serious jeopardy. I think a separate computer
>> which has only a single function, would be a valuable increase in 
>> security.
> 
> I'm assuming you're doing something incredibly high-value, like storing 
> nuclear weapon release codes or voting data or mortgage contracts or 
> classified material or... etc.  If that's the case, then you need to 
> talk to a professional and not the sort of more or less anonymous advice 
> you're likely to get from a mailing list.
> 
> If you're not doing these incredibly high-value things, then you may 
> want to rethink your threat model.  This appears to be excessive 
> overkill for most threat models I can imagine.

It seems to me that there is a very significant chance that my system 
could get owned some time. I don't think it takes much more than a 
zero-day exploit in Firefox combined with a visit to the wrong site to get 
rooted. An exploit for Thunderbird in an email could also do it. Or 
worse, a buffer overflow in the TCP/IP stack like the one in OpenBSD 
recently. I don't know, but I'd think it would be common practice for a 
rootkit to install a keylogger and to send off copies of the private 
keys. Does that threat model make me paranoid? I don't think it does, 
but then paranoids often can't tell.

>> I've been considering getting an OpenPGP Card, but there are three
>> reasons I'm reluctant to. The main one is that I want something that
>> will only do one signature or decryption at a time. That way if my
>> machine is compromised, I'll only suffer one hit before I'll notice
>> something's wrong.
> 
> The OpenPGP card actually gives you a substantial advantage in this 
> situation.
> 
> Let's say that you're running GnuPG on a PC and I'm able to subvert the 
> box.  I put in a keylogger and snarf your passphrase.  I also copy your 
> private keyring and mailspool off the box.  I can now read your mail 
> without ever touching it, except to copy a couple of files and install a 
> small app.  You're none the wiser.
> 
> Compare this to an OpenPGP card, where I have to find you in a dark 
> alley and have a conversation with your kneecaps to get your card and 
> PIN.  You will most probably know that something has happened to you.

The OpenPGP Card is a valuable addition to security. But even with the 
OpenPGP Card, everything encrypted to your key on your computer could be 
exposed, even by an automated rootkit. And if you get targeted 
personally, signatures could be made from your key without your 
authorization.

>> There are two other minor issues. I'd prefer my keys be encrypted when
>> not in use, so that if my device falls into the wrong hands, I won't
>> have to worry too much. Does the OpenPGP Card encrypt the keys while
>> stored on the card?
> 
> To my understanding, the OpenPGP card is tamper-resistant.  That's not 
> to say it's tamper-proof, but it would require substantial work to get 
> access.  I would not worry too much if your card fell into the wrong 
> hands, unless those wrong hands happen to belong to a First World 
> intelligence service, a major international corporation, or some 
> ambitious CompSci or EE graduate students.

Yes, smart cards have pretty decent tamper protection for a low security 
application like mine. Although when I read Kommerling and Kuhn's 1999 
article
http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf
I was a little surprised how easily lightly-protected dies can be 
compromised.

>> Also, the OpenPGP Card appears to be from a German organization, like
>> the one that developed the Java Anonymous Proxy, and was forced by the
>> German government to back door the software. Does the German government
>> still consider it legal to force programmers to back door their
>> software?
> 
> You do know that Werner Koch, one of the central developers of GnuPG, is 
> German, right?  And that GnuPG at one point took some funding (long 
> since spent) from the German government?

I suspected by his name that he was German. I thought he might be well 
informed on the issue, and would comment. I'm not too worried about 
GnuPG because it's open source. But apparently the OpenPGP Card isn't.

> If you're concerned about Germany involving itself in the crypto 
> software business, you should probably not use GnuPG.  That said, I am 
> not concerned about this.

What makes you think the German government won't order the OpenPGP Card 
to be compromised? Either by FSFE or by ZeitControl. Hopefully they've 
got a law, or at least court precedent against that now.

>> With governments accusing each other of stealing proprietary
>> info and such
> 
> Governments accuse each other of stealing classified material.  
> Corporations accuse each other of stealing proprietary material.

I heard the EU accused the US of using Echelon to steal designs for 
windmills. I wouldn't be surprised if lots of countries do such things.


