[gnutls-help] Using GnuTLS with an HSM

Horst Freiburger hfusa at web.de
Wed Jul 17 21:18:17 CEST 2013

I had a private conversation with Nikos. We decided to put this on the mailing list. Here are the results so far. The rest will be treated here...
The conversation so far:

 Hello Nikos!

No. That is a good idea! Maybe someone in the near future has the same problem, because TR-03109 in Germany will be very important for the German "Energiewende". What should I do so that this conversation will appear on the mailing list?

Today I analysed this flow chart a second time and it seems to be like the standard TLS handshake (except the thing with the HSM). The HSM has to do 5 steps in this handshake:

1. generate the random number ("ClientHello" - this step is solved with gnutls_handshake_set_random())
2. generate a Client-DH-EC-keypair for the DH-key-exchange during the handshake ("ClientKeyExchange")
3. calculate the pre-master-secret with the private Client-DH-Key and the public Server-DH-Key
4. calculate the signature of the All-Clients-Messages-Hash
5. verify the signature of the All-Servers-Message-Hash

Is there a way (other than directly changing the source code) to manipulate the gnutls_handshake()? (Something like overwriting the whole handshake with my own functions, where I can call the security-module-things. Or to redirect the relevant function calls in the real gnutls_handshake() to my functions) The HSM for TR-03109 doesn't exist either. So I want to do something like write these function prototypes in my program:
RANDOMNUMBER hsm_generate_randomnumber (); (for step 1)
DH_CLIENT_PUBKEY hsm_generate_dhec_keypair (); (for step 2)
DH_PMS hsm_generate_pms (DH_SERVER_PUBKEY); (for step 3)
SIG hsm_generate_signature (HASH); (for step 4)
BOOL hsm_verify_signature (HASH, SIGNATURE); (for step 5)
The Prototypes may differ in the final version. Just an example.

An example:
In the source code of lib\gnutls_handshake.c in the function static int _gnutls_send_client_hello (gnutls_session_t session, int again) something like this happens when called:
if (funktionPointerToHsm_generate_randomnumber != NULL)
    // call function and get the random number from there
else
    // do the normal way and calculate the random number with the gnutls functions

Similar at the other steps. (I know that for step 1 this way is not required because of gnutls_handshake_set_random(), but I just found the right position in the source code to explain.)

I read that you added a gnutls_handshake_set_hook_function() to GNUTLS. Maybe that is the right thing for my problem and that does exactly what I described above. But I'm not familiar with the gnutls_handshake_set_hook_function()-function yet. (Just started with GNUTLS 3 days ago). ;)

Sorry for the German document TR-03109. If you want I could post an English translation of this picture.

Thank you for your time and your answers!


Sent: Wednesday, 17 July 2013 at 14:03
From: "Nikos Mavrogiannopoulos" <nmav at gnutls.org>
To: "Horst Freiburger" <hfusa at web.de>
Subject: Re: Re: [gnutls-help] Using GnuTLS with an HSM
Hello Horst,
Would you mind to continue this conversation on the mailing list? I
think it is quite interesting for other parties that may use that
library that way?


On Tue, Jul 16, 2013 at 7:22 PM, Horst Freiburger <hfusa at web.de> wrote:
> Hello Nikos!
> Thank you very much for your help. That one with the Random-Number is very
> useful to me!
> I think my second question was explained in a very strange way by me. Sorry
> it was very late. ;)
> I'm just testing something for research by myself. I want to do a
> TLS-Handshake like it is explained in BSI TR-03109 (the German way of smart
> metering). The flow-diagram I want to realise is in
> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03109/TR03109-1.pdf
> on page 121. (Sorry this document is German but the TLS-Handshake looks
> nearly like a normal one except of the HSM "Sicherheitsmodul".)
> The SMGW-Administrator is the server. The Smart Meter Gateway is the client.
> The first thing with the random number "Generiere Zufallszahl A" was my
> first question. You just posted the solution! Thanks a lot! This is a TLS 1.2
> handshake with TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as the cipher suite.
> The flow chart says that the server generates an EC-Keypair and sends the
> public key of this pair to the client. The client sends this to the HSM. The
> HSM generates an EC-Keypair and calculates a master secret. The master secret
> and the public key of the clients key-pair will be sent to the server. Now
> the hashes over all messages will be calculated and so on...
> So I think it is something like a standard TLS-handshake because everything
> that the TR-03109 uses is standard. But I don't know where to look, to find
> the solution. The use of a HSM is quite new to me.
> Thank you for your time and your reply!
> Horst
> Sent: Tuesday, 16 July 2013 at 10:19
> From: "Nikos Mavrogiannopoulos" <nmav at gnutls.org>
> To: "Horst Freiburger" <hfusa at web.de>
> Cc: gnutls-help at lists.gnutls.org
> Subject: Re: [gnutls-help] Using GnuTLS with an HSM
> On 07/15/2013 10:22 PM, Horst Freiburger wrote:
>> Hi!
>> I'm quite new to TLS and GnuTLS. I want to use GnuTLS in a
>> client-server-project. I successfully have a TLS connection between the
>> client
>> and the server using GnuTLS. Because of the use of an HSM I have a few
>> requirements to GnuTLS and I'm not sure if GnuTLS is able to fulfil my
>> requirements.
>> 1. Before sending "Client Hello" the HSM is generating a random number.
>> This
>> random number should be used in the "Client Hello"-message.
> Hello Horst,
> That one yes. There is gnutls_handshake_set_random().
>> 2. After receiving "Server Key Exchange" from the Client should give the
>> Public
>> Key of the Server to the HSM. The HSM generates the pre-master secret.
> On which ciphersuite do you refer to, and which side? For example on
> server side and the RSA ciphersuite what your HSM does makes no sense.
> I've never seen this type of HSM. HSMs typically protect the long-term
> key of the server (or client), and for that provide operations on the
> key without exposing them. What does your HSM protect?
> regards,
> Nikos
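
Added example (not part of the thread and not GnuTLS code): for step 1 above, a check that the 32-byte value produced by the HSM and passed to gnutls_handshake_set_random() is the random that actually appears in the ClientHello on the wire. The function names, the stand-in HSM value and the sample record are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RANDOM_LEN 32  /* size of ClientHello.random in TLS 1.2 */

/* Copy ClientHello.random out of a raw TLS record; -1 if malformed. */
static int client_hello_random(const uint8_t *rec, size_t len, uint8_t out[RANDOM_LEN])
{
    /* record header: type(1) version(2) length(2); 0x16 = handshake */
    if (len < 5 || rec[0] != 0x16) return -1;
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    if (rec_len > len - 5) return -1;               /* truncated capture */
    /* handshake: msg_type(1) length(3) client_version(2) random(32) */
    const uint8_t *hs = rec + 5;
    if (rec_len < 4 + 2 + RANDOM_LEN || hs[0] != 0x01) return -1; /* 0x01 = client_hello */
    size_t hs_len = ((size_t)hs[1] << 16) | ((size_t)hs[2] << 8) | hs[3];
    if (hs_len < 2 + RANDOM_LEN) return -1;
    memcpy(out, hs + 4 + 2, RANDOM_LEN);
    return 0;
}

/* 1 if the random on the wire equals the value the HSM produced. */
static int random_matches_hsm(const uint8_t *rec, size_t len, const uint8_t hsm[RANDOM_LEN])
{
    uint8_t wire[RANDOM_LEN];
    if (client_hello_random(rec, len, wire) != 0) return 0;
    return memcmp(wire, hsm, RANDOM_LEN) == 0;  /* the random is public: plain memcmp is fine */
}

/* Constructed sample: minimal TLS 1.2 ClientHello offering suite 0xC023. */
static int check_sample(int tamper, size_t drop)
{
    static const uint8_t head[] = {0x16,0x03,0x03,0x00,0x2d, 0x01,0x00,0x00,0x29, 0x03,0x03};
    static const uint8_t tail[] = {0x00, 0x00,0x02,0xc0,0x23, 0x01,0x00};
    uint8_t hsm[RANDOM_LEN], rec[sizeof head + RANDOM_LEN + sizeof tail];
    for (int i = 0; i < RANDOM_LEN; i++) hsm[i] = (uint8_t)(0xA0 + i); /* stand-in for HSM output */
    memcpy(rec, head, sizeof head);
    memcpy(rec + sizeof head, hsm, RANDOM_LEN);
    memcpy(rec + sizeof head + RANDOM_LEN, tail, sizeof tail);
    if (tamper) rec[sizeof head + 7] ^= 0x01;   /* TLS stack used a different byte */
    return random_matches_hsm(rec, sizeof rec - drop, hsm);
}

int main(void)
{
    printf("intact=%d tampered=%d truncated=%d\n",
           check_sample(0, 0), check_sample(1, 0), check_sample(0, 10));
    return 0;
}
```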
