[openssl-users] OpenSSL Engine for TPM

Freemon Johnson freemonj at gmail.com
Fri Jul 7 17:00:39 UTC 2017


Agreed. I can't speak for the gentleman that originated this thread but in
my context the use case would be to store the keys/certs within the TPM
that's all.

Regards,
Freemon

On Fri, Jul 7, 2017 at 12:03 PM, Blumenthal, Uri - 0553 - MITLL <
uri at ll.mit.edu> wrote:

> And in most cases (except those involving TPM-based platform attestation,
> which I don’t think has anything to do with OpenSSL use cases),  a separate
> hardware token (like a smartcard, or an HSM) would IMHO be a much better
> and more usable choice. PKCS#11 engine (libp11) to access those is quite
> popular and work well.
>
> --
> Regards,
> Uri Blumenthal
>
> On 7/7/17, 11:53, "openssl-users on behalf of Michael Wojcik" <
> openssl-users-bounces at openssl.org on behalf of
> Michael.Wojcik at microfocus.com> wrote:
>
>     > agreed, but this engine  does not really put the keys inside the TPM
> - instead it sets up a local repository that is encrypted
>     > using a key from the TPM. If you look at the way it is designed, it
> is not really secure (as it's not impossible to find the
>     > password that was used to encrypt the keys with).
>
>     "really secure" is not a useful phrase. Security is a set of
> asymptotic trade-offs between attacker and defender work-factors under a
> threat model. Nothing ever achieves "really secure".
>
>     Even a hypothetical OpenSSL engine that performed all cryptographic
> operations on the TPM wouldn't achieve specified security under the TPM
> threat model unless the engine, all of OpenSSL, and whatever is invoking it
> were part of the TCB.
>
>     That said, there is certainly a case to be made that an OpenSSL engine
> which performed at least some crypto operations on the TPM is of at least
> academic interest. Someone might want to start with the Trousers engine and
> try extending it. (Enhancing an existing engine generally isn't
> particularly difficult, in my experience, though of course it depends on
> what you're trying to do and what APIs are available.) Or try writing a
> fresh TPM engine using, say, the Windows TPM API.
>
>     It might help to know what your use case is.
>
>     Michael Wojcik
>     Distinguished Engineer, Micro Focus
>
>
>     --
>     openssl-users mailing list
>     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170707/8723baf6/attachment-0001.html>


More information about the openssl-users mailing list