[openssl-users] OpenSSL engine and TPM usage.
Michael Ströder
michael at stroeder.com
Thu Oct 26 07:33:49 UTC 2017
Michael Richardson wrote:
>
> Jakob Bohm <jb-openssl at wisemo.com> wrote:
> >> I wanted to know when we use engine instance for encryption/decryption
> >> operation, can it be done selectively?
>
> > Please beware that many TPM chips were recently discovered to contain a
> > broken RSA key generation algorithm, so public/private key pairs
> > to be stored in the TPM should probably be generated off-chip (using
> > the OpenSSL software key generator) and imported into the chip,
> > contrary to what would have been best security practice without this
> > firmware bug.
>
> wow, further evidence that everything needs an upgrade path.

From the viewpoint of hardware vendors the upgrade path is selling new
hardware. It's simply like that. Not very sustainable...

Ciao, Michael.