[openssl-users] OpenSSL engine and TPM usage.

Michael Ströder michael at stroeder.com
Thu Oct 26 07:33:49 UTC 2017


Michael Richardson wrote:
> 
> Jakob Bohm <jb-openssl at wisemo.com> wrote:
>     >> I wanted to know when we use engine instance for encryption/decryption
>     >> operation, can it be done selectively?
> 
>     > Please beware that many TPM chips were recently discovered to contain a
>     > broken RSA key generation algorithm, so public/private key pairs
>     > to be stored in the TPM should probably be generated off-chip (using
>     > the OpenSSL software key generator) and imported into the chip,
>     > contrary to what would have been best security practice without this
>     > firmware bug.
> 
> wow, further evidence that everything needs an upgrade path.

From the viewpoint of hardware vendors the upgrade path is selling new
hardware. It's simply like that. Not very sustainable...

Ciao, Michael.
