带HSM的对称加密密钥

Question

I want to use an HSM to encrypt/decrypt sensitive data I will be storing in my database. The HSM device / server can create symmetric and asymmetric keys. I want to store data with highest possible security. So I have two approaches:

1) Make HSM generate a public/private key pair and it will keep the private key inside it and it will never leave. Now I can create a random symmetric key per entry I want to encrypt. I encrypt the data with random AES key, encrypt the AES key with public key generated in HSM and store result of encrypted data + encrypted key data in each row in DB. Now everytime I want to access the data, I send encrypted key data to HSM, HSM will decrypt it and send me back the decrypted AES key, I use that to actually decrypt data.

2) Per row/per entry, I make HSM to generate AES key and store the symmetric key token in it. I send data in plaintext to it, it sends me back in encrypted form. Everytime I want to access the data, I send encrypted data to HSM and it will decrypt and send it back to me.

HSM server will be a professional and fast one like Thales, so it can handle the traffic with good speed (hopefully).

The thing with first one is I only have to login as SO (Security Officer) to generate and store my public/private key pair in HSM and from now on, I just have to login as Read only user. But its slower and lenghty process compared to number 2.

Number 2 (as far as I know) will require me to have SO access to device whole time.

What do you suggest? Please advise.

Answer 1

I'm not sure security advice like this is best suited here, but rather than splitting hairs I'll give some advice.

First of all, I like hybrid (RSA + AES) encryption better because you don't have to protect the public key to encrypt (as long as an attacker cannot replace it with their own public key) - and you may not need to provide a PIN. So this would give advantage to the first scheme.

To be very secure you would do better to wrap a AES data key instead of encrypting it. Wrapping and encrypting are basically the same thing, but after unwrapping the AES key becomes a HSM static or session key , still within the HSM where you can decrypt with it. Decrypting will return it into insecure memory of the PC. Decrypting on the PC is probably faster but decryption on the HSM is more secure and should be preferred.

You should normally only require SO access for admin tasks. Usually you should be able to create objects such as keys using user access. But in the end those kind of things depend on the HSM configuration.

Answer 2

Depending on the security settings, a Thales HSM will only create a public/private key pair when the device is Authenticated. This means you may not be able to create them as you need them.

A technique I have used is to pre-generated ~1000 public/private key pairs and store this in a keystore (database or otherwise) when the HSM is Authenticated. Then you can use a randomly selected key from the database without the HSM being Authenticated.

Note the HSM can typically only store 20 keys internally - which is why you may want to store them externally. This also works well if you have multiple HSMs that are load balanced.