Building a hardware security module

secure

[Stefan] was nervous about putting the secret key for his Amazon Web Services account in his config file. In the security world, storing passwords in plain text is considered a very bad thing. but luckily there are ways around it. [Stefan]‘s solution was to make a hardware security module out of the newest ARM-powered Arduino Due.

The build puts the secret key for [Stefan]‘s AWS account right in the firmware of the Arduino Due (with the security bit on the Arduino flipped, of course). A Python web service then receives sign requests and talks to the Due over a serial port. The Due then signs the request and sends it off to another bit of Python code that handles the AWS API.

Hardware security modules are frequently used by three-letter government agencies to manage cryptography keys and ensure their data are encrypted properly. Instead of a hardware module costing tens of thousands of dollars, [Stefan]‘s only cost the price of an Arduino Due; not too shabby for a hardware security module that can sign more than 2000 requests per second.

Comments

  1. Erik says:

    Neat.

  2. hardcorefs says:

    About as secure as a HwaWei router………
    SHA1 has been ‘broken’ for years……

    • Bertho says:

      Ehm, you are referring to collisions in MD5 I assume. SHA has not had any /practical/ collision attack yet.

    • Alex Rossie says:

      Why is everyone so antsy about this.
      He’s not recommending Obama starts using it to encrypt his communications with the NSA or whatever.

      It’s being used for his personal uses and its a damn sight more secure than just leaving the key lying around…

  3. Preamp says:

    Be careful not to ‘break’ the hardware……

  4. Squonk42 says:

    Security bit? Decap IC using rosin (https://berlin.ccc.de/wiki/Experiment:_IC-Entkapselung_mit_Kolophonium), then restore the fuse (http://www.flylogic.net/blog/?p=176).

    Or search eBay for a Chinese company that can do it for you for a few $1000s…

    • let’s call that a “HSM” for the fun and the pleasure of building it, but a single consumer grade chip is clearly not a HSM.

      but security is always a money/risk compromise, if the protected thing is not worth the $1000s required to break the protection, then it’s safe…

  5. peter says:

    I assume he has ensured no timing attacks are viable on this or that the key is leaked through emissions. Also glitching or physical attacks to extract the key would be viable.there is a reason an HSM is expensive, they are tested to fips140, PCI and/or CC standard.
    For a personal website this is okay, for a major organization this is a regulatory and security failure.

  6. jpa says:

    This only stops the attacker from getting the plaintext password. If someone smuggles a trojan onto his PC, he can sign any requests anyway. (And this is a fundamental problem for which there is no easy solution – real systems usually verify the transaction contents on the HSM.)

  7. xorpunk says:

    I’ve done ARM based solutions before that did ECDSA and RSA handling all in a POP SDRAM and had a libusb solution do whatever I wanted with signing or encryption/decryption etc..

    Problem is you can’t get a license for ARM crypto SDK and the chips have no silicon protection secure ROM option if you’re not a major vendor… It’s a low class security solution at best…

  8. elwing says:

    that’s a nice build, but
    “a hardware module costing tens of thousands of dollars” most SAM used nowaday for transport or such application cost tens of dollars, not tens of thousands dollars…
    and the chip used are much harder to decap and readback due to various security mechanism preventing that, and some “obfuscation” in^the silicon layout…

    • xorpunk says:

      Drone silicon has ‘obfuscations’ and mesh complexity too, and third-world governments do complete RE inside a business week on them…

      As I said: even properly implemented this is a low class SOHO solution at best

      You could implement a bytecode VM in firmware and a PHY crypto protocol handler inside that, all on top of ARM domain handling, and I could still scrape data from a userland process dropped by a exploit with proper user…

  9. Couple of answers to what I read above:

    Yes, as I stated in the blog post, it is by no means a perfect solution. But it does raise the bar a lot. If you want an extra layer on top of this then you can add it. Grab the source. Submit a pull request please and I will include your improvements.

    AWS supports both SHA1 and SHA256. I chose SHA1 because I thought SHA256 was too heavy for the Arduino Due. I will actually implement that and see how much the difference is. Also, yes, weaknesses have been found in SHA1. But ‘SHA1 has been cracked’ simply shows a lack of knowledge about this specific domain. Please google that and you can read what ‘cracked’ really means.

    Please note that brute forcing the HMAC-SHA1 hash to get the AWS secret requires a plaintext message. Since all the AWS communication is over SSL, you would first need to do a much more sophisticated attack on the network infrastructure.

    The theoretical hardware attacks are fun. Several people have mentioned companies that can reset the secure bit. But nobody was able to give pointer to an actual company. I’m interested in learning more about this and if anyone has some real info for this specific chip then please forward.

    Also in the time that that it takes to physically break in and steal this Arduino, open the chip, reset the fuse I would probably notice that my lovely christmas present is missing or that the signing web service is failing because something has been unplugged.

    The nice thing about AWS credentials is that you can revoke them and generate new ones in about 15 seconds. Since it is only used to sign requests, the old keys are now useless as I have pushed the ‘Revoke’ button while you are still setting up your electron microscope.

    People, this is a weekend hack. Not a commercial grade FIPS compliant product. I had fun doing this and I learned a thing or two about the new ARM based Arduino.

    • Tyler says:

      Amen! And it’s neat!

    • ramriot says:

      Very nice project and nice reply to the flame-bait.

    • Reid says:

      Hi Stefan -

      Flylogic Engineering is one company that can decap ICs and reset their fuse bits (full disclosure, I work for IOActive, which bought Flylogic a few months ago). Their blog shows some chip teardowns, highlighting where the fuse bits are located for some CPUs.

      I agree though, it’s ‘great in theory,’ but in practice doing this is ineffective against most systems. In your case, you would definitely notice if a bad guy stole your hardware dongle and you would revoke the key that was stored on it, build a new module with a new key, and maybe put a new lock on your door :).

      Key management is quite a difficult task for most businesses. It’s very nice to see such a low-cost security token made open-source. Congrats on the cool project, Stefan, and thanks for posting the details about it!

    • elwing says:

      I can only agree with you, it’s definately a neat project, I was only reacting to HaD article that was stating that this is a good alternative to professional product costing “tens of thousands of dollars” when most sam solution are much secure and cost in the tens of dollars…

    • S says:

      Thanks for sharing It! It’s a very simple and well done proof of concept and is nice to see here cool projects like yours which I’d like be featured more often.

      But don’t be surprised when people reacts to generic statements like “It is questionable if recovery is possible at all.” and similar which are quite bold and surprising claims, specially comming from a “Security Tools Engineer at Mozilla”.

  10. ausserirdischegesund says:

    Would it be possible to port this to a teensy3?

  11. jklu says:

    Nicely done. I’m a bit curious why it would not be possible using an Arduino or a picaxe.

    Like mentioned security of a system depends on the weakest link.

    If you can’t trust the OS access controls on the platform accessing the HSM then adding a HSM being accessed by the same system only adds complexity but almost no security.

    One should take also take the AWS key management process into account. Using a HSM to store the AWS key and only using a password to be able to request a new key would also be out of balance. So Amazon’s dual factor is required too to restore the balance again.

    In summary: when evaluating a possible solution to mitigate a certain risk its advisable to get more insight in related risks. (unless of course you do it for just a hobby ;-))

    Last but not least: a cheap HSM can be had in the form of a USB security token:
    e.g. http://www.safenet-inc.com/products/data-protection/two-factor-authentication/etoken-pro/ whioch go for about 50 USD.

    These typically allow you to both inject keys and generate keypairs in the device and then use them in the same way as the poster did.

    • TD says:

      HA …. Don’t trust a SafeNet product. They are infected with Chinese hackers and refuse to do anything about it. The CIO closes her eyes and prays it away. Their source code is owned over and over again, and their internal security practices are non-existent. They have NO internal controls, and NO control over their infrastructure.

      ….and to think that most government agencies use them.

  12. Dovepistil says:

    If your “Arduino” code is small enough, or could be made small enough, consider a Digispark. If you haven’t seen one, these dirt cheap “femto Arduino” units feature a built in USB “A” connector, and the entire unit is very slightly larger than a standard USB “A” connector, at 0..69″ x 0.74″ x 0.18″. An ideal tiny “pocket fob” security key!

  13. Stefan Arentz says:

    You can do this on a smaller chip or arduino but keep in mind that the signing is cpu intensive and that you would need to accept relatively big messages and store those in memory.

    The Due with it’s Cortex-M3 is ideal because it has lots of power and memory.

    With some smart programming you can probably get this going on an ATmega but SHA1 was not really developed with 8-bit CPUs in mind, so that would be an interesting challenge.

  14. xorpunk says:

    I like how even light criticism is considered trolling and flaming here… I could of pointed out how it doesn’t meat 1-4 of the FIPS it claims to and that it can be dumped still both through OCD and GPIO…

    Too many people cutting corners on sensationalized projects, don’t blame the people giving honest opinions…

  15. Huckle says:

    Although it’s a neat hack, the premise is a bit moot considering Amazon has a Security Token Service and identity federation so you don’t have to put your secrets in source code.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s