
Why I don't like smartcards, HSMs, YubiKeys, etc. - philipn
https://www.devever.net/~hl/smartcards
======
sofaofthedamned
HSMs are shit.

In a previous role we used a major vendor's HSM to protect our private keys.
VERY expensive kit, more expensive than the load balancers and servers
combined.

We needed to use Elliptic Curve keys for a particular customer - so it got
even more expensive as we had to buy:

1. A license from the LB vendor to use the HSM

2. A licence from the HSM vendor to use EC with the LB.

... even though they trumpeted these announcements of how radically great they
were together we found:

1. The integration didn't work, full stop.

2. The version of OpenSSL we had to use (supplied) was about 18 months out of
date

3. The specially b0rked version of OpenSSL supplied didn't support EC via an
HSM

Even better - when Heartbleed came out I had a patch from RedHat on day 1. The
load balancer?

Nope - nothing on their website - I had to create a ticket which said 'we are
aware of the issue', at which point the ticket was closed. I questioned this
and was told they couldn't keep it open, I had to create a new ticket every
few weeks to find out whether they'd actually deigned to assign a bug id to
the issue.

The HSM vendor just said nothing, zero, until a new version of the firmware
was silently released 4 months later.

The whole industry is shit. I'd rather have a farm of Yubikeys than one of
those HSMs.

~~~
pmarreck
Is there any way to do what an HSM does in software? (Maybe with OS support)

~~~
tjohns
If your definition of an HSM is just "hides my key material from my
application server", then sure. This is basically the idea behind HashiCorp's
Vault.

However, you'd still be vulnerable to someone gaining root access on your
Vault server. A true HSM uses physically secure memory and a dedicated
cryptoprocessor to make it impossible for the secret to ever be leaked, even
if the host OS is compromised. This isn't really something that's possible in
software alone.

(In fact, the Vault documentation even mentions that you might still want to
use a dedicated HSM for security, since they implement a pluggable mechanism
for secret storage.)

That said... you could use a TPM chip or ARM TrustZone to implement true TPM
functionality. It's still a hardware-based solution, but it's hardware that's
much more affordable and possibly already inside your computer.

~~~
helloiamaperson
take a look at my post from earlier:
[https://news.ycombinator.com/item?id=13031870](https://news.ycombinator.com/item?id=13031870)
. I'd be interested to hear your (and others') thoughts.

------
wzdd
Odd -- JavaCard smartcards are available for under $5, have crypto
co-processors, and certainly support general-purpose code. See for example my
project for KeePass,
[http://code.lardcave.net/2016/08/06/1/](http://code.lardcave.net/2016/08/06/1/).
After programming, you can choose to lock down the card (which means you can
only erase the card, not modify it). I'm using NXP chips and although I
haven't investigated completely I would be highly surprised if it was not
possible to get the tamper-resistant and cryptographic properties the author
is after.

There is an open-source toolchain for generating code for the card which works
great from OS X or Linux. Contactless writers are available on eBay for like
twenty bucks. And they will even work (via NFC) with Android phones.

It's a great time to be playing with contactless general-purpose smartcards.

~~~
kawsper
I even have a ring that runs JavaCard software on its JVM; they are sold for
cheap, and I bought one just for fun and history. There is an eBay listing
here: [http://www.ebay.co.uk/itm/JAVA-RING-RARE-Sun-Microsystems-JA...](http://www.ebay.co.uk/itm/JAVA-RING-RARE-Sun-Microsystems-JAVA-ONE-Promo-/300495374337)

~~~
hvidgaard
That seems like a great way to distribute some secret. Create an Arduino
reader for the ring, save the secret in a format that requires 3 out of 5
rings to reconstruct and store them apart.

Only the most persistent and knowledgeable about the ring will go through the
trouble to get the data off it.

------
SEJeff
So FWIW, I asked about how Redhat signs their packages some time ago (about
6-7 years ago!) and was introduced to Fedora's "Signing Server" service, which
is entirely open source. The email in full is:

    Hi Jeff, good to hear from you.

    There's really two parts to our signing server; the first is the
    separation of signing to a separate machine with the associated
    client/server and ACL controls, and the second is the interface to the
    nCipher HSM. The first part we've not made open because it's quite
    specific to Red Hat internal build systems and our kerberos setup.

    The second part is mostly straightforward use of nCipher utilities but
    includes a patch to GNUpg which I was originally going to make public
    but came into difficulty because it requires headers from the nCipher
    developer kit, and linking to it, and it's under a very non-compatible
    license. Given the cost of nCipher HSM units we didn't think other
    projects would want that solution either.

    So I'd actually prefer to point you to the work that has been done on
    a signing server for Fedora, which is open. See
    http://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer
    The Fedora folks looked into various hardware solutions too which were
    cheaper and didn't have the proprietary API issues, I can't find a
    link to that at the moment but Jesse Keating
    should be able to give you more info.

    Hope that's a good starting point...

If anyone is interested, the project is actually named Sigul and is located
at:

[https://fedorahosted.org/sigul/](https://fedorahosted.org/sigul/)

~~~
dalai
A blog post by Mozilla on the topic of package signing with an HSM:

[https://blog.mozilla.org/security/2013/02/13/using-cryptostick-as-an-hsm/](https://blog.mozilla.org/security/2013/02/13/using-cryptostick-as-an-hsm/)

------
danpalmer
I'd like to address the difference between a SmartCard and an HSM as I feel
like the author doesn't acknowledge some of the practical differences. While
at the core they are both "hardware security", i.e. a physical chip that
implements security, an "HSM" as I have commonly seen the term used is a
completely different thing in most other ways.

An HSM is typically a 1-2U server, that is designed to provide high throughput
of cryptographic operations. It is ultimately a collection of a few high
performance servers networked together, with some custom ICs - not just a
small chip. As a result, you pay up to tens of thousands of dollars for one,
because it's a piece of critical infrastructure that is made to high
tolerances. It's akin to buying hardware load balancers or firewall
appliances.

In addition to this, the validation process of an HSM is long. An HSM company
will likely have teams of hardware engineers, software engineers, and
specialised cryptography teams. There are audits for things like FIPS
compliance, as well as extensive pentesting by external companies. All of this
is expensive, to create a device that will never be mass market.

~~~
pzb
Both Smart Cards and HSMs can (and frequently do) contain FIPS validated
cryptographic modules and can be USB devices. What seems to set them apart is
content capacity and speed. An "HSM" can usually store dozens, hundreds, or
even tens of thousands of keys and can do numerous cryptographic operations
per second. Most "smart cards" can only store a few keys and frequently 1-2
operations per second.

Many HSMs also add advanced authentication capabilities, such as M-of-N access
control and/or hardware authenticators (e.g. you need 3 of 5 smart cards to
use the HSM). The other key feature usually found in HSMs but not smart cards
is backup/cloning without exporting the key (in PKCS#11 terms). This means
that the key can be moved between HSMs with all the protections in place. I've
yet to see a smart card that does this.
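
Both hvidgaard's "3 out of 5 rings" above and the "3 of 5 smart cards" M-of-N access control described here are threshold schemes, and the textbook construction is Shamir secret sharing. The following is an added illustration, not code from either commenter or from any HSM or card vendor: it splits a secret over the prime field mod 2^521-1 (an assumption chosen so secrets up to 64 bytes fit), with each share standing in for what one ring or card would hold.

```python
import secrets

# Field for the polynomial arithmetic: the Mersenne prime 2^521 - 1, so any
# secret of up to 64 bytes encodes as one field element (choice for this example).
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares):
    """Shamir split: returns `shares` points (x, y). Any `threshold` of them
    recover the secret; fewer reveal nothing about it."""
    if not 1 <= threshold <= shares or len(secret) > MAX_SECRET_BYTES:
        raise ValueError("bad threshold/share count or secret too long")
    # The secret is the constant term; the remaining coefficients are random.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 would be the secret itself, so shares are taken at x = 1..shares.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def interpolate_at_zero(points):
    """Lagrange interpolation at x = 0 over PRIME. Gives the secret only when
    at least `threshold` distinct points are supplied; otherwise a random value."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Basis polynomial l_i(0) = prod(-x_j) / prod(x_i - x_j), inverse via Fermat.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_secret(points, secret_len):
    """Recombine shares into the original secret bytes."""
    value = interpolate_at_zero(points)
    if value >= 256**secret_len:
        raise ValueError("too few (or wrong) shares: value does not fit")
    return value.to_bytes(secret_len, "big")


if __name__ == "__main__":
    # Constructed sample: a 32-byte "master key" split so that any 3 of 5
    # rings/cards together hold enough to rebuild it.
    master = secrets.token_bytes(32)
    ring_shares = split_secret(master, threshold=3, shares=5)
    subset = [ring_shares[0], ring_shares[2], ring_shares[4]]
    assert recover_secret(subset, 32) == master
    print("3 of 5 shares recovered the key")
```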

~~~
amluto
> The other key feature usually found in HSMs but not smart cards is
> backup/cloning without exporting the key (in PKCS#11 terms). This means that
> the key can be moved between HSMs with all the protections in place. I've
> yet to see a smart card that does this.

How does this work? Can an attacker buy an identical HSM, back up the key, and
restore it onto the new HSM?

~~~
nicolas314
Theoretically yes, though you would have to explicitly switch the original HSM
into backup mode, an operation that requires one or more admins to be present
and strongly authenticated, most often with smart cards.

------
georgyo
He mentions yubikey in the title, but then nowhere else. The Yubikey Neo seems
to be pretty close to his target device. The Yubikey 4 removed the ability to
write new apps.

The stuff about the NDA I do find alarming. In order to write "secure"
programs for the chip on the Yubikey, you must have an NDA with the
manufacturer. In fact the open source pgpcard app for the Yubikey is different
than what ships with the Yubikey because they can't open source the secure
bits. Which is a bit upsetting. So uploading the open source version weakens
your security.

That said, having my keys there still gives me a much higher degree of security
than an encrypted file on my computer. Malware may be able to get my PIN, but
not my keys.

~~~
closeparen
When I dug into the smart card scene, it was clearly a world meant for
enterprises that make deals on golf courses. The official specs, SDKs, etc.
for the hardware are sold for many thousands under "call us" licensing and NDA
from NXP. There are some working GPG applets but the open source PKI applets
are all abandonware; you're meant to license one (Windows only, of course)
from Gemalto, also a "call us" deal.

I've seen some references to anti-side-channel techniques that are trade
secret or patented or both. I think you can only get them in a Windows-based
"solution" deployed by consultants who are authorized resellers of these
companies.

Yubikey has done an incredible thing in democratizing the technology as far as
they have for smaller-scale, Linux and Mac-centric users. It's shitty, but
don't blame Yubikey.

------
lisper
This site is down so I was not able to read the original article, but I would
like to take this opportunity to draw HN's attention to my current project:

[https://sc4.us/hsm](https://sc4.us/hsm)

It's a fully open USB HSM based on an STM32F405 SoC. Includes an HWRNG, 1MB
Flash, and 196k of RAM. Currently runs TweetNaCl and also functions as a FIDO
U2F token. Technical details are here:

[https://sc4.us/hsm/manual.html](https://sc4.us/hsm/manual.html)

Currently out of stock but we will be shipping again in early January.

~~~
saganus
I'm interested in buying a couple of these.

However, I'm wondering if there's a way I can also use it as a TOTP to replace
my Google Authenticator app for several accounts? I don't really like having
it in the phone because when I lose it I need to reset everything and it's a
pain.

Is it possible with SC4 to achieve this functionality?

~~~
lisper
Also... why do you want TOTP rather than U2F? U2F is better in every way
(unless you don't have access to a USB port).

~~~
saganus
Well, mostly because of those services that only implement TOTP, in particular
those that I can use with my Google Authenticator App.

My use case is this. I have several business accounts (Heroku, Cloudinary,
etc) that I like to enable 2FA on but which only support TOTP. I usually add
those accounts to my Google Authenticator App and all is fine.

Except when I lose/wipe my phone, which happened recently. Then I have to go
around resetting the 2FA setting, then re-enabling it with the new phone.

After a quick search, I found almost no solutions that fit this. Except
something like [0]. I would love to buy let's say, 2 of those for each account
I want to enable 2FA on, I keep one in the safe and the other one for regular
use.

So then I remembered about SC4 and thought that if I can do TOTP on it, I can
just buy 2 and put all my seeds there (or so I was thinking) and use that
instead of the phone.

That was my reasoning. Maybe I'm doing something wrong here, but I would love
to be able to de-couple 2FA from my phone for my business accounts... I guess
it's not a common use case?

[0] [https://www.protectimus.com/protectimus-slim-mini](https://www.protectimus.com/protectimus-slim-mini)

~~~
lisper
I see. Yes, you are right that one SC4-HSM can store multiple keys. The only
missing piece is the time. The simplest solution is to feed the time into the
HSM from some external source, like a custom driver or a command line. Would
that work for you?

Adding an RTC to the hardware is probably not viable. It would increase the
cost too much. (If I were selling millions of units that would be different,
but that hasn't happened yet.)

Another possible solution is to lobby the sites you care about to implement
U2F. It's not particularly difficult. I wrote some minimalist reference code
that you/they can find here:

[https://github.com/rongarret/u2f-test/](https://github.com/rongarret/u2f-test/)

And of course you can always point them in my direction if they want to hire a
consultant :-)
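
The arrangement described in this exchange, several TOTP seeds held on a token that has no clock of its own and is fed the time by the host, as an added example (not SC4-HSM code and not its real interface; `ClocklessToken` and `provision_pair` are hypothetical names for this illustration). The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238, so the RFC test seed can be used to check it.

```python
import hashlib
import hmac
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the supplied time."""
    return hotp(seed, unix_time // step, digits)


class ClocklessToken:
    """Hypothetical model of a token without an RTC: it keeps the seeds, the
    host keeps the clock and passes the time in with every request."""

    def __init__(self):
        self._seeds = {}

    def provision(self, account, seed):
        # Written once at enrolment; the token never hands the seed back out.
        self._seeds[account] = bytes(seed)

    def accounts(self):
        return sorted(self._seeds)

    def code_for(self, account, unix_time, step=30, digits=6):
        # The only host-controlled input is the time. A skewed or lying host
        # clock just produces a code the service will reject; the seed stays put.
        return totp(self._seeds[account], int(unix_time), step, digits)


def provision_pair(seeds):
    """Enrol the same seeds on two tokens (one for daily use, one for the safe),
    the "buy 2 and put all my seeds there" setup the poster above wants."""
    primary, backup = ClocklessToken(), ClocklessToken()
    for account, seed in seeds.items():
        primary.provision(account, seed)
        backup.provision(account, seed)
    return primary, backup


if __name__ == "__main__":
    import time
    # Constructed sample seed (the RFC 6238 test seed), not a real account secret.
    primary, backup = provision_pair({"example-service": b"12345678901234567890"})
    now = int(time.time())  # the host, not the token, supplies the clock
    print(primary.code_for("example-service", now),
          backup.code_for("example-service", now))
```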

------
Cyph0n
The issue of affordable HSM/TPM for general purpose use is something my
research group is trying to solve. We have most of the theory down, but the
implementation is a work in progress. The key point is trying to maintain full
physical isolation from the CPU and OS, while also providing general low-level
computing capabilities.

Do you guys think something like this could be patented and/or commercialized?

~~~
ci5er
IBM's Citadel project and Doug Tygar's group at CMU researched crypto
co-processors about 20 years ago. You can still find Bennet Yee's PhD thesis
online. It and its bibliographical references gave a pretty good overview of
the lay-of-the-land at that time. You'd think that the theory might have
progressed some since then, but theory doesn't progress as fast as a front-end
development framework...

Bad memories of how touchy these babies were when they first came out:

- http://www-03.ibm.com/security/cryptocards/pciecc2/overview.shtml

EDIT: What the hell. Here's Bennet Yee's PhD thesis. So you don't have to
convert it from PostScript. (That said - this is a nasty image scan - you
might want to do that anyway!)

- http://www.dtic.mil/dtic/tr/fulltext/u2/a281255.pdf

I don't think I'm going to be able to dig around for the extant Usenix papers
from that era on the topic right now.

~~~
Cyph0n
I read through Tygar and Yee's paper on secure boot during my research. Their
work was very good to be frank. They foresaw most of the recent developments
in TPM design, which I thought was quite impressive.

~~~
ci5er
Oh - cool. It wasn't clear to me from your top-level comment how far back
you'd gone. Even though it's old, I still think it's pretty good, and thought
you should be made aware if you weren't already. Good to see that you're "on
it"!

~~~
Cyph0n
Thanks for mentioning it regardless! I guess you are bound to miss something
when sifting through past work on a topic.

------
sigil
Has the author seen the SC4-HSM I wonder?
[https://sc4.us/hsm/](https://sc4.us/hsm/)

Show HN thread:
[https://news.ycombinator.com/item?id=12053181](https://news.ycombinator.com/item?id=12053181)

------
kmad
How does something like the U2F Zero[1] compare?

As I understand it, the u2f zero acts as an HID device and not as a smartcard
provider, but could one modify the firmware to do that? Isn't this basically
an open source yubikey you can make yourself for < $25?

1. [https://github.com/conorpp/u2f-zero](https://github.com/conorpp/u2f-zero)

------
appleflaxen
This is the key quote:

    The feature table also lists various supported applications, demonstrating
    the interest of the manufacturer in programming the device for specific
    applications, rather than providing a platform for others to do so. (Imagine
    if manufacturers of USB drives made USB drives for text files and USB drives
    for image files and USB drives for MP3 files and so on, and the idea of
    selling a USB block device was alien to these people. If you wanted to store
    a new kind of file on a USB drive, you had to convince the manufacturer to
    implement support for it.) The draw of the Nitrokey then is the possibility
    the manufacturer merely incidentally allows alternate firmware to be
    flashed, rather than the manufacturer explicitly capitalising on the
    premise of an HSM as a general-purpose platform.

Great point, and completely lost on manufacturers.

------
hlandau
I'm the author of the article.

After musing on the comments here I wrote a followup about improv HSMs. These
aren't tamperproof and as such are suitable for use in secure datacentres
only.
[https://www.devever.net/~hl/improvhsm](https://www.devever.net/~hl/improvhsm)

------
pzb
The author brings up many reasonable points but seems to mix issues of HSMs &
Smart Cards not providing a generic open hardware platform with possible
security problems of a platform.

There is no question that there would be value in having a hardware platform
that has certain security features, but that alone doesn't meet the
requirements of most users of HSMs and Smart cards. The primary use cases I've
seen are allowing a third party to have assurance of protection of data stored
in the device and assurance of the rules for accessing the data. In most cases
this assurance comes from a combination of the hardware itself and the
software/firmware running on the hardware. A hardware platform only solves
half the problem that most purchasers of HSMs and smart cards are asking
vendors to solve.

~~~
jaas
"A hardware platform only solves half the problem that most purchasers of HSMs
and smart cards are asking vendors to solve."

A hardware platform alone solves less than half the problem for many HSM
buyers, myself included. There's also software, then there's support. HSMs, at
least the kind we use, are niche products because relatively few people have
reasons to operate them (they're not cheap either). There aren't a lot of
people who know how to use them well. We need to be able to get support on the
phone 24/7/365 to deal with problems that come up because like most people who
own HSMs, they are critical to the functioning of our systems.

Just throwing this out there to remind people interested in open HSMs (a fine
idea) that at least when it comes to most people buying HSMs today, there
needs to be an organization backing the product with good support. Otherwise
it's probably a non-starter for critical systems.

~~~
hlandau
These are valid concerns, but they're not good reasons not to provide general-
purpose compute HSMs. If you want an external company to have certified the
software, the _policy_ which goes on a general-purpose HSM, that may be
entirely sensible from a business perspective; I'm sure if general-purpose
HSMs were a thing, with standard HSM platforms, such certified programs would
be available on the market. Many would probably be made by the manufacturers
of the HSMs themselves, providing a vertically integrated solution,
support-wise.

Fulfilling this market, with the need for the outsourcing of liability, etc.
is not mutually exclusive with providing general-purpose HSMs.

------
Spooky23
The author is not thinking about why these things are built and marketed as
they are.

The use case for the smart card is different than an HSM with FIPS 140-2 level
3 or 4 validation. The whole point is to operate in a tested, known valid
state while resisting tampering. The higher level devices are filled with
epoxy and have other anti-tampering features.

A smartcard is most often a form of MFA. It can be used as an HSM of sorts,
but offers limited benefit for that purpose.

~~~
hlandau
Yes, I know. I _want_ those anti-tamper features, and I want to be able to
take advantage of them to secure cryptographic policies designed and coded by
myself or other people in the open source community. And of course I would be
free to audit that code before making use of it.

And if you don't think a secure tamperproof general-purpose Turing-complete
execution environment in a compact form factor with a contactless
induction-powered interface isn't an interesting opportunity for innovation, I
really don't know what to say.

------
konstmonst
What is the problem with taking a $10 stm32f discovery board and using it as a
TPM? There are different flash protections:

1) you can read/write flash via JTAG

2) you can only write flash, but not read the old one

3) you can't rewrite flash, neither can you read it.

You will still have to implement USB communication, but there is already a lib
from STM for it. Some models also have generous flash (in MB ranges).

You can use internal SRAM, which is more than enough, and use the AES
acceleration peripheral. One can attach an SD card and use SPI + DMA + AES
peripheral to shuffle data along if one needs a lot of storage.

~~~
kosma
Send me a locked STM32F1 chip and I'll send you back the binary contained in
it. Not kidding. The problem with general purpose MCUs is that they are
_trivial_ to break.

~~~
lisper
Can you do that with an F4? If so, I'd like to take you up on your offer. I'll
even pay you if you tell me how you did it.

~~~
kosma
Security on F4 is way better. I haven't found a way to circumvent the JTAG
fuse - but to be honest, I never really tried as I don't have access to proper
glitching hardware.

~~~
lisper
What would you need?

~~~
kosma
A ChipWhisperer and some boring winter weekends, probably. I don't break these
for cash or fame; it's just for fun.

~~~
lisper
> A ChipWhisperer

OK, you've got it. Where should I have it sent?

------
nailer
Since zooming won't fix the line width, here's a quick fix - paste into the
console:

    var article = document.querySelector('article');
    article.style['max-width'] = '650px';
    article.style['margin'] = '0 auto';

------
bogomipz
The OP states:

"Smartcards and HSMs are essentially two “brands” for the same thing: a chip
which guards access to the data stored within it, and will only allow that
data to be accessed in certain ways or under certain conditions. HSMs are the
“enterprise” label for such devices, whereas smartcards are essentially the
same thing, only cheaper."

Yubikey (mentioned in the title) is a TOTP card that works with the HSM on the
far end though. They serve different purposes. You load the tokens into the
HSM device.

They aren't the same thing. What am I missing?

~~~
brassic
An HSM consists of some secure memory to store a secret and a program, and a
processor to run the program to perform computations using the secret.

A Yubikey consists of some secure memory to store a secret and a program, and
a processor to run the program to perform computations using the secret.

The programs are different but they are basically the same thing. The author
wonders why there isn't a simple general purpose gadget you can load your own
program on to. As long as the action of loading a program clears existing
secrets, the device could be secure.

Or to put it another way, consider a Raspberry Pi acting as a router and as a
Raspberry Pi acting as a media streamer. They have completely different
purposes, but they are the same thing.

~~~
bogomipz
I see, thanks for the clarification. That makes sense.

------
kevhito
This is a somewhat older rant (at least 2015, I think). And the title is
misleading. It is really "Why I wish there were a product similar to but
different than smartcards, HSMs, YubiKeys, etc." Because there isn't much in
there that argues why smartcards (or yubikeys, etc.) are not good at what they
do. The author just wants a different thing, and doesn't understand why this
fantasy product doesn't exist.

~~~
gcb0
You missed the point, which is easy because the author is mostly rambling :)

The irony is that smart cards and even the SIM cards in your phone are already
general secure computers. The problem is that only by spending a lot of money
and signing your life away on an NDA can you have access to them. The result:
inefficiency beyond belief.

------
nehcsivart
As with many things, the business decisions that make sense usually
override the technical decisions that make sense.

------
AgentME
It's not exactly in small card form, but someone looking for a general-purpose
programmable tamper-proof computer might be interested in the ORWL:
[https://www.crowdsupply.com/design-shift/orwl](https://www.crowdsupply.com/design-shift/orwl)

------
audunw
For the microchip itself, I'm pretty sure this already exists.

Try looking at nRF52. It has NFC, Bluetooth radio, and hardware RNG. I'm
pretty sure it has the features he asks for (firmware can lock down and block
reading/writing from the debug port, but debug can always do a complete
erase/reset of the chip).

A future SKU will probably have USB as well.

The only problem is it is probably too power hungry to be powered by the NFC
radio waves itself. And that is probably true for anything with a powerful
ARM microcontroller.

Maybe it'd be best to use a microcontroller with ARM TrustZone as well though.
That should help bring the security of the device up to a more acceptable
level.

------
jmgrosen
What about the FST-01? It's what I use and it works pretty well in my
experience.
[http://wiki.seeedstudio.com/wiki/FST-01](http://wiki.seeedstudio.com/wiki/FST-01)

~~~
rincebrain
FST-01 is an STM32F1-based board, which according to [1] can be dumped fairly
cheaply.

[1] -
[https://news.ycombinator.com/item?id=13031484](https://news.ycombinator.com/item?id=13031484)

------
dredmorbius
HSM: Hardware security module

[https://en.m.wikipedia.org/wiki/Hardware_security_module](https://en.m.wikipedia.org/wiki/Hardware_security_module)

Please expand your acronyms.

------
StavrosK
Isn't the Fidesmo card what he wants? You can write JavaCard applications for
it and run them within the secure element, as far as I know.

------
suchabag
Would that answer OP's needs: [https://www.ledgerwallet.com/products/9-ledger-blue](https://www.ledgerwallet.com/products/9-ledger-blue) ?

------
aftbit
Could something like this be built using ARM's TrustZone features?

~~~
nicolas314
Nope, TrustZone is not tamperproof and cannot resist determined attackers who
have access to the hardware. HSMs and smart cards are designed precisely to
cover this use case.

------
akytt
The statement that "all HSMs and smartcards are the same" shows limited
understanding. High-end HSMs can take 1000s of hits per second, a smartcard
only a few.

~~~
guitarbill
why would this distinction result in a new name? my consumer switch and an
enterprise switch are both switches, because that's what they do. or e.g. all
cars, it doesn't matter if it's a ferrari or a lada, it's still a car.

------
matthiasb
I am curious to hear why the device you are looking for should be a compact
and portable device. You listed it as your very first requirement so it must
be a must-have.

------
JimmaDaRustla
Does this guy realize you can buy PCI HSM devices that fit what he describes?

~~~
rhizome
Post first, UPDATE later.

------
mtgx
Speaking of which, whatever happened to Google's Project Vault? Did it die
after Mudge quit Google? It looked so promising.

[https://www.youtube.com/watch?v=V6qrQzn8uBo](https://www.youtube.com/watch?v=V6qrQzn8uBo)

------
reffaelwallen
Do you also not like CSS?

------
gravypod
I'm quite a big fan of OP's work and I think that if they take some time with
JavaScript they will change their "Let me be clear about this: JavaScript
sucks. It's not the worst, but it's also not by any means good" opinion.

Check out JavaScript the Good Parts. It's a great language hidden under a
layer of horrible horrible design choices.

