5

I have to implement a custom key derivation function which basically works as follows:

I have an encryption key K in a secure container of an HSM. K can't be exported, and the only way to use it is through an HSM command or a PKCS#11 function.

The derived key DK is the output of encrypting data with key K, so DK = E(data, K).

My problem is that when I implement this function through commands or PKCS#11 functions, I get the clear text of DK outside of the HSM secure container. I need to secure the key so it never leaves the secure container.

Is it possible to implement custom functions, such as my derivation function, inside the secure container of the HSM so the output could be secured as a cryptographic key? How can I do it without getting the clear-text output of DK?

user1563721

1 Answer

6

Some HSMs are configurable enough to allow adding functionality within the HSM. However, this will not be doable through PKCS#11, which is an API meant for the invocation of cryptographic algorithms on externally provided data. What PKCS#11 offers that is closest to your problem is C_UnwrapKey(), which can take as input an encrypted key (a key encrypted with another key) and decrypt it. However, chances are that the custom key derivation function that you must implement does not match any of the key unwrapping formats that your HSM knows of (if only because you derive your key with encryption, not decryption).

As for extending the HSM functionalities, this happens outside of the scope of PKCS#11, so if this is supported at all by your HSM, it will be done with methods specific to that HSM. I have some experience with Thales HSMs (formerly known as "nCipher"): some of them allow custom code to be pushed into the HSM, provided that you activated (i.e. paid for) the relevant option, called CodeSafe. When I was doing that (now some years ago), development was done in C, with a much reduced subset of the standard library; the HSM CPU was not fast at all (think megahertz, not gigahertz); but there was a substantial amount of RAM (dozens of megabytes), and, most importantly, the cryptographic accelerators could be used for crypto operations.

Tom Leek
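The distinction the question and answer turn on is which PKCS#11 calls return key bytes to the host and which return only a handle to an object that stays in the token: C_Encrypt hands the result back in clear, whereas C_DeriveKey and C_UnwrapKey create a new token-resident object and hand back a handle, with CKA_SENSITIVE and CKA_EXTRACTABLE deciding whether its value can ever be read or wrapped out. The following is an added, constructed model of that boundary, written for this page and not code from the asker, from Tom Leek, or from any HSM vendor. It is not a PKCS#11 binding: the token is an in-process Python object, and the cipher E is stood in by HMAC-SHA256 purely so the file runs offline with the standard library. The mechanism and attribute names it quotes (CKM_AES_ECB_ENCRYPT_DATA, CKA_SENSITIVE, CKA_EXTRACTABLE, CKR_ATTRIBUTE_SENSITIVE) are real PKCS#11 names; whether a given HSM implements the derive-by-encryption mechanism is exactly the question to put to the vendor.

```python
"""Constructed model of the PKCS#11 handle-vs-bytes boundary.

Keys live inside a Token and callers hold only integer handles. E(data, K) is
stood in by HMAC-SHA256 so this runs with the standard library alone; the point
is where the derived key's bytes end up, not which cipher produced them.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


class TokenError(Exception):
    """Stand-in for a PKCS#11 CKR_* error return."""


@dataclass
class KeyObject:
    value: bytes          # only ever visible inside the token
    sensitive: bool       # CKA_SENSITIVE: value can never be read out
    extractable: bool     # CKA_EXTRACTABLE: value may be wrapped out


class Token:
    """Minimal model of a token: objects inside, handles outside."""

    def __init__(self):
        self._objects = {}
        self._next_handle = 1

    def _store(self, value, sensitive, extractable):
        handle = self._next_handle
        self._next_handle += 1
        self._objects[handle] = KeyObject(value, sensitive, extractable)
        return handle

    def generate_key(self, sensitive=True, extractable=False):
        """C_GenerateKey: K is created inside and never shown to the caller."""
        return self._store(os.urandom(32), sensitive, extractable)

    @staticmethod
    def _E(key, data):
        # Stand-in for block-cipher encryption E(data, K); see module docstring.
        return hmac.new(key, data, hashlib.sha256).digest()

    def encrypt(self, handle, data):
        """C_Encrypt: the ciphertext crosses the boundary as plain bytes.
        Used as a KDF, this is the path that leaks DK to the host."""
        return self._E(self._objects[handle].value, data)

    def derive_key(self, handle, data, sensitive=True, extractable=False):
        """C_DeriveKey with a CKM_AES_ECB_ENCRYPT_DATA-style mechanism:
        DK = E(data, K) is computed here, stored as a new object, and only
        the new handle is returned."""
        dk = self._E(self._objects[handle].value, data)
        return self._store(dk, sensitive, extractable)

    def get_value(self, handle):
        """C_GetAttributeValue(CKA_VALUE): refused for sensitive objects."""
        obj = self._objects[handle]
        if obj.sensitive:
            raise TokenError("CKR_ATTRIBUTE_SENSITIVE")
        return obj.value


def compare_paths(token, k_handle, data):
    """Run both ways of computing DK = E(data, K) and report what the host ends
    up holding: (leaked_dk_bytes, dk_handle, dk_value_readable, ciphertext).

    The ciphertext shows that the host can still *use* DK by handle (here, to
    encrypt a payload) without ever seeing its bytes.
    """
    leaked = token.encrypt(k_handle, data)        # host now holds DK in clear
    dk_handle = token.derive_key(k_handle, data)  # host holds only a handle
    try:
        token.get_value(dk_handle)
        readable = True
    except TokenError:
        readable = False
    ciphertext = token.encrypt(dk_handle, b"payload")
    return leaked, dk_handle, readable, ciphertext


if __name__ == "__main__":
    tok = Token()
    k = tok.generate_key()
    leaked, dk, readable, ct = compare_paths(tok, k, b"derivation context")
    print("C_Encrypt path leaked DK bytes to host:", leaked.hex())
    print("C_DeriveKey path returned handle", dk, "; CKA_VALUE readable:", readable)
    print("payload encrypted under DK via handle:", ct.hex())
```

The test below checks the two invariants the model is meant to show: the derived object holds exactly the bytes the C_Encrypt path would have leaked, and a sensitive, non-extractable derived key is usable by handle but cannot be read out, while a derived key created with CKA_SENSITIVE=false can.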