We have safenet HSM. Our system requires us to generate AES-256 keys. Which approach shall I take ?
Instruct HSM to generate AES keys.
Use HSM to create an input key material and use HKDF to derive keys.
HSM is supposed to be able to generate high quality keys. Is there a need for the second approach ?
On
I would like to present brief purpose but before that: Yes, HSM can already generate high quality AES keys. Internally, HSM uses its own Random Number Generator to achieve entropy. However, you can seed HSM with your own random numbers (normally, you can use a true random number generator(s) like QRNG from Idquantique). Using hardware like QRNG increases the randomness of your keys.
Next, deriving (like HKDF) can generate strong keys as well but in general, deriving techniques are used to generate session symmetric keys i.e., are used to perform some cryptographic operation (like encryption/decryption) for a particular context/entity.
For eg: You have a master key (like an AES key, intern generated by key exchange mechanism) and then you can derive this master key to generate session keys to encrypt/decrypt different entities. This was you are using different session keys to perform crypto graphic operations based on the context.
So for the 2nd point: either you use own keying material (hoping your key algos are strong enough) or use master key approach as outlined above.
In any case, you need to choose the mechanism based on the goal you are trying to achieve.
Looking at the RFC 5869 for HKDF, in the Information section :
Implying that if you were to use the HRNG (Hardware Random Number Generator) of the HSM and then used the HKDF, you would essentially be injecting
Pseudo-Randomnessinto your AES Key, which totally defeats the purpose.The option #1 becomes then obviously the right choice, otherwise the whole point of using the RNG of the HSM is defeated.