I’m investigating possibility to offload SSL to GCP Cloud KMS.
If we look at a guide https://cloud.google.com/kms/docs/reference/pkcs11-nginx we can see that asymmetric-signing key is created in KMS.
gcloud kms keys create nginx-key --keyring "KEYRING" --project "PROJECT"
--location "LOCATION" --purpose "asymmetric-signing"
--default-algorithm "ec-sign-p256-sha256" --protection-level "hsm"
Then this signing key is used in NGINX:
ssl_certificate "/etc/ssl/nginx/ca.cert";
ssl_certificate_key "engine:pkcs11:pkcs11:object=nginx-key";
The questing is how decryption is done in SSL flow if we use only signing key that can’t do decryption?
Thanks!
2
Answers
As can be seen ecliptic curve signing is used. So, there is no decryption of symmetric secret during SSL handshake because Diffie–Hellman key exchange schema is used.
A ephermeral session key is established during the SSL handshake and that key is used for the encryption of messages between the client and server. The KMS key is used durting the handshake to prove (via signing) to the client that they are connected to the correct server.