
I’m investigating the possibility of offloading SSL to GCP Cloud KMS.
If we look at the guide https://cloud.google.com/kms/docs/reference/pkcs11-nginx we can see that an asymmetric-signing key is created in KMS.

gcloud kms keys create nginx-key --keyring "KEYRING" --project "PROJECT" \
  --location "LOCATION" --purpose "asymmetric-signing" \
  --default-algorithm "ec-sign-p256-sha256" --protection-level "hsm"

Then this signing key is used in NGINX:

        ssl_certificate "/etc/ssl/nginx/ca.cert";
        ssl_certificate_key "engine:pkcs11:pkcs11:object=nginx-key";

The question is how decryption is done in the SSL flow if we use only a signing key that can’t do decryption?

Thanks!


Answers


  1. Chosen as BEST ANSWER

    As can be seen, elliptic curve signing is used. So there is no decryption of a symmetric secret during the SSL handshake because a Diffie–Hellman key exchange scheme is used.


  2. An ephemeral session key is established during the SSL handshake and that key is used for the encryption of messages between the client and server. The KMS key is used during the handshake to prove (via signing) to the client that they are connected to the correct server.
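To make concrete what both answers describe, here is an added Go example (not from the question, the answers, or Google's PKCS#11 guide) that models the handshake: a stand-in for the KMS-held P-256 signing key that can only sign, an ephemeral ECDH exchange, and a client that verifies the server's signature over both key shares before deriving a session key. The `KMSSigner` type, the transcript format and the HMAC-based key derivation are simplifications of my own, not the TLS 1.3 key schedule or the Cloud KMS API; the point they show is that the long-term key is asked for a signature and nothing else.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// KMSSigner is a constructed stand-in for the Cloud KMS asymmetric-signing key
// behind the PKCS#11 engine (not the KMS API): it can sign, and nothing else.
type KMSSigner struct{ priv *ecdsa.PrivateKey }

// Sign mirrors ec-sign-p256-sha256: SHA-256 the message, ECDSA-sign the digest.
func (k *KMSSigner) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
}

// transcript is what the server signs: both ephemeral shares, so the signature
// covers this particular key exchange and not some reusable static value.
func transcript(clientShare, serverShare []byte) []byte {
	return append(append([]byte("demo-transcript:"), clientShare...), serverShare...)
}

// deriveSessionKey is a simplified HKDF-style step (HMAC keyed with the ECDH
// secret over the transcript); real TLS 1.3 runs the full key schedule.
func deriveSessionKey(shared, tr []byte) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write(tr)
	return m.Sum(nil)
}

// serverRespond derives the ECDH secret from an ephemeral key and asks the
// KMS-held key only to sign the transcript; nothing is ever decrypted with it.
func serverRespond(kms *KMSSigner, clientShare []byte) (share, sig, key []byte, err error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	peer, err := ecdh.P256().NewPublicKey(clientShare) // rejects off-curve points
	if err != nil {
		return nil, nil, nil, err
	}
	shared, err := eph.ECDH(peer)
	if err != nil {
		return nil, nil, nil, err
	}
	share = eph.PublicKey().Bytes()
	tr := transcript(clientShare, share)
	if sig, err = kms.Sign(tr); err != nil {
		return nil, nil, nil, err
	}
	return share, sig, deriveSessionKey(shared, tr), nil
}

// clientFinish checks the signature with the certificate's public key before
// completing ECDH, so a substituted share is rejected and no key is derived.
func clientFinish(eph *ecdh.PrivateKey, certKey *ecdsa.PublicKey, share, sig []byte) ([]byte, error) {
	tr := transcript(eph.PublicKey().Bytes(), share)
	digest := sha256.Sum256(tr)
	if !ecdsa.VerifyASN1(certKey, digest[:], sig) {
		return nil, errors.New("server share signature invalid; refusing to derive a session key")
	}
	peer, err := ecdh.P256().NewPublicKey(share)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return deriveSessionKey(shared, tr), nil
}

// RunHandshake runs the exchange and returns the client's and server's session
// keys. With tamper=true the server's share is altered after it was signed,
// which is exactly the case the client's signature check exists to catch.
func RunHandshake(tamper bool) (clientKey, serverKey []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the "KMS" key
	if err != nil {
		return nil, nil, err
	}
	clientEph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	share, sig, serverKey, err := serverRespond(&KMSSigner{priv: priv}, clientEph.PublicKey().Bytes())
	if err != nil {
		return nil, nil, err
	}
	if tamper {
		share[len(share)-1] ^= 0x01
	}
	clientKey, err = clientFinish(clientEph, &priv.PublicKey, share, sig)
	return clientKey, serverKey, err
}
```

`RunHandshake(false)` returns two identical 32-byte session keys that were never transmitted and never touched the signing key; `RunHandshake(true)` returns the client's error, because the signature no longer matches the altered share. The client deliberately verifies the signature before doing any ECDH work, which is the order a real TLS stack follows as well.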
