Release 3.15.1299

Release date: 9 Apr 2020

Fix for Load Value Injection (LVI) vulnerability

In Mar 2020, Intel discovered a vulnerability in modern Intel processors which allows attackers to inject malicious data into applications via transient execution attacks and steal sensitive data. This vulnerability is called Load Value Injection (LVI). Full details of the vulnerability can be found on Intel’s write-up on LVI vulnerability.

SmartKey has been working urgently on a fix. This release includes the fix for this vulnerability.

New Features

HSM (Hardware Security Module) Gateway

For clients with traditional HSMs, SmartKey has added a new function where the physical HSM can be linked to a group in SmartKey. This function allows SmartKey to act as the interface where users can obtain their encryption keys and perform other cryptographic operations with the linked HSMs acting in the background.

Setting up crypto policies

This release has also added the ability to set up crypto policies. Crypto policies can be set up for either the group level or the account level. These policies will restrict the cryptographic type, size and operations that can be performed. For group, crypto policies are accessed from Groups > Info. For account, crypto policies are accessed from Account Settings > Crypto Policies.

In the Crypto policy screen, users will be able to select:

  • security object type
  • minimum key size (dependent on the security object type)
  • the cryptographic operations that are allowed

Plugin Library

Users can now browse and implement from a library of existing plugins.

Enhancements to existing functions

Change to workflow due to Crypto Policy feature

When creating a security object, the group selection has been moved to after security object name. Previously, users select the group at the end of create security object workflow. This change is because, of the crypto policy feature, the group’s crypto policy will define the possible security object type, size and operations that can be created and thus needs to be selected first before the user can proceed further.

Bug Fixes

  • For JCE (Java Cryptography Extension), there was a bug where certificates were not saved in the JCE library. This has now been fixed.
  • Fixed a timeout error when clicking on ‘Enable’ Two-step Authentication in Profile.

Quality of Life improvements

  • Improvements to smartkey-cli, download here.
    • proxy support has been added, Initialization Vector (IV) is no longer required for AES Key Wrapping/Key Wrapping with Padding (KW, KWP).
    • Additional parameters for agree key (key-type) and import object (key-ops , ec-curve)
    • Added option (–ssl-ca-cert) to pass custom CA certificate for SSL verification
  • Plugins from SmartKey are now allowed to make outbound REST API calls.
  • In the PKCS11 library, it will now avoid creating duplicate opaque objects. The updated PKCS11 library can be found here.