by zaroth 3200 days ago
Yes, you need to know the password to decrypt. That's the basis of their very interesting PII protection scheme!

My point is you can brute-force the password without the HSM. And their docs specifically say this should not be possible. Isn't the whole point of the HSM to prevent that?

'hash' is derived from 'z2' and 'd' - and they give you 'd'. Password will produce 'z2'. So that's the brute-force attack.

To say it another way, the 'z1' path is secured. But there is the 'z2' path and it's wide open.


I've left a comment on your GitHub issue, but the tl;dr is that the encryption document doesn't seem to reflect the code. The comment in the Ruby test case suggests that the actual step is 'E = hash( Z2 + R )' instead of 'E = hash( Z2 + D )', where 'R' is the user's randomly generated 'AssignedKey' and 'D' is the masked HSM ciphertext 'KMS(R) ^ Z2'.

Perhaps somewhere during implementation someone realized the document doesn't make sense as written.
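A toy model of the two constructions the reply names, added here as an illustration and not taken from the project's code or either comment: it counts how many HSM calls a single password check needs under E = hash(Z2 + D) versus E = hash(Z2 + R), which is the difference the thread is arguing about. How Z2 is derived from the password, the salt, and the keyed transform standing in for KMS() are all assumptions.

```python
import hashlib
import hmac
import os

# Toy model of the two constructions named in the thread (constructed, not the project's code).
# Assumed: Z2 is a password KDF output (the thread does not say how Z2 is derived), '+' is byte
# concatenation, and KMS() is a keyed transform only the HSM can invert. Values are 32 bytes.
HSM_KEY = os.urandom(32)        # secret that never leaves the simulated HSM
KDF_SALT = b"constructed-salt"  # assumed public per-user salt
HSM_CALLS = 0                   # counts how often a verification had to go through the HSM


def z2_from_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), KDF_SALT, 10_000)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def kms(value):
    """Simulated HSM: XOR with a keystream bound to HSM_KEY; applying it twice unwraps."""
    global HSM_CALLS
    HSM_CALLS += 1
    return xor(value, hmac.new(HSM_KEY, b"keystream", hashlib.sha256).digest())


def enroll(password, variant):
    """What the server stores: D and E. R (the AssignedKey) and Z2 are discarded."""
    r = os.urandom(32)
    z2 = z2_from_password(password)
    d = xor(kms(r), z2)                            # D = KMS(R) ^ Z2
    tail = d if variant == "documented" else r     # E = hash(Z2 + D) vs E = hash(Z2 + R)
    return {"D": d, "E": hashlib.sha256(z2 + tail).digest()}


def verify(record, candidate, variant):
    """Recompute E for a candidate password from the stored record and compare."""
    z2 = z2_from_password(candidate)
    if variant == "documented":
        tail = record["D"]                         # everything needed is already in the record
    else:
        tail = kms(xor(record["D"], z2))           # R = KMS^-1(D ^ Z2): only the HSM can do this
    return hmac.compare_digest(hashlib.sha256(z2 + tail).digest(), record["E"])


def hsm_calls_per_check(variant, password, candidate):
    """Returns (check result, number of HSM calls the check needed)."""
    global HSM_CALLS
    record = enroll(password, variant)
    HSM_CALLS = 0
    return verify(record, candidate, variant), HSM_CALLS
```

With the documented form every check completes with zero HSM calls, so any HSM-side rate limiting never applies; with the form the test case implies, each check has to go through the HSM once.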