<div dir="ltr"><div><div><div><div>Hi Rickard (and all), sorry for holiday delay.<br></div><div><br>I know how PKCS#11 works, but im looking how HSM work.<br></div><div><br></div>IIUC, user talks to web, web talks to WService, WService talks with token.<br>
</div><div>Doesnt that break the rule of the "user being the only one having the PIN/access to key"<br><br></div><div>The other possibility is:<br>user attack pk11lib, pk11lib opens a secure tunnel to HSM<br>So the security is based on a local software key, which can be craked allowing someone to sniff around.<br>
</div><br></div>Am i right?<br></div><br><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 7, 2013 at 1:31 PM, Rickard Bellgrim <span dir="ltr"><<a href="mailto:rickard@opendnssec.org" target="_blank">rickard@opendnssec.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Your application will load a vendor specific PKCS#11 library. This library will expose the PKCS#11 function calls to your application. The communication to the HSM is handled internally by the library.<div>
<br>
</div><div>Objects (such as private keys) are stored in a so called token. Anyone with credentials to the token can access any object within that token. An HSM may have multiple tokens, thus being able to separate the users/applications into different compartments.<br>
<div class="gmail_extra"><br></div><div class="gmail_extra">In order to access your object, you must first load the correct PKCS#11 library, then open a session with a given slot/token, authenticate using your credentials, search for the object matching a particular set of attributes, and finally use the object for your crypto operations.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Certificates and keys for the users are usually stored in smart cards, which may be accessed using the PKCS#11 interface. Larger HSM:s are primarily for the root/issuing-CA when it comes to certificates.</div>
<span class="HOEnZb"><font color="#888888">
<div class="gmail_extra"><br></div></font></span><div class="gmail_extra"><span class="HOEnZb"><font color="#888888">// Rickard<br><br></font></span><div class="gmail_quote"><div><div class="h5">On Mon, Jun 24, 2013 at 12:42 PM, helpcrypto helpcrypto <span dir="ltr"><<a href="mailto:helpcrypto@gmail.com" target="_blank">helpcrypto@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div><div><div><div><div><div>Hi.<br><br><br></div>In my office, we are considering to use an HSM to store employees x509 certificates+keys.<br>
<br></div>I found [1] and [2] very interesting.<br></div>I have 2 questions, which i'll love somebody answers me. Thanks in advance.<br>
<br></div><br>If an HSM is used "online" through PKCS#11 API, how the user "select the key container". In other words: how i select my certificate and not the one from my neighbourgs ?<br><br></div>Is there any place with a price comparison chart or some information about HSM prices (instead of contacting each provider and ask).<br>
<br><br></div>Thanks a lot!<br><div><div><div><div><br><br>[1] <a href="https://wiki.opendnssec.org/display/DOCREF/HSM+Buyers%27+Guide" target="_blank">https://wiki.opendnssec.org/display/DOCREF/HSM+Buyers%27+Guide</a><br>
[2] <a href="http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf" target="_blank">http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf</a><br>
</div></div></div></div></div>
<br></div></div><div class="im">_______________________________________________<br>
Opendnssec-user mailing list<br>
<a href="mailto:Opendnssec-user@lists.opendnssec.org" target="_blank">Opendnssec-user@lists.opendnssec.org</a><br>
<a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
<br></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div>