[Opendnssec-user] A Review of Hardware Security Modules

Rickard Bellgrim rickard.bellgrim at iis.se
Wed Jan 12 07:36:12 UTC 2011


Hi

We would like to present the report "A Review of Hardware Security Modules" that was published today.

This report describes a technical review of four leading network-based Hardware Security Modules performed during the fall of 2010. When deriving the review point set, the focus was primarily on security features and functionality used for DNSSEC applications. However, the more interesting findings were in different areas such as usability and management procedures.

Generally, all the modules work as expected and offer the necessary functionality one needs from a secure crypto processor. Which HSM to choose depends on budget, the deployment scenario, performance requirements and other application-specific facts. From an application perspective, the PKCS#11 interface worked in an exemplary manner on all modules. Once set up, we hardly experienced any problems with the interface. The only issue worth mentioning is the fact that we needed to execute several concurrent threads (for all modules) in order to achieve a decent HSM CPU load.

There was a high level of diversity in how features such as role structure, authorization models and key backup were implemented. A more standardized security and authorization model and nomenclature would have been favourable. Instead, each vendor has chosen to integrate with the PKCS#11 model in different fashions. An evolvement of the PKCS#11 standard to incorporate more complex than smartcards would probably be advisable.

When performing this review, it would have been very helpful to have had access to best-practice recommendations for setting up and configuring HSMs. Such a text could also document certain application areas and general deployment scenarios. At the moment, the user is referred primarily to vendor-specific whitepapers and presentations.

You can read the full report here:
http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf

// OpenDNSSEC team



