[Opendnssec-user] Looking for a "cheap" HSM

Rickard Bellgrim rickard at opendnssec.org
Wed Aug 7 11:31:41 UTC 2013


Your application will load a vendor-specific PKCS#11 library. This library
will expose the PKCS#11 function calls to your application. The
communication to the HSM is handled internally by the library.

Objects (such as private keys) are stored in a so-called token. Anyone with
credentials to the token can access any object within that token. An HSM
may have multiple tokens, thus being able to separate the
users/applications into different compartments.

In order to access your object, you must first load the correct PKCS#11
library, then open a session with a given slot/token, authenticate using
your credentials, search for the object matching a particular set of
attributes, and finally use the object for your crypto operations.

Certificates and keys for the users are usually stored in smart cards,
which may be accessed using the PKCS#11 interface. Larger HSMs are
primarily for the root/issuing CA when it comes to certificates.

// Rickard
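The five steps above, as an added example that is not from the list or from OpenDNSSEC: Java's SunPKCS11 provider performs exactly that sequence (load the vendor library, bind to a slot, C_Login, look up by label, operate on the handle) and is a common way to use employee certificates "online". The config path, library path and key alias are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;

public class HsmSign {
    // Hypothetical SunPKCS11 config file (placeholder values):
    //   name = CorpHSM
    //   library = /path/to/vendor-pkcs11.so   <- vendor PKCS#11 library (step 1)
    //   slot = 0                              <- slot/token to open   (step 2)
    static final String CONFIG = "/etc/pki/hsm-token.cfg";

    public static void main(String[] args) throws Exception {
        String keyAlias = args[0];                 // the caller's own CKA_LABEL
        char[] userPin = System.console().readPassword("Token PIN: ");

        // Steps 1+2: load the vendor library and bind to the configured slot.
        Provider p11 = Security.getProvider("SunPKCS11").configure(CONFIG);
        Security.addProvider(p11);

        // Step 3: C_Login with the user PIN. Every object in this token is now
        // visible to us; isolation between users comes from separate tokens.
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, userPin);

        // Step 4: select by attribute. The alias is the CKA_LABEL shared by a
        // certificate and its private key, so we get the pair we asked for and
        // nothing else. Fail loudly rather than falling back to "first key".
        if (!ks.containsAlias(keyAlias)) {
            throw new IllegalArgumentException("no object labelled " + keyAlias);
        }
        PrivateKey key = (PrivateKey) ks.getKey(keyAlias, null); // PIN already given
        X509Certificate cert = (X509Certificate) ks.getCertificate(keyAlias);
        System.out.println("Using " + cert.getSubjectX500Principal());

        // Step 5: the operation runs inside the HSM on the key handle; for a
        // non-extractable key no private key material reaches this process.
        Signature sig = Signature.getInstance("SHA256withRSA", p11);
        sig.initSign(key);
        sig.update("document to sign".getBytes(StandardCharsets.UTF_8));
        byte[] signature = sig.sign();
        System.out.println("signature length: " + signature.length + " bytes");
    }
}
```

Listing `ks.aliases()` after `load` shows everything the PIN unlocks, which is a quick way to confirm that the token really contains only the objects one user should see.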

On Mon, Jun 24, 2013 at 12:42 PM, helpcrypto helpcrypto <
helpcrypto at gmail.com> wrote:

> Hi.
>
>
> In my office, we are considering using an HSM to store employees' X.509
> certificates and keys.
>
> I found [1] and [2] very interesting.
> I have 2 questions, which I'd love somebody to answer. Thanks in advance.
>
>
> If an HSM is used "online" through the PKCS#11 API, how does the user "select
> the key container"? In other words: how do I select my certificate and not the
> one from my neighbours?
>
> Is there any place with a price comparison chart or some information about
> HSM prices (instead of contacting each provider and asking)?
>
>
> Thanks a lot!
>
>
> [1] https://wiki.opendnssec.org/display/DOCREF/HSM+Buyers%27+Guide
> [2]
> http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf
>