[Opendnssec-user] Looking for a "cheap" HSM

helpcrypto helpcrypto helpcrypto at gmail.com
Tue Aug 20 08:01:32 UTC 2013

Hi Rickard (and all), sorry for holiday delay.

I know how PKCS#11 works, but im looking how HSM work.

IIUC, user talks to web, web talks to WService, WService talks with token.
Doesnt that break the rule of the "user being the only one having the
PIN/access to key"

The other possibility is:
user attack pk11lib, pk11lib opens a secure tunnel to HSM
So the security is based on a local software key, which can be craked
allowing someone to sniff around.

Am i right?

On Wed, Aug 7, 2013 at 1:31 PM, Rickard Bellgrim <rickard at opendnssec.org>wrote:

> Your application will load a vendor specific PKCS#11 library. This library
> will expose the PKCS#11 function calls to your application. The
> communication to the HSM is handled internally by the library.
> Objects (such as private keys) are stored in a so called token. Anyone
> with credentials to the token can access any object within that token. An
> HSM may have multiple tokens, thus being able to separate the
> users/applications into different compartments.
> In order to access your object, you must first load the correct PKCS#11
> library, then open a session with a given slot/token, authenticate using
> your credentials, search for the object matching a particular set of
> attributes, and finally use the object for your crypto operations.
> Certificates and keys for the users are usually stored in smart cards,
> which may be accessed using the PKCS#11 interface. Larger HSM:s are
> primarily for the root/issuing-CA when it comes to certificates.
> // Rickard
> On Mon, Jun 24, 2013 at 12:42 PM, helpcrypto helpcrypto <
> helpcrypto at gmail.com> wrote:
>> Hi.
>> In my office, we are considering to use an HSM to store employees x509
>> certificates+keys.
>> I found [1] and [2] very interesting.
>> I have 2 questions, which i'll love somebody answers me. Thanks in
>> advance.
>> If an HSM is used "online" through PKCS#11 API, how the user "select the
>> key container". In other words: how i select my certificate and not the one
>> from my neighbourgs ?
>> Is there any place with a price comparison chart or some information
>> about HSM prices (instead of contacting each provider and ask).
>> Thanks a lot!
>> [1] https://wiki.opendnssec.org/display/DOCREF/HSM+Buyers%27+Guide
>> [2]
>> http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20130820/9f53012d/attachment.htm>

More information about the Opendnssec-user mailing list