[Opendnssec-user] Looking for a "cheap" HSM

Rickard Bellgrim rickard at opendnssec.org
Tue Aug 20 09:14:48 UTC 2013

> IIUC, user talks to web, web talks to WService, WService talks with token.
> Doesn't that break the rule of the "user being the only one having the
> PIN/access to key"?

How the PIN is transferred over multiple systems to the HSM/token is out of
scope. You have to build/use a system which makes sure that the transaction
to the library is safe.

The other possibility is:
> user attack pk11lib, pk11lib opens a secure tunnel to HSM
> So the security is based on a local software key, which can be cracked
> allowing someone to sniff around.

The main purpose of the PKCS#11 library is to deliver your commands over to
the HSM. Cracking the library won't give you any extra information. The
private key operations are performed on-board the HSM. If the library e.g.
acts as an HA client for the HSM cluster, then traffic between the HSMs
is/should be encrypted. Thus not being able to know the contents of the

You could also have a look at the PKCS#11 Spy software from the OpenSC
project to see how to tap the PKCS#11 traffic/commands.

If you want to attack an HSM, then you could e.g. try to exploit the API it
exposes to the PKCS#11 clients/libraries.

// Rickard