[Opendnssec-user] Looking for a "cheap" HSM

helpcrypto helpcrypto helpcrypto at gmail.com
Tue Aug 20 09:49:21 UTC 2013

On Tue, Aug 20, 2013 at 11:14 AM, Rickard Bellgrim
<rickard at opendnssec.org>wrote:

> IIUC, user talks to web, web talks to WService, WService talks with token.
>>  Doesnt that break the rule of the "user being the only one having the
>> PIN/access to key"
> How the PIN is transferred over multiple systems to the HSM/token is out
> of scope. You have to build/use a system which makes sure that the
> transaction to the library is safe.

Thats what im looking for ;)

> The other possibility is:
>> user attack pk11lib, pk11lib opens a secure tunnel to HSM
>> So the security is based on a local software key, which can be craked
>> allowing someone to sniff around.
> The main purpose of the PKCS#11 library is to deliver your commands over
> to the HSM. Cracking the library won't give you any extra information. The
> private key operations are performed on-board the HSM. If the library e.g.
> acts as a HA-client for the HSM-cluster, then traffic between the HSM:s
> are/should be encrypted. Thus not being able to know the contents of the
> HA-traffic.
> You could also have a look on the PKCS#11 Spy software from the OpenSC
> project on how to tap the PKCS#11 traffic/commands.
> If you want to attack an HSM, then you could e.g. try to exploit the API
> it exposes to the PKCS#11 clients/libraries.

Exactly what im thinking.
If user attack application (firefox) and app has pkcs#11 lib loaded, y
could easily hook another library (like PKCS#11 SPY) and have the PIN which
give access to key usage.

Seems OTP and similar mechanisms are the only way to secure this (a bit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20130820/612850fb/attachment.htm>

More information about the Opendnssec-user mailing list