Академический Документы
Профессиональный Документы
Культура Документы
!"#$"
1
What is an HSM?
!"#$"
2
What is an HSM?
Protected keystore
Crypto hardware
Protected Keystore
Keys stored in tamperproof memory
If you mess with the chip, the device will (try to)
detect it and zeroize
Implemented using
!"#$"
4
Crypto Hardware
Hardware to assist accelerate symmetric
and asymmetric crypto
API
PKCS#11 (aka Cryptoki)
OpenSSL Engine
Microsoft CAPI
Java Cryptography Extension
!"#$"
6
Native
Engine
PKCS#11 Library
Crypto Device
CPU
!"#$"
7
!"#$"
8
Compromised hosts
Disgruntled staff
Math
!"#$"
9
!"#$"
10
Residual risk
Keys can still be misused
Garbage in
Garage out
!"#$"
11
Increase trust?
Using an HSM increases trust Why?
Standards compliance
Verifiable security e.g. FIPS 140-2
!"#$"
12
!"#$"
13
Types of HSMs
Local interface e.g. PCI cards
Remote interface e.g. Ethernet
Smart cards
USB tokens
!"#$"
14
!"#$"
15
Capacity
How many keys can be stored?
Where are the keys stored?
Internal keystore
External keystore (encrypted by master key)
!"#$"
16
API
What API do you need?
!"#$"
17
Speed
Signing speed RSA
!"#$"
18
Security Certifications
FIPS 140-2
CC-EAL
!"#$"
19
FIPS 140-2
Level
Requirement
3
4
!"#$"
20
CC-EAL
What Protection Profile (PP) has been used
for the Target of Evalation (ToE)?
!"#$"
21
Key Backup
How do you backup your keystore?
Can you restore a backup elsewhere?
Examples of HSMs
!"#$"
23
SCA 6000
PCI-Express x8
Certification
Performance
13,000 sign/s
RSA-1024
System Support
Solaris, Linux
Approx price
960
!"#$"
24
Ethernet
Certification
Performance
1,200 sign/s
RSA-1024
System Support
Approx price
17,500
!"#$"
25
PCI-X
Certification
Performance
1,200 sign/s
RSA-1024
System Support
Approx price
6,600
!"#$"
26
SoftHSM
Interface
software
Certification
none
Performance
CPU-dependent
RSA-1024
System Support
Unix
Approx price
!"#$"
27
Other vendors
Thales (formerly nCipher)
netHSM, nShield
SafeNet
!"#$"
28
jakob@kirei.se
!"#$"
29