I have to work with an HSM device for security requirements in my project. I am confused about how HSM is interfaced with C on a Linux machine.
How does a user access HSM internal memory for performing different operations with it?
Every HSM vendor supports at least one cryptographic API. PKCS#11 is a particularly common choice, but there are many other options. OpenSSL, for example, supports HSMs through an engine interface.
Often the vendor will expose a proprietary API in addition to the "standard" APIs it implements. The proprietary API typically offers a greater degree of control over key security properties and key usage than is possible to express in the standard APIs.
When using an HSM, one typically issues a command to load a key from a secure store and retrieve a handle to the key object. This handle is the layer of abstraction that allows the HSM to perform the key operations securely without exposing the key material.
With regard to your project, it is important that you don't simply "shove" the HSM somewhere in your solution to make it appear secure. Instead, think long and hard about the security properties of your system and how cryptography may help you defend against attacks. Once you've identified your attack vectors (and your associated cryptographic defences), then consider which cryptographic API can support your use cases. Only then should you select the best vendor from those who support that API.
In my experience, the standard APIs only suffice for simple security systems. For complex projects, it's almost always necessary to work with the proprietary API of a particular vendor. In such cases, lean heavily on the vendor for support and proof-of-concepts before settling on a product that truly meets your needs.
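The key-handle pattern described in the answer above (load a key, receive a handle, operate through the handle), as an added C example that is not from the original posts or from any vendor SDK. It is an in-process model, not PKCS#11: the function names, PIN and keys are hypothetical constructed values, and the checksum stands in for a real signature.

```c
/* Added model of the key-handle pattern; all names and values are hypothetical. */
#include <stdint.h>
#include <string.h>

enum { HSM_OK = 0, HSM_NOT_LOGGED_IN, HSM_BAD_HANDLE, HSM_SENSITIVE };
typedef uint32_t key_handle;            /* all the caller ever holds */

/* "Inside the HSM": file-private state that the caller cannot reach. */
static const struct slot { const char *label; uint8_t key[16]; int sensitive; } store[] = {
    { "signing-key", { 0x13, 0x37, 0xc0, 0xde }, 1 },   /* constructed keys */
    { "public-blob", { 0x01, 0x02, 0x03, 0x04 }, 0 },
};
#define NSLOTS (sizeof store / sizeof store[0])
static int logged_in;

/* Every operation re-checks the session and resolves the handle itself. */
static int check(key_handle h, const struct slot **s) {
    if (!logged_in) return HSM_NOT_LOGGED_IN;
    *s = (h >= 1 && h <= NSLOTS) ? &store[h - 1] : NULL;
    return *s ? HSM_OK : HSM_BAD_HANDLE;
}
int hsm_login(const char *pin) {
    logged_in = strcmp(pin, "1234") == 0;               /* constructed PIN */
    return logged_in ? HSM_OK : HSM_NOT_LOGGED_IN;
}
void hsm_logout(void) { logged_in = 0; }
int hsm_find_key(const char *label, key_handle *out) {
    if (!logged_in) return HSM_NOT_LOGGED_IN;
    for (uint32_t i = 0; i < NSLOTS; i++)
        if (!strcmp(store[i].label, label)) { *out = i + 1; return HSM_OK; }
    return HSM_BAD_HANDLE;
}
int hsm_get_value(key_handle h, uint8_t out[16]) {
    const struct slot *s = NULL;
    int rc = check(h, &s);
    if (rc == HSM_OK && s->sensitive) rc = HSM_SENSITIVE;   /* key bytes never leave */
    if (rc == HSM_OK) memcpy(out, s->key, 16);
    return rc;
}
/* Placeholder keyed checksum (FNV-1a over key || msg), NOT a real MAC. */
int hsm_sign(key_handle h, const uint8_t *msg, size_t n, uint32_t *tag) {
    const struct slot *s = NULL;
    uint32_t x = 2166136261u;
    int rc = check(h, &s);
    if (rc != HSM_OK) return rc;
    for (size_t i = 0; i < 16; i++) x = (x ^ s->key[i]) * 16777619u;
    for (size_t i = 0; i < n; i++) x = (x ^ msg[i]) * 16777619u;
    *tag = x;
    return HSM_OK;
}
```

In a real HSM the boundary is the device itself rather than a `static` array, but the calling code has the same shape: log in, look up a handle, and pass that handle to each operation.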
I know this is a year old, but in case someone else runs across it, there is a more detailed discussion at this link:
Digital Signing using certificate and key from USB token
Including some long-form working code that I added. You are also welcome to get my code directly at this link: https://github.com/tkil/openssl-pkcs11-samples
Good luck!