HSM is an abbreviation for Hardware Security Module: a security device compliant with the PKCS#11 standard that provides secure storage for data, especially private keys.
Questions tagged [hsm]
144 questions
0 votes, 0 answers
How to calculate MILENAGE OPc value while OP stored in HSM?
ETSI TS 135 206 defines the specification of MILENAGE algorithm which is an authentication algorithm for mobile networks.
It defines 'OPc' as below:
a 128-bit value derived from OP and K and used within the computation
of the functions.
According…
VSB
- 185
- 9
0 votes, 1 answer
Examples of custom key restriction policies for HSMs
Based on my understanding, some types of HSMs allow custom software to be developed that can run within the HSM's secure enclave. This capability allowed Square to do something very clever to boost the security of their cryptocurrency cold…
bnsmith
- 67
- 8
0 votes, 0 answers
Handling MTLS with HSM
Scenario: I need to implement MTLS between three of my services communicating with each other.
Based on my understanding of MTLS, I need to import the certificate of target services in the trust store of the source service and the certificate of…
PratikJoshi
- 1
- 1
0 votes, 1 answer
Using an HSM to protect encrypted data even when a server is compromised
Imagine a system architecture where an API server is able to send a request to an HSM, and the HSM is able to decrypt some data for a particular user/customer, in order to serve some hypothetical purpose. In this case, if the API server is…
bnsmith
- 67
- 8
0 votes, 1 answer
How does a cloud based application use a TPM to authenticate hardware devices?
I have heard about this, but not sure how it would work.
I would imagine that when you register the device, the public RSA key burnt into the chip would be shared.
That way, if the application sends a challenge, the TPM uses the private key to…
Beginner
- 39
- 5
0 votes, 0 answers
Better security for storing certificates in LUKS or softhsm?
What is the best place to store certificates and keys which are confidential and sensitive?
As I understand LUKS is fine and kernel transparently handles encryption/decryption. Also, the LUKS volume could contain anything and everything like a…
Baranikumar Venkatesan
- 635
- 4
- 12
0 votes, 1 answer
key escrow vs secure storage (software/TPM/HSM)
From the definition of key escrow (a method to store important cryptographic keys providing data-at-rest protection), it sounds very similar to that of secure storage which could be basically software-based or hardware-based (TPM/HSM).
But, I could…
Baranikumar Venkatesan
- 635
- 4
- 12
0 votes, 0 answers
Authenticate Windows/Linux process against hardware security module
I have a hardware security module connected to a host computer (Windows/Linux). The HSM contains symmetric keys used to encrypt/decrypt data (i.e. files and real-time communications); the keys are stored inside the memory of the HSM and their values…
0 votes, 2 answers
Secure Authentication of Technical User to a Network-Appliance-HSM
Let's assume we have an internal environment consisting of some distributed systems, one central system and an internal PKI. The central system is serving a cluster of HSMs that shall be accessible by network in a securely controlled way. On the…
moritz1895
- 3
- 2
0 votes, 1 answer
Why is YubiHSM an HSM?
What makes the YubiHSM an HSM?
Most HSMs I have seen have more memory and are faster, perhaps due to crypto-accelerators. They're generally big and inserted in data center racks, or plugged as PCIe cards.
But the YubiHSM is tiny, I was wondering…
David 天宇 Wong
- 169
- 5
0 votes, 0 answers
Parameters for HSM based symmetric Key Derivation Function (KDF)
I have a quick question regarding parameters for HSM based symmetric Key Derivation.
My situation is that I have to implement HSM based symmetric key derivation for encryption of sensitive data to be stored inside DB. Each data entry should have…
Nezhull
- 1
0 votes, 0 answers
Line jump with openssl s_client -connect command when using CAfile
I am trying to connect with some HSM cloud service using a specific url:port provided by the service vendor. The connection works fine if CAfile is omitted from the syntax of the s_client -connect command. However, when included, the prompt simply…
0 votes, 0 answers
Raspberry Pi with LAN, no WAN - Encryption Key Security - Zymbit/Zymkey
I am setting up a Raspberry Pi that will be portable and often set up in areas without electricity or internet access and with poor cell service. I'd like to encrypt and decrypt data without retrieving keys from another server.
The solution I…
superkayrad
- 1
- 1
0 votes, 2 answers
TDE - Encrypting different rows with different keys
My question is in general but related to Oracle DB. I have a single table with different companies as rows. Each row has company id and company registration number. I would like to encrypt company registration number, but I want to encrypt each…
ZEE
- 157
- 3
0 votes, 1 answer
Windows Server: Import HSM-backed certificate into second server
Scenario:
Using Amazon CloudHSM with CloudHSM Windows Client installed and configured.
Created CSR for a Code Signing certificate with certreq.exe and provider Cavium Key Storage Provider.
Submitted CSR for signing to CA
Accepted signed…
MikeJansen
- 101
- 2