tags:

views:

410

answers:

3
Q: 

Software security Module/ toolkit replacing HSM for developing crypto functions

Hello

I worked and completed a PKI project which used a HSM for generating - storing keys and performing crypto functions. I used PKCS#11 to interface with our application for sigining/verifying and encryption/decryption. Our platform is windows.

Now we are looking to offer a low cost alternative solution by replacing the the HSM with a software security module. I must note here that i am aware of the drawbacks of not using a HSM. Its a trade off between security Vs Cost.

I found that Microsoft provides the Next Generation CryptoAPI (CNG), key store and certificate services. My senior management are not inclined to use open source software. I also found RSA and cryptomathic offering toolkits to perform software based solutions.

Has anybody come across any commercial software security module tool kits to perform key generation, key store and crypto functions?

Programming language - c/c++

Thanks

Raj

A: 

Your best option should be to find a software PKCS#11 library. There should be several implementations on the market - I know that the company I work for sells one. That way you would still be able to switch back to a PKCS#11-compliant HSM and the necessary modifications to the application should be minimal.

Your other options are CryptoAPI or CNG from Microsoft or a toolkit from RSA, Cryptomathic or another vendor. That would probably require more work to rewrite the application - I can't really see any advantage to this option, except that CryptoAPI and CNG are free.

Rasmus Faber  2009-09-09 10:39:43
Are you referring "software PKCS#11 library" as wrappers around PKCS#11 cryptoki library? If this is the case, in what way do you think this is different from the functions which i have written for sigining/encryptition etc Can you please point me to some vendors on "software PKCS#11 library". Do these vendors provide key management functions as well or do i need to rely on the OS and another library for storing/accessing the keys? In what ways para 1 of your answer differ from para2. I am actually very confused here. Apologies, if i sound too ignorant.
Raj  2009-09-09 14:31:14
PKCS#11 specifies an API (Cryptoki). You have been programming up against this API and presumably had a DLL that implemented this API with an HSM performing the operations. Several companies (including Cryptomathic, which is my employer) sell "software PKCS#11 libraries". A software PKCS#11 library would be a DLL implementing the PKCS#11 library but mapping the functions to a pure software implementation (and storing the keys in (encrypted) files). Key management can be done through the PKCS#11 API, but you might get a separate tool, too (depending on the vendor).
Rasmus Faber  2009-09-09 18:21:25
My second paragraph just relisted the options, you already knew of: other cryptographic APIs.
Rasmus Faber  2009-09-09 18:22:19
Looking around I actually can't find any vendors for software PKCS#11 libraries besides Cryptomathic (and that is hidden inside the product brochure for the PrimeInk toolkits...), but I am sure that there must be others.
Rasmus Faber  2009-09-09 18:29:42
Are you referring Keymanagement as generation,labelling and retrieving? My doubt here is - i had the HSM to store the keys, will this 3rd party library take care of the key store and its security? I have been searching for a while now, has come across PrimeInk(Thanks Rasmus) and cryptokit from Arx. I am not sure whether there are any other vendors, if you come across please share.
Raj  2009-09-10 17:28:00
I can't speak for other implementations, but I know the PrimeInk PKCS#11 library stores the key store encrypted on the hard disk with an AES key derived from the password. That is probably as good as it gets with a software library. If you do not need high throughput, another low-cost option might be a smartcard-reader with a smartcard. Those usually come with PKCS#11-libraries, too.
Rasmus Faber  2009-09-10 17:58:45
A: 

You could use SoftHSM, which is a pure-software PKCS #11 implementation. It is being used by the OpenDNSSEC project precisely to be swapped out in cases a real HSM is not available, so it might work for you too. However, it's BSD licensed, so I guess your management may not like it on that basis.

If you are looking for low-cost and yet commmercial (I'm not sure if you're specifically looking for something proprietary, which CryptoAPI is, or for something that is commercially supported, which CryptoAPI is not, unless you have a contract with Microsoft), rewriting your application to use the Win32 CryptoAPI seems the only viable option to me. RSA's toolkits are not cheap, in my experience.

Jack Lloyd  2009-09-10 13:05:43
Thanks Jack. You are right. If it is going to be case 2, i am planning to go with CNG as MS is phasingout cryptoAPI. Also Mozilla NSS has this virtual token of PKCS#11 implementation as well.
Raj  2009-09-10 17:29:27
A: 

Take a look at http://www.openssl.org/related/kits.html for LSM-PKCS11. That could be a solution.

Clizio Merli  2009-09-30 16:13:29

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security