tags:

views:

110

answers:

3
+1  Q: 

HSM - cryptoki - opening sessions overhead

I am having a query regarding sessions with HSM.

I am aware that there is an overhead if you initialise and finalise the cryptoki api for every file you want to encrypt/decrypt.

My queries are,

  1. Is there an overhead in opening and closing individual sessions for every file, you want to encrypt/decrypt.(C_Initialize/C_Finalize)

  2. How many maximum number of sessions can i have for a HSM simultaneously, with out affecting the performance?

  3. Is opening and closing the session for processing individual files the best approach or opening a session and processing multiple files and then closing the session the best approach?

Thanks

A: 

The best approach is definitely to open the session once per application start. I.e. there's no reason to close the session while your application works -- the session is private to your application and no other application can use it to access and use the device if you opened the session.

Eugene Mayevski 'EldoS Corp  2010-06-15 11:38:09
My application runs in a multi-thread so i need to open multiple sessions as multiple-threads are not supposed to work in a single session. Under these scenarios, do you think opening and closing sessions frequently will be an over head?
Raj  2010-06-15 12:16:11
Opening a session is always an overhead, so it makes sense to cache sessions and re-use them even between threads if possible.
Eugene Mayevski 'EldoS Corp  2010-06-15 13:09:33
When you say cache, how can i implement such a cache securely?
Raj  2010-06-15 15:22:03
Use some multithreaded pool class. I don't have exact references to give cause for me writing such pool class is a 15-20-minute work.
Eugene Mayevski 'EldoS Corp  2010-06-15 19:22:18
The discussion is getting very interesting here. All my applications call a webservice (which interacts with the cryptokivia my api) to automatically manage my threads. So i donot have control over which application can share which session handle unless i open a session, process and clos the session. If i open a new session every time for a new thread, i think there will be too many sessions opened as i donot have any control over the creation of threads. Any ideas?
Raj  2010-06-16 15:31:36
+1  A: 

First and foremost, PKCS#11 spec has pretty extensive documentation under general overview about threads, applications and sessions.

Secondly, it depends on your HSM hardware and PKCS#11 module implementation. How does your PKCS#11 provider represent slots? Do you use the same key all the time? What are the authentication mechanisms for the key?

  1. How to use C_Initialize (and C_Finalize) is extensively covered in the PKCS#11 spec
  2. Number of sessions depends on the PKCS#11 implementation, see ulMaxSessionCount in CK_TOKEN_INFO

Try with a single session. Are you sure your bottleneck will be the session handling?

martin  2010-06-15 13:23:07
I am initialising with C_Initialize((CK_VOID_PTR)CK_TOKEN_INFO -> ulMaxSessionCount =CK_UNAVAILABLE_INFORMATION My vendor is not sharing this information. I will use different keys(hybrid approach). CKM_SHA256_RSA_PKCS for sign/verify and AES for encryption and decryption. I will encounter around 50,000 files randomnly each of size around 2 mb. Need to verify signature, get aes key and decrypt data. As we are already in production, i want to make sure before making any significant changes such as session handling.Thanks
Raj  2010-06-15 15:00:24
A: 

There is overhead in opening and closing sessions(from my experiments). Its better not to open individual sessions for each file.

Update: From my vendor:

There is no limit or specified number of the session that you can open on a token however it could be many thousand.

It depends on what you are doing and how it is consuming the RAM of the appliance. Opening too many sessions and creating too many session objects that reaches to the limit that a RAM can hold will definitely affect the performance of the appliance.

Thanks

Raj  2010-06-17 17:16:14

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords