I am having a query regarding sessions with HSM.

I am aware that there is an overhead if you initialise and finalise the Cryptoki API for every file you want to encrypt/decrypt.

My queries are,

  1. Is there an overhead in opening and closing individual sessions for every file you want to encrypt/decrypt? (C_Initialize/C_Finalize)

  2. What is the maximum number of sessions I can have for an HSM simultaneously, without affecting the performance?

  3. Is opening and closing the session for processing individual files the best approach, or is opening a session, processing multiple files and then closing the session the best approach?

Thanks

A: 

The best approach is definitely to open the session once per application start. I.e. there's no reason to close the session while your application works -- the session is private to your application and no other application can use it to access and use the device if you opened the session.

Eugene Mayevski 'EldoS Corp
My application is multi-threaded, so I need to open multiple sessions, as multiple threads are not supposed to work in a single session. Under these scenarios, do you think opening and closing sessions frequently will be an overhead?
Raj
Opening a session is always an overhead, so it makes sense to cache sessions and re-use them even between threads if possible.
Eugene Mayevski 'EldoS Corp
When you say cache, how can I implement such a cache securely?
Raj
Use some multithreaded pool class. I don't have exact references to give, because for me writing such a pool class is 15-20 minutes of work.
Eugene Mayevski 'EldoS Corp
The discussion is getting very interesting here. All my applications call a webservice (which interacts with the cryptoki via my API) to automatically manage my threads. So I do not have control over which application can share which session handle unless I open a session, process and close the session. If I open a new session every time for a new thread, I think there will be too many sessions opened, as I do not have any control over the creation of threads. Any ideas?
Raj
+1  A: 

First and foremost, the PKCS#11 spec has pretty extensive documentation under its general overview about threads, applications and sessions.

Secondly, it depends on your HSM hardware and PKCS#11 module implementation. How does your PKCS#11 provider represent slots? Do you use the same key all the time? What are the authentication mechanisms for the key?

  1. How to use C_Initialize (and C_Finalize) is extensively covered in the PKCS#11 spec
  2. Number of sessions depends on the PKCS#11 implementation, see ulMaxSessionCount in CK_TOKEN_INFO

Try with a single session. Are you sure your bottleneck will be the session handling?

martin
I am initialising with C_Initialize((CK_VOID_PTR)CK_TOKEN_INFO -> ulMaxSessionCount = CK_UNAVAILABLE_INFORMATION My vendor is not sharing this information. I will use different keys (hybrid approach): CKM_SHA256_RSA_PKCS for sign/verify and AES for encryption and decryption. I will encounter around 50,000 files randomly, each of size around 2 mb. Need to verify signature, get AES key and decrypt data. As we are already in production, I want to make sure before making any significant changes such as session handling. Thanks
Raj
A: 

There is overhead in opening and closing sessions (from my experiments). It's better not to open individual sessions for each file.

Update: From my vendor:

There is no limit or specified number of the session that you can open on a token however it could be many thousand.

It depends on what you are doing and how it is consuming the RAM of the appliance. Opening too many sessions and creating too many session objects that reaches to the limit that a RAM can hold will definitely affect the performance of the appliance.

Thanks

Raj
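
A bounded, thread-safe session pool of the kind suggested in the comments on the first answer, as an added example that is not code from any poster or vendor. `open_session` and `close_session` are hypothetical wrappers standing in for C_OpenSession and C_CloseSession, `FakeToken` is a constructed stand-in for a real PKCS#11 module, and `max_sessions` is assumed to be chosen by the operator (for instance from ulMaxSessionCount when the token reports it).

```python
import queue, threading
from concurrent.futures import ThreadPoolExecutor
from contextlib import contextmanager

class SessionPool:                             # a handle is held by one thread at a time
    def __init__(self, open_session, close_session, max_sessions):
        self._open, self._close = open_session, close_session
        self._slots = queue.LifoQueue()        # LIFO: reuse open sessions before empty slots
        for _ in range(max_sessions):
            self._slots.put(None)              # None = slot with no session opened yet
    @contextmanager
    def session(self):
        handle = self._slots.get()             # blocks while every slot is borrowed
        try:
            handle = self._open() if handle is None else handle
            yield handle
        except BaseException:
            if handle is not None:
                self._close(handle)            # state unknown after a failure: never reuse
            handle = None
            raise
        finally:
            self._slots.put(handle)            # hand the slot back, open or empty
    def close_all(self):                       # shutdown only, after workers have finished
        while not self._slots.empty():
            handle = self._slots.get_nowait()
            if handle is not None:
                self._close(handle)

class FakeToken:                               # constructed stand-in for a PKCS#11 module
    def __init__(self):
        self.lock, self.opened, self.closed = threading.Lock(), 0, 0
    def open_session(self):                    # hypothetical wrapper for C_OpenSession
        with self.lock:
            self.opened += 1
            return self.opened
    def close_session(self, handle):           # hypothetical wrapper for C_CloseSession
        with self.lock:
            self.closed += 1

def process_files(n_files, n_threads, max_sessions):
    token = FakeToken()
    pool = SessionPool(token.open_session, token.close_session, max_sessions)
    def work(_):
        with pool.session() as handle:         # real code would verify and decrypt here
            return handle
    with ThreadPoolExecutor(n_threads) as ex:
        handles = list(ex.map(work, range(n_files)))
    pool.close_all()
    return token.opened, token.closed, handles
```

With an uncontrolled number of caller threads, the pool size rather than the thread count bounds how many sessions the token ever sees; extra threads wait for a free slot.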