tags:

views:

58

answers:

2
Q: 

HSM - cryptoki - Sessions - Timeout

My application access the HSM via a ASP.NET web service through PKCS#11. I initialise the cryptoki library and obtain a session handle. Web-service hold on to this handle to perform encryption/decryption/signing/verifying in a batch mode.

The problem i am facing is The ASP.NET web service time-outs' after 20 minutes. This act- i think, unloads the cryptoki library and the session handle held by the web-service becomes invalid. Yes, i agree that the ASP.NET web-service can be reconfigured not to time-out, which will keep the cryptoki library always loaded.

My question is What happens to the session handle which i obtained in the first place from the HSM?. Will it be lost or will it be there unused? I am asking this because, i am not closing the opened session properly by calling c_closeSession.

The web-service is implemented via a Thread pool

Thanks

+1  A: 

From the theoretical perspective, you should read the PKCS#11 spec, it is all written there, from section 6.6 onwards

From the practical perspecgive, an application becomes a cryptoki application after it calls C_Initialize. The concept of a session and its identifier may be relayed by a small wrapper library to a longrunning PKCS#11 process, that actually talks to the HSM, but may not. If the process that was a cryptoki application dies, so will do all the virtual resources (what a session is).

Where exactly is the problem? Opening a session could be a pretty cheap operation most of the time, unless you are sure (have measured) that it is the bottleneck, don't optimize and open and close a session for a request, if you can't control the lifespan of the cryptoki process.

martin  2010-07-05 08:08:51
@Martin- My tests show that any opened session, if not closed properly using the relevant cryptoki calls, remain in the HSM; These results are inline with Rasmus explanation. I am yet to measure the overhead of individual sessions. Will update once done.
Raj  2010-07-13 22:25:16
+1  A: 

You are supposed to call C_Finalize() when you are done using the cryptoki library. A well-written implementation might be robust against you not doing so, but there are no guarantees. Your open sessions may be kept alive on the HSM and perhaps in the driver.

Strongly consider calling C_Finalize() from your Application_End().

Rasmus Faber  2010-07-12 20:30:10
@Rasmus: One of the requirements for me is that the HSM should be available 24x7; SO i donot have the flexibility to call C_Finalize() in Application_End(). Please see my update in the other thread which you have linked already. Thanks
Raj  2010-07-13 10:35:55
@Rasmus: My tests show that if a session has been opened already, and the webservice dies without having an opportunity to close the session properly, then that session remains alive in the HSM, as mentioned in your post. I also notice that it is occupying the resources.
Raj  2010-07-13 22:28:11

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?