tags:

views:

51

answers:

1
Q: 

pkcs#11 memory error - what might be the common reasons?

I am getting the CKR_DEVICE_MEMORY error code for C_Encrypt call using cryptoki library.

From the PKCS#11 spec, CKR_DEVICE_MEMORY means The token doesnot have sufficient memory to perform the requested function.

Under what circumstances, do we get the token's memory completely full?

The HSM has been working 24x7 for 7 days continuously mostly encrypting and decrypting files during the day time with 2 parallel sessions. I haven't called C_Finalize in the last 7 days. so cryptoki library has been working in its memory space from the point it has been initialised(see a related post on this).

I can see from my applications, debug log, what ever, i am allocating, i am deallocating so there is no memory leak from my application code.

UPDATE 1: There is a related detailed discussion on how i can call C_Finalize in Application_Endof the ASP.NET. The main reason i couldn't use this because after recycling/timeout, the ASP.net threads access a single session resulting in CKR_OPERATION_ACTIVE error. In my case multiple applications are accessing the HSM via a webservice.

A: 

You mention here that you are not closing your sessions. If that is true, that is most probably the cause of the CKR_DEVICE_MEMORYs.

Rasmus Faber  2010-07-12 13:13:33
Hello Rasmus - I donot close my session. I keep my session open and use the handle in Batch mode. My intention is not to close the session at all. can you please help me to understand how keeping the session open will lead to the HSM's memory being used completely? I just open only 2 sessions and hold one for these two handles, one for encryption and the other for decryption. PS: I delete my session object which is an AES128 key(though its a session object);
Raj  2010-07-12 15:54:24
@Raj: You mentioned that ASP.NET was shutting down your application every 20 minutes without you calling C_CloseSession() or C_Finalize(). Or have you changed it so it is no longer timing out?
Rasmus Faber  2010-07-12 20:21:05
@Rasmus: I no longer use default timeout. When the ASP.Net webservice receives multiple requests for performing a crypto functions - after a timeout, the threads become alive and multiple threads access a single session leading to CKR_OPERATION_ACTIVE error and undefined behaviour. I ended up with similar issues when i enabled the thread recycling in IIS, as IIS creates a new process.
Raj  2010-07-12 23:06:09

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords