Problem description
We are implementing a safety-critical system, where the FIPS 140-2 compliant HSM (hardware security module) is required to generate and store key material, perform encryption/decryption and run custom code, with the following requirements set for the custom module:
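- Module is available over RPC
- Module has access to all HSM keys and services
- Module has memory and persistent storage (both 1+ MB)
- Module memory is protected (FIPS 140-2 level 3+)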
As for the HSM services themselves, it is required to:
- Support AES, RSA and HMAC
- Have aliases for keys
- Generate new keys with alias over the PKCS11 interface
- Retrieve public key and certificate with alias over the PKCS11 interface
- Delete keys with alias over the PKCS11 interface
As there is very little information available about HSM products due to the NDA, it is very hard to evaluate the requirements and options. Are these requirements met by any standards, or by vendor-specific solutions, such as Utimaco?
Recommended answer
If you really need to run custom code inside the HSM device, you have several choices across several vendors:
- SafeNet ProtectServer (and SafeNet Luna Network/PCIe HSM since version 7.4)
- Thales nShield (CodeSafe)
- Utimaco CryptoServer (SDK)
My bet is that if you really need FIPS 140 certification you would need to certify your custom code running inside the HSM as well (as such code is very powerful and can e.g. bypass access control, extract keys in plain text... -- thus it breaks any security assumptions easily).
Your requirements should be fulfillable by any of the products (even without running custom code inside the HSM -- it depends on the level of control your application needs).
Good luck!
Disclaimer: I am no crypto expert, so please do validate my thoughts.