Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] HSM use cases

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] HSM use cases


Chronological Thread 
  • From: Joost van Dijk <joost.vandijk AT surfnet.nl>
  • To: Alan Lewis <alan.lewis AT geant.org>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] HSM use cases
  • Date: Fri, 29 Mar 2019 09:52:03 +0000
  • Accept-language: en-GB, en-US

Hi Alan,

Some quick notes on the HSM use cases for SURFnet:

- DNSsec: We use Utimaco CryptoServer HSMs for our DNSsec signers (migrated from Safenet Luna HSMs). They manage ECDSA P.256 keys for each zone (about 2k zones).
- SAML metadata signing: We use separate slots on the same Utimaco HSMs to sign SURFconext metadata, currently 24 streams (48MB) updated on an hourly basis).
- eduroam CAT: We use a separate slot on the same Utimaco HSMs for EV Code signing. FIPS is relevant here as Digicert requires the key to be non-exportable.
- PEP: A separate set of Utimaco HSMs are used for implementing the key server component for the PEP project (pep.cs.ru.nl). These run custom firmware implementing polymorphic encryption and pseudonymisation based on Ed25519 (initially unsupported on these HSMs).

Apart from our production experiences with Safenet and Utimaco, we have somewhat tested Yubico HSMs and the Cryptech alpha board from CrowdSupply.  Both are interesting because of their lower prices compared to Safenet and Utimaco, but we haven’t evaluated their performance. Note that none of the use cases above have high performance requirements.

For the PEP project performance is more relevant for other components, which currently do not use HSMs because of problematic performance on the Utimaco HSMs. A student from Radboud University worked on an FPGA-implementation of Ed25519 on the Cryptech HSM, which I find particularly interesting but I haven’t heard back of any results yet.

Cheers,
Joost van Dijk
SURFnet



On 19 Mar 2019, at 17:44, Alan Lewis <alan.lewis AT geant.org> wrote:

Hello all,
 
Within the GEANT project we have an activity in WP5 T2 which is looking at possible use cases for HSMs (and specifically the Cryptech defined HSM) within T&I services.
If you are not familiar with Cryptech, they are an initiative to produce an open design (hardware, firmware and software) for an HSM which will be both low cost and free from any perceived trust issues that might be associated with commercial products (think Huawei). 
See https://cryptech.is/ is you are interested. 
Diamond Key Security have been established in order to support the sustainability of the Cryptech initiative by developing and selling HSMs, of which GEANT is one of three current customers.
 
One of the things I would like to understand is what requirements there might be for use of such an HSM in the R&E community and outside of those services which are currently being offered by GEANT.
 
So I would be interested to know for any services you are aware of that might benefit:
 
  1. The use cases for secure storage;
  2. The current situation – what is being done today;
  3. The data that is being stored and the quantity;
  4. The value of the information that is being protected;
  5. Specific HSM requirements for
  1. Cryptographic performance;
  2. Cryptographic algorithm support;
  3. Management, connectivity and access mechanisms;
  4. FIPS level or CC compliance;
  5. Other stuff I haven’t thought of yet.
 
I look forward to hearing your thoughts.
 
Best regards
 
Alan
 
 
Alan Lewis
Trust and Identity Services Product Manager
 
GÉANT 
Direct Tel: +44 (0)1223 371409
Mobile: +44 (0) 7500 891616

Switchboard: +44 (0)1223 371300

Networks • Services • People 
Learn more at www.geant.org​

GÉANT Vereniging (Association) is registered with the Chamber of Commerce in Amsterdam with registration number 40535155 and operates in the UK as a branch of GÉANT Vereniging. Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.


Attachment: signature.asc
Description: Message signed with OpenPGP




Archive powered by MHonArc 2.6.19.

Top of Page