Skip to Content.

edugain-discuss - RE: [eduGAIN-discuss] HSM use cases

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive


RE: [eduGAIN-discuss] HSM use cases


Chronological Thread 
    < Chronological >      < Thread >
  • From: Alan Lewis <alan.lewis AT geant.org>
  • To: Joost van Dijk <joost.vandijk AT surfnet.nl>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: RE: [eduGAIN-discuss] HSM use cases
  • Date: Fri, 29 Mar 2019 13:32:40 +0000
  • Accept-language: en-GB, en-US
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=alan.lewis AT geant.org;

Hello Joost,

 

Thanks for the current use cases. I can see that for most of these, with the exception of PEP, performance is not an issue.

The FPGA implementation of the algorithm should certainly yield more performance than a software solution, but depending on the ultimate
performance requirement you need, may also have limitations due to the slower clock rate of an FPGA versus an ASIC.

 

Given that you have had the chance to do some evaluation work with the Cryptech alpha board (two of which are contained in the DiamondKey HSM)
I’d be interested in any observations you are happy to share on that product.

 

Best regards

 

Alan

 

Alan Lewis

Trust and Identity Services Product Manager

 

GÉANT
Direct Tel: +44 (0)1223 371409

Mobile: +44 (0) 7500 891616

Switchboard: +44 (0)1223 371300

Networks • Services • People 

Learn more at www.geant.org​

GÉANT Vereniging (Association) is registered with the Chamber of Commerce in Amsterdam with registration number 40535155 and operates in the UK as a branch of GÉANT Vereniging. Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.

 

From: Joost van Dijk <joost.vandijk AT surfnet.nl>
Sent: 29 March 2019 09:52
To: Alan Lewis <alan.lewis AT geant.org>
Cc: edugain-discuss AT lists.geant.org
Subject: Re: [eduGAIN-discuss] HSM use cases

 

Hi Alan,

 

Some quick notes on the HSM use cases for SURFnet:

 

- DNSsec: We use Utimaco CryptoServer HSMs for our DNSsec signers (migrated from Safenet Luna HSMs). They manage ECDSA P.256 keys for each zone (about 2k zones).

- SAML metadata signing: We use separate slots on the same Utimaco HSMs to sign SURFconext metadata, currently 24 streams (48MB) updated on an hourly basis).

- eduroam CAT: We use a separate slot on the same Utimaco HSMs for EV Code signing. FIPS is relevant here as Digicert requires the key to be non-exportable.

- PEP: A separate set of Utimaco HSMs are used for implementing the key server component for the PEP project (pep.cs.ru.nl). These run custom firmware implementing polymorphic encryption and pseudonymisation based on Ed25519 (initially unsupported on these HSMs).

 

Apart from our production experiences with Safenet and Utimaco, we have somewhat tested Yubico HSMs and the Cryptech alpha board from CrowdSupply.  Both are interesting because of their lower prices compared to Safenet and Utimaco, but we haven’t evaluated their performance. Note that none of the use cases above have high performance requirements.

 

For the PEP project performance is more relevant for other components, which currently do not use HSMs because of problematic performance on the Utimaco HSMs. A student from Radboud University worked on an FPGA-implementation of Ed25519 on the Cryptech HSM, which I find particularly interesting but I haven’t heard back of any results yet.

 

Cheers,

Joost van Dijk

SURFnet

 

 



On 19 Mar 2019, at 17:44, Alan Lewis <alan.lewis AT geant.org> wrote:

 

Hello all,

 

Within the GEANT project we have an activity in WP5 T2 which is looking at possible use cases for HSMs (and specifically the Cryptech defined HSM) within T&I services.

If you are not familiar with Cryptech, they are an initiative to produce an open design (hardware, firmware and software) for an HSM which will be both low cost and free from any perceived trust issues that might be associated with commercial products (think Huawei). 

See https://cryptech.is/ is you are interested. 

Diamond Key Security have been established in order to support the sustainability of the Cryptech initiative by developing and selling HSMs, of which GEANT is one of three current customers.

 

One of the things I would like to understand is what requirements there might be for use of such an HSM in the R&E community and outside of those services which are currently being offered by GEANT.

 

So I would be interested to know for any services you are aware of that might benefit:

 

  1. The use cases for secure storage;
  2. The current situation – what is being done today;
  3. The data that is being stored and the quantity;
  4. The value of the information that is being protected;
  5. Specific HSM requirements for
    1. Cryptographic performance;
    2. Cryptographic algorithm support;
    3. Management, connectivity and access mechanisms;
    4. FIPS level or CC compliance;
    5. Other stuff I haven’t thought of yet.

     

    I look forward to hearing your thoughts.

     

    Best regards

     

    Alan

     

     

    Alan Lewis

    Trust and Identity Services Product Manager

     

    GÉANT 
    Direct Tel: +44 (0)1223 371409

    Mobile: +44 (0) 7500 891616

    Switchboard: +44 (0)1223 371300

    Networks • Services • People 

    Learn more at www.geant.org​

    GÉANT Vereniging (Association) is registered with the Chamber of Commerce in Amsterdam with registration number 40535155 and operates in the UK as a branch of GÉANT Vereniging. Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.

     

    Attachment: smime.p7s
    Description: S/MIME cryptographic signature


    Archive powered by MHonArc 2.6.19.

    Top of Page