edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Alan Lewis <alan.lewis AT geant.org>
- To: Joost van Dijk <joost.vandijk AT surfnet.nl>
- Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
- Subject: RE: [eduGAIN-discuss] HSM use cases
- Date: Fri, 29 Mar 2019 13:32:40 +0000
- Accept-language: en-GB, en-US
- Authentication-results: spf=none (sender IP is ) smtp.mailfrom=alan.lewis AT geant.org;
Hello Joost,
Thanks for the current use cases. I can see that for most of these, with the exception of PEP, performance is not an issue. The FPGA implementation of the algorithm should certainly yield more performance than a software solution, but depending on the ultimate
Given that you have had the chance to do some evaluation work with the Cryptech alpha board (two of which are contained in the DiamondKey HSM)
Best regards
Alan
Alan Lewis Trust and Identity Services Product Manager
GÉANT
Mobile: +44 (0) 7500 891616
Switchboard: +44 (0)1223 371300
Networks • Services • People
Learn more at www.geant.org
GÉANT Vereniging (Association) is registered with the Chamber of Commerce in Amsterdam with registration number 40535155 and operates in the UK as a branch of GÉANT Vereniging. Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.
From: Joost van Dijk <joost.vandijk AT surfnet.nl>
Hi Alan,
Some quick notes on the HSM use cases for SURFnet:
- DNSsec: We use Utimaco CryptoServer HSMs for our DNSsec signers (migrated from Safenet Luna HSMs). They manage ECDSA P-256 keys for each zone (about 2k zones).
- SAML metadata signing: We use separate slots on the same Utimaco HSMs to sign SURFconext metadata, currently 24 streams (48MB) updated on an hourly basis.
- eduroam CAT: We use a separate slot on the same Utimaco HSMs for EV Code signing. FIPS is relevant here as Digicert requires the key to be non-exportable.
- PEP: A separate set of Utimaco HSMs are used for implementing the key server component for the PEP project (pep.cs.ru.nl). These run custom firmware implementing polymorphic encryption and pseudonymisation based on Ed25519 (initially unsupported on these HSMs).
Apart from our production experiences with Safenet and Utimaco, we have somewhat tested Yubico HSMs and the Cryptech alpha board from CrowdSupply. Both are interesting because of their lower prices compared to Safenet and Utimaco, but we haven’t evaluated their performance. Note that none of the use cases above have high performance requirements.
For the PEP project performance is more relevant for other components, which currently do not use HSMs because of problematic performance on the Utimaco HSMs. A student from Radboud University worked on an FPGA implementation of Ed25519 on the Cryptech HSM, which I find particularly interesting, but I haven’t heard back about any results yet.
Cheers,
Joost van Dijk
SURFnet