[dns-operations] OpenHardware FPGA-based HSM SCA6000 with OpenSSL?
regnauld at nsrc.org
Mon Oct 15 14:55:18 UTC 2012
Alexander Gall (gall) writes:
> > But why would a hardware implementation be better than, for instance, SoftHSM?
> A hardware HSM allows you to detect when your keys get stolen
> (provided the hardware does not implement extraction of the keys, of
> course). In our case, this is the *only* reason we use a HSM at all.
Does HSM imply tamper-proof ? If so, then yes, otherwise, you could very
well embed a small Atom device running SoftHSM with a smart card reader
for key import/export, drown the entire thing in epoxy, package the thing
in a tamper proof cabinet, and you've got an HSM.
I think the main idea with doing it with an FPGA is: speed, power
consumption, reduced size. That makes it easier to audit, easier to
protect. But arguably this could all be done with a Raspberry Pi as
well, if you're not in a hurry.
More information about the dns-operations