[dns-operations] Summary: Anyone still using a Sun/Oracle SCA6000 with OpenSSL?
Paul Wouters
paul at cypherpunks.ca
Mon Oct 15 15:31:09 UTC 2012
On Mon, 15 Oct 2012, Alexander Gall wrote:
> A hardware HSM allows you to detect when your keys get stolen
> (provided the hardware does not implement extraction of the keys, of
> course).
Provided they are not vulnerable to the recent variations of the
Bierbach attack, like:
http://hal.inria.fr/docs/00/69/19/58/PDF/RR-7944.pdf
I don't know of any HSMs that you can instruct to disable encryption
and only allow signing to protect against this attack, nor have I
personally heard from HSM vendors that they are not vulnerable to this
attack.
The result of this attack is that in fact, you can no longer know if
your private keys were stolen or not after detecting an unauthorized
login to a machine on the same LAN as the HSM.
Paul
More information about the dns-operations
mailing list