[dns-operations] Summary: Anyone still using a Sun/Oracle SCA6000 with OpenSSL?

Paul Wouters paul at cypherpunks.ca
Mon Oct 15 15:31:09 UTC 2012

On Mon, 15 Oct 2012, Alexander Gall wrote:

> A hardware HSM allows you to detect when your keys get stolen
> (provided the hardware does not implement extraction of the keys, of
> course).

Provided they are not vulnerable to the recent variations of the 
Bierbach attack, like:


I don't know of any HSMs that you can instruct to disable encryption
and only allow signing to protect against this attack, nor have I
personally heard from HSM vendors that they are not vulnerable to this

The result of this attack is that in fact, you can no longer know if
your private keys were stolen or not after detecting an unauthorized
login to a machine on the same LAN as the HSM.


More information about the dns-operations mailing list