Hardware Security module / Crypto Accelerator

I think this is a very interesting topic, I have just started to learn this, But as I am going through this I have found couple of links as well as documents which are really interesting. These articles talk about openssl, Hardware Security module, SSL Accelerator and information about provider companies

  1. Blog post : http://jadickinson.co.uk/2007/11/02/using-hardware-security-modules/
  2. Article on HSM, http://nlnetlabs.nl/downloads/publications/hsm/hsm.pdf
  3. Wiki http://en.wikipedia.org/wiki/SSL_acceleration
  4. Wiki http://en.wikipedia.org/wiki/Hardware_Security_Module
  5. SSL programming tutorial http://h71000.www7.hp.com/doc/83final/BA554_90007/ch04s03.html
  6. VIA PadLock support for Linux http://www.logix.cz/michal/devel/padlock/
  7. Something from safenet http://www.safenet-inc.com/products/pki/psGold_API.asp

I will write about my findings, An how to do , Short cut of course. But let me look in to it more carefully. Thanks to Jad.

HTTP over SSL / TLS or HTTPS

HTTP is an application Layer protocol from TCP/IP protocol layer’s perspective. Http is implemented on top of TCP, which means HTTP usages TCP as transport protocol. TLS/SSL is a security mechanism/protocol to secure the transport layer and basically TCP. The term “to secure” in the previous sentence does not mean that it will change the TCP protocol and make it secure instead it will add an extra layer of protocol on top TCP to provide security. Now the application protocol HTTP who were using TCP directly will use TLS APIs to call TCP API calls and make them secure from communication security perspective. The protocol stack can represented as in the figure below, which shows how the new TLS/SSL stack is introduced horizontally between the HTTP and TCP.

Now as communication security is concerned, how does HTTP achieves them is can be described with respect to the three basic goals of communication security i.e. (1) End point Authentication, (2) Confidentiality and (3) Data Integrity. TLS/SSL defines how these goals can be achieved.

Now most important and probably difficult part is the “End point Authentication”, because it deals with certificates and some very complicated concepts. In this step the client and server authenticated their identity. But most of the case, does not do a client authentication because it is not required from the application logic point of view and also makes the process more difficult.

Some nice readings on TLS/SSL and programming TLS with openSSL

PSK-TLS and TLS comparision : when to use what?

I was going through the RFC of Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) http://tools.ietf.org/html/rfc4279, and was trying to compare them when to use what?
It actually depends on two main aspects to analyse:-

  1. What is the target environment?
  2. Who is going to use your solution?

Following are the properties, we should have a look, before we think about deploying:-

  1. Does that target environment has enough CPU to process initial Public/Private or Asymatric key cryptography operation? If it is a 256Mhz processor and a new session establishment trigered inbetween a critical task execution, you can not imagine that. Because such devices are alawys assigned to do real time activity?
  2. Is it feasible to update or revoke certificate their / on the target environment?
  3. What is more important ? Availabity or Information Security?

Now, when it comes to end user, who is going to use the solution, Is it a web browser like application or a set of API, which you will sell by adding TLS to it, or a stand alone application running on a small box.

For resource constrained, controlled and where certificate revocation is a pain, and using phony certificate is not granted by IT security policy it is alwys better to go with PSK-TLS, just like IPsec-Preshared key (which also proven to be worked out nicely).