HSMs are Bullshit.
Simon Vans-Colina

Interesting article from someone who is clearly feeling the pain of having to integrate an HSM as part of cryptographic services. Having had to do similar things in the past, I have mostly been saved by OpenSSL, from the days when RSA wasn't available in the Java JCE to having to write wrappers in C++ for .NET to get crypto services to use an HSM in Windows.

HSMs are a by-product of security having grown out of areas where physical security had a lot more importance. The security of HSMs has been looked at a bit by some of the security researchers from Cambridge, especially Mike Bond. The security of the devices has at least shown that not all the claims that have been made might be true.

The security industry doesn't seem to have seen as much innovation as other areas in technology (the author may be biased here). The driver in this space has been regulation, and the number of choices one has is limited, e.g. nCipher got bought by Thales. This reduces the drive to innovate.

I shall admit to not having looked at the functionality or the security of the YubiKey; I was given some by the CTO of a cryptocurrency company which I advise, which shared investors with Yubikey, a couple of years ago. It looks like it has exposed all the PKCS#11 features which HSMs charge tons of money for. I shall admit to wondering why someone couldn't have such functionality as open source or even a Kickstarter project.

Maybe the future of security is more about understanding risks and not about certifications. The story of OpenSSL would be a good example of why certifications do not give anyone any protection.
