HSM devices and FreeBSD
Eirik Øverby
ltning at anduin.net
Tue May 23 14:04:40 PDT 2006

Hello all,

first, if this is disallowed by the rules for this list (I'm a bit
uncertain..), then please forgive me.

I am working for a company doing services for the credit card
industry. Among other things, we specialize in authentication systems
(3-D Secure) for internet-based trade, and are subject to very strict
security requirements (obviously).

The relevant systems are all running on FreeBSD, and so far we have
had little or no problems passing all the requirements, save for one
thing: HSM devices.

When the system was originally set up about 4 years ago, an agreement
was made with Thales e-Security, Inc. that they should deliver a
FreeBSD version of their pkcs#11 libraries and OpenSSL engine
implementation for their WebSentry devices. This was indeed done, but
there has been no support or updates since, and the software vendor
we are using have since started moving to other ways of interacting
with their supported HSMs - meaning that we are slowly being left in
the dust.

I am therefore researching other possible vendors of HSM devices.
They need to be external and network-attached (i.e. no kernel mode
drivers necessary), and they need to fulfill certain requirements,
first and foremost the FIPS 140-1 levels 2 and (for some
applications) 3. In addition, the software APIs supplied should
include a pkcs#11 library, an openssl engine implementation, and a
Java implementation (possibly using JNI for the communications, ref.
the pkcs#11 library).

Does anyone know of any such products that have any sort of FreeBSD
support at all? Please note that these are not simply crypto
accelerators; they also store keys etc. securely.

With best regards,
Eirik Øverby
Unicore AS
Oslo, Norway