
Security Forums


Hsm

technical specialist
Just Arrived
Joined: 01 Feb 2009
Posts: 0

Posted: Sun Feb 01, 2009 6:28 pm    Post subject: Hsm

I need to install HSM on a currently built CA. The CA was built by a third party. Is there any way I can export the keys to HSM, or should I go back to the third party to build it up for me?
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Sun Feb 01, 2009 7:17 pm

I worked with nCipher and you can import a p12 into the security world. What CA software and what HSM are you using? What is the CA used for? I wouldn't normally move the key, I would start from scratch with a key generated and protected by the HSM. This way you can guarantee security.

Matt_s
technical specialist
Just Arrived
Joined: 01 Feb 2009
Posts: 0

Posted: Sun Feb 01, 2009 8:55 pm

I am using Windows Server 2003 for the CA. Do you think I should carry the whole CA to the third party company and let them deal with it, or just provide them with the HSM? When I receive the HSM, should I continue with the process, or let the third party company deal with the whole thing?
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Mon Feb 02, 2009 2:48 pm

Well, setting up an HSM is no small task. They will provide documentation which you could follow but there should be a number of processes/procedures in place to build and initialise the HSM and ensure that security is kept throughout the build. Is the 3rd party qualified to set up the HSM? I don't want to overcomplicate things. How important is the root certificate private key? What is the cost, financial and otherwise, of a compromise?
technical specialist
Just Arrived
Joined: 01 Feb 2009
Posts: 0

Posted: Mon Feb 02, 2009 5:25 pm

Well, the third party is qualified to set up the HSM; being able to build the Root CA, they should be able to do the same with the HSM. The thing is I am trying to save money here, by implementing a solution by our people with the least risk. The root CA is very important, and losing the keys would have a great impact, we can't live with the root certificates for one second. I am looking for a safe solution with less expenses and guaranteed results.

The other thing is I know that a CA built by a third party is very much similar to a black box. If there is a process to build the HSM from our side, would it be possible in this case, where the third party has started the process in the first place?
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Tue Feb 03, 2009 11:13 am

I can appreciate that everyone wants to save money, especially in these times, but you have a trade-off to make.

Price vs Guaranteed Results

You mentioned that the keys have a major importance to your organisation, this suggests to me that you should let a professional do this. I would be wary of any 'black box' if you have to support it in the future. Maybe you could work with the 3rd party at building the HSM and CA, this way you get some training for free and should allay some of your fears. Building a CA with HSM is no mean feat, if you get it wrong you could compromise your company to all sorts of problems. Saying that, if you do not have good controls around your use of the CA then any build exposure is a moot point.

You haven't mentioned the name of the CA software or the HSM.

Matt_s
technical specialist
Just Arrived
Joined: 01 Feb 2009
Posts: 0

Posted: Tue Feb 03, 2009 2:52 pm

CA software is Server 2003
HSM is Aladdin e-token
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Tue Feb 03, 2009 3:17 pm

I have to say that I am not familiar with the Aladdin or its products other than the 2-factor USB keys. If it is as easy to implement then I would say spend some time playing with the hardware and software and see what you can come up with.

Matt_s
technical specialist
Just Arrived
Joined: 01 Feb 2009
Posts: 0

Posted: Tue Feb 03, 2009 5:27 pm

Thank you for your feedback and suggestions, it's helpful. I'll see what I can do.
All times are GMT + 2 Hours