performance

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

performance

J.Witvliet

Hi all,

 

There is a fair chance that my Q is slightly off-topic; if so apologies in advance…

 

Some time ago there was much todo about the heartbleed issue in the openssl area.

In general, it was said that if you kept your private-key on a security device, like token, smartcard, hsm they key never enters the mem of the node under attack.

This is very when for end-users (browsers, ipsec/strongswan, openvpn, and others) but I was wondering about the server-side.

A question on the openvpn-ML learned that if you were expecting even modest traffic, it will have drastic performance impact.

 

So, has anybody ever looked at performance?

I know that with certain cards with Infineon chips internally, any transaction (like showing a stored certificate), takes several seconds.

Having said that, it might be cause by  sub-optimal applet/middleware…

 

My initial idea was when using 8 processes, each requiring their own keys, attach 8 cards or tokes to that server.

Thus avoiding simulataneous requests from several processes at a single device and sprheading the load.

Other idea was about HSM’s. But I got the impression that these were more for storing large numbers of keys, but less about using those keys. And their price-tag is such that it is impossible to get one to experiment with them J

 

If anybody has ever looked at/measured performance I would be grateful if you would share this info.

 

Kind regards, Hans

 


Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het electronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: performance

Andreas Schwier (ML)
Hi Hans,

we've done this kind of setup with 8 SmartCard-HSMs using our own
lightweight PKCS#11 implementation [1]. Crypto performance scales well
if you are using a good USB-hub. I don't have the figures at hand
(somewhere around 10 RSA 2048 ops per second), but you can try yourself
with the sc-hsm-pkcs11-test program which contains the multithreading /
multi-device setup.

In Germany all trustcenter for QES use a rack of Smartcards to implement
OCSP response signing, so it's quite common to use Smartcards as secure
key store on a server under load.

Distributing keys between SmartCard-HSM can be done using DKEK
export/import between devices initialized with the same DKEK.

One issue to solve is how to connect to devices from virtual machines.
We've used USBIP to solve that issue.

Andreas

[1] https://github.com/CardContact/sc-hsm-embedded

Btw. OpenSC uses a global lock and does not support multithreading
access to cards.


On 05/20/2014 10:34 AM, [hidden email] wrote:

> Hi all,
>
> There is a fair chance that my Q is slightly off-topic; if so apologies in advance...
>
> Some time ago there was much todo about the heartbleed issue in the openssl area.
> In general, it was said that if you kept your private-key on a security device, like token, smartcard, hsm they key never enters the mem of the node under attack.
> This is very when for end-users (browsers, ipsec/strongswan, openvpn, and others) but I was wondering about the server-side.
> A question on the openvpn-ML learned that if you were expecting even modest traffic, it will have drastic performance impact.
>
> So, has anybody ever looked at performance?
> I know that with certain cards with Infineon chips internally, any transaction (like showing a stored certificate), takes several seconds.
> Having said that, it might be cause by  sub-optimal applet/middleware...
>
> My initial idea was when using 8 processes, each requiring their own keys, attach 8 cards or tokes to that server.
> Thus avoiding simulataneous requests from several processes at a single device and sprheading the load.
> Other idea was about HSM's. But I got the impression that these were more for storing large numbers of keys, but less about using those keys. And their price-tag is such that it is impossible to get one to experiment with them :)
>
> If anybody has ever looked at/measured performance I would be grateful if you would share this info.
>
> Kind regards, Hans
>
> ______________________________________________________________________
> Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het electronisch verzenden van berichten.
>
> This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
>
>
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>


------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: performance

Nikos Mavrogiannopoulos-2
In reply to this post by J.Witvliet
On Tue, May 20, 2014 at 10:34 AM,  <[hidden email]> wrote:

> Hi all,
> There is a fair chance that my Q is slightly off-topic; if so apologies in
> advance...
> Some time ago there was much todo about the heartbleed issue in the openssl
> area.
> In general, it was said that if you kept your private-key on a security
> device, like token, smartcard, hsm they key never enters the mem of the node
> under attack.
> This is very when for end-users (browsers, ipsec/strongswan, openvpn, and
> others) but I was wondering about the server-side.

Hello,
 Note, that while a hardware security module or smart card is an ideal
solution, it is not required to avoid the impact of the heartbleed
attack. The openssh design for example is not vulnerable to this type
of attack, and we have followed that design in the openconnect vpn
server and I see no significant performance hit.

> A question on the openvpn-ML learned that if you were expecting even modest
> traffic, it will have drastic performance impact.

It depends how you define modest traffic. You don't need the isolated
component/HSM for the traffic, you only need it during the connection
establishment and not on the resumed sessions (on an SSL vpn). You'll
see a performance hit if you have more than 100 new connections per
second, and that would come as a lag during authentication, not as an
overall performance hit.

regards,
Nikos

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel