[Cryptech Tech] goals / use cases

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Jan 25 04:54:24 UTC 2015


Leif Johansson <leifj at sunet.se> writes:

>Me neither. Even if this was a price issue at this point (which it is not
>really) paying on the order of 1-2k for an HSM is still almost 2 orders of
>magnitude cheaper than what I pay now for commercial HSMs

Uhh, you're paying $100K for an HSM?  I didn't know Faberge made HSMs :-).

Most of the cost of an HSM is the certification and fancy paperwork, not the
hardware.  The certification is often pretty worthless (coughFIPS 140cough),
but for compliance reasons you need to get something with the appropriate
paperwork.  So you can buy $10K HSMs, but you can also buy sub-$1K ones that
offer the same security and possibly better performance.

This leads to another question about requirements (alongside my earlier ones),
who's the target audience for this?  If you're going for commercial users then
they're going to be paying for the certification paperwork and not the
hardware, so you can't really compete in that market.  OTOH if you're aiming
for people who just want to have their own HSM regardless of whether it's
FIPS/CC/EMV accredited then you'll probably need to aim for the < $100-200
segment that you'd find on Tindie and the like.  Anyone with $1-2K to spend on
an HSM will presumably be spending their employer's money rather than their
own, which means they'd be buying the product with the extensive paperwork.

Peter.


