[Cryptech Tech] "ksng" branch of Cryptech Alpha firmware now available as a binary package

Peter Stuge peter at stuge.se
Mon Jan 2 21:46:04 UTC 2017


Yuri Schaeffer wrote:
> The enforcer daemon will not start (blocks, presumably on opening the
> HSM) when the signer daemon is running and the other way around.

What are the two daemons doing, respectively?

Or: Why do two applications need (concurrent?) access to the HSM?


Rob Austein wrote:
> We actually wrote the multiplexer daemon for this before the Berlin
> workshop, but ended up disabling it because it doesn't run on OSX (it
> uses PF_UNIX SOCK_SEQPACKET, which OSX doesn't support).  Sounds like
> we ought to dust that off and get it running.

In practice PF_UNIX SOCK_DGRAM works pretty well.

I'd like to completely understand our need for multiplexing to keep
that in mind for anything USB.

Is it simply that different applications can use different slots?


> > And it seems that every interaction OpenDNSSEC has with the HSM is super
> > slow. Logging in to the mgmt console is also slow. Like a 10 second
> > pause after typing in your password. I feel these two are probably related?
> 
> C_Login() (and the underlying hal_rpc_login() which implements it) are
> slow, to make brute force attacks on PINs unproductive.

It only needs to be slow on failure, right? Or is there a strong
argument for artificially slowing down successful logins too?


//Peter


More information about the Tech mailing list