[Cryptech Tech] Firewalls

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Jun 4 01:27:10 UTC 2017


Peter Stuge <peter at stuge.se> writes:

>According to the original poster the firewall appliance communicates with
>those HSMs exclusively via network.

Sure, they're networked HSMs since you can't plug them directly into the
firewall.

>The vendor documentation that I linked to seems to support that. In any case,
>there is no mention of PKCS#11 whatsoever on those few documentation pages,
>which seem the most relevant ones to HSM use with that firewall product.

It doesn't matter whether the docs mention it or not, if the native API of the
Luna devices is PKCS #11 then that would indicate that you talk to it via PKCS
#11, whether it's over a network or a local bus (historically it was SCSI and
PCMCIA).  The Luna driver just marshalls the data and sends it to the Luna
device, whether it's over SCSI, PCMCIA, PCI, or TCP/IP.

What you could in theory do is take a standard cryst201.dll and call each
function in it and see what the marshalled form comes out as that's sent to
the Luna token, either via lunacr0 or lunavpn for the networked version.  I
don't think it's worth the effort, but if you were really desperate...

Peter.
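The point above, that the application only ever sees the PKCS #11 function table and the driver decides whether the call goes out over SCSI, PCI or TCP/IP, can be seen from the caller's side with a small probe. The following is an added example, not code from this thread or from any HSM vendor: it loads whatever Cryptoki library you point it at (the Luna client's library, the cryst201.dll mentioned above on Windows, or SoftHSM2's libsofthsm2.so for an offline check), pulls the function table with C_GetFunctionList and lists the library's vendor strings and the slots that currently have a token. The library path is a placeholder, and the struct layouts assume Unix natural alignment (the spec requires 1-byte packing on Windows, which this does not do).

```python
"""Probe a PKCS#11 (Cryptoki) library from Python via ctypes.

Added example, not from the thread. The caller only sees the Cryptoki
function table; whether the library reaches the token over SCSI, PCI or
TCP/IP is the library's own business.
"""
import ctypes
from ctypes import CFUNCTYPE, POINTER, Structure, byref, c_ubyte, c_ulong, c_void_p

# Cryptoki scalar types on Unix (CK_ULONG is "unsigned long"; Windows builds
# additionally require 1-byte struct packing, which is not applied here).
CK_RV = c_ulong
CKR_OK = 0x00
CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191


class CK_VERSION(Structure):
    _fields_ = [("major", c_ubyte), ("minor", c_ubyte)]


class CK_INFO(Structure):
    _fields_ = [
        ("cryptokiVersion", CK_VERSION),
        ("manufacturerID", c_ubyte * 32),      # space padded, not NUL terminated
        ("flags", c_ulong),
        ("libraryDescription", c_ubyte * 32),  # space padded
        ("libraryVersion", CK_VERSION),
    ]


# Function-pointer types for the table entries used below.
C_Initialize_t = CFUNCTYPE(CK_RV, c_void_p)
C_Finalize_t = CFUNCTYPE(CK_RV, c_void_p)
C_GetInfo_t = CFUNCTYPE(CK_RV, POINTER(CK_INFO))
C_GetFunctionList_t = CFUNCTYPE(CK_RV, c_void_p)
C_GetSlotList_t = CFUNCTYPE(CK_RV, c_ubyte, POINTER(c_ulong), POINTER(c_ulong))


class CK_FUNCTION_LIST(Structure):
    # Leading prefix of the real table (which continues with C_GetSlotInfo,
    # C_GetTokenInfo, ...); a prefix is layout compatible with the full struct.
    _fields_ = [
        ("version", CK_VERSION),
        ("C_Initialize", C_Initialize_t),
        ("C_Finalize", C_Finalize_t),
        ("C_GetInfo", C_GetInfo_t),
        ("C_GetFunctionList", C_GetFunctionList_t),
        ("C_GetSlotList", C_GetSlotList_t),
    ]


def ck_string(raw):
    """Decode a fixed-width, space-padded Cryptoki text field."""
    return bytes(raw).decode("ascii", "replace").rstrip()


def probe_pkcs11(lib_path):
    """Load a Cryptoki library and report library info plus present tokens.

    Returns None when the library cannot be loaded or does not export the
    PKCS#11 entry point; otherwise a dict with the vendor strings and the
    ids of slots that currently have a token present.
    """
    try:
        lib = ctypes.CDLL(lib_path)
        get_list = lib.C_GetFunctionList
    except (OSError, AttributeError):
        return None
    get_list.restype = CK_RV
    get_list.argtypes = [POINTER(POINTER(CK_FUNCTION_LIST))]

    table = POINTER(CK_FUNCTION_LIST)()
    if get_list(byref(table)) != CKR_OK:
        return None
    f = table.contents

    rv = f.C_Initialize(None)
    if rv not in (CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED):
        return None
    try:
        info = CK_INFO()
        if f.C_GetInfo(byref(info)) != CKR_OK:
            return None
        # Standard two-call idiom: ask for the count, then for the ids.
        count = c_ulong(0)
        if f.C_GetSlotList(1, None, byref(count)) != CKR_OK:
            return None
        slots = (c_ulong * max(count.value, 1))()
        if count.value and f.C_GetSlotList(1, slots, byref(count)) != CKR_OK:
            return None
        return {
            "cryptoki_version": (info.cryptokiVersion.major, info.cryptokiVersion.minor),
            "manufacturer": ck_string(info.manufacturerID),
            "description": ck_string(info.libraryDescription),
            "library_version": (info.libraryVersion.major, info.libraryVersion.minor),
            "slots_with_token": list(slots)[: count.value],
        }
    finally:
        f.C_Finalize(None)


if __name__ == "__main__":
    import sys
    # Placeholder path: point this at the vendor's Cryptoki library, or at
    # SoftHSM2's libsofthsm2.so for an offline check.
    path = sys.argv[1] if len(sys.argv) > 1 else "/path/to/libCryptoki.so"
    print(probe_pkcs11(path))
```

Run it as `python3 probe.py /path/to/libCryptoki.so`. Nothing in the script changes between a locally attached token and a networked one; the same C_GetInfo and C_GetSlotList calls come back, and only the library underneath knows which transport carried them, which is why the absence of the words "PKCS#11" from an appliance's documentation says little about what its HSM client actually speaks.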
