[Dnssec-deployment] More than 90k DNSSEC domains in .CZ
Paul Wouters
paul at xelerance.com
Thu Mar 11 16:40:29 EST 2010
On Fri, 12 Mar 2010, Sebastian Castro wrote:
> Does anyone know how many keys a typical HSM can handle? Is it in the order
> of hundreds? Thousands? How do current key management software/products
> behave with lots (order of hundreds) of keys?
For example, the SCA-6000 stores all keys within the OS, encrypted to
an HSM key. This gives you support for basically unlimited keys while
still being guaranteed no private key material is ever stored within
the OS or RAM unencrypted.
Be aware that some vendors take the term HSM very loosely and still
end up with private key material in RAM to be accessed by the main CPU.
Those "HSMs" are vulnerable to very simple cold boot attacks, as
demonstrated by various people, e.g.: http://citp.princeton.edu/memory/
Amusingly it took only 6 months for this attack to be used in a
television series ("numb3rs"), makes you wonder what lead time real
criminals have these days.
Paul