From owner-freebsd-security@FreeBSD.ORG Tue May 23 21:04:36 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0460A16ABF5 for ; Tue, 23 May 2006 21:04:36 +0000 (UTC) (envelope-from ltning@anduin.net) Received: from anduin.net (anduin.net [213.225.74.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id D9E6E43D7C for ; Tue, 23 May 2006 21:04:23 +0000 (GMT) (envelope-from ltning@anduin.net) Received: from box248146.sdsl.no ([212.62.248.146] helo=[192.168.1.107]) by anduin.net with esmtpa (Exim 4.54 (FreeBSD)) id 1Fie34-000C46-G2 for freebsd-security@freebsd.org; Tue, 23 May 2006 23:04:22 +0200 Mime-Version: 1.0 (Apple Message framework v750) Content-Transfer-Encoding: quoted-printable Message-Id: <626F25E3-D4B6-4EEB-9361-DC70D49CFAA4@anduin.net> Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed To: freebsd-security@freebsd.org From: =?ISO-8859-1?Q?Eirik_=D8verby?= Date: Tue, 23 May 2006 23:03:59 +0200 X-Mailer: Apple Mail (2.750) X-Spam-Score: -4.0 X-Spam-Level: ---- Subject: HSM devices and FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 May 2006 21:04:40 -0000 Hello all, first, if this is disallowed by the rules for this list (I'm a bit =20 uncertain..), then please forgive me. I am working for a company doing services for the credit card =20 industry. Among other things, we specialize in authentication systems =20= (3-D Secure) for internet-based trade, and are subject to very strict =20= security requirements (obviously). The relevant systems are all running on FreeBSD, and so far we have =20 had little or no problems passing all the requirements, save for one =20 thing: HSM devices. When the system was originally set up about 4 years ago, an agreement =20= was made with Thales e-Security, Inc. that they should deliver a =20 FreeBSD version of their pkcs#11 libraries and OpenSSL engine =20 implementation for their WebSentry devices. This was indeed done, but =20= there has been no support or updates since, and the software vendor =20 we are using have since started moving to other ways of interacting =20 with their supported HSMs - meaning that we are slowly being left in =20 the dust. I am therefore researching other possible vendors of HSM devices. =20 They need to be external and network-attached (i.e. no kernel mode =20 drivers necessary), and they need to fulfill certain requirements, =20 first and foremost the FIPS 140-1 levels 2 and (for some =20 applications) 3. In addition, the software APIs supplied should =20 include a pkcs#11 library, an openssl engine implementation, and a =20 Java implementation (possibly using JNI for the communications, ref. =20 the pkcs#11 library). Does anyone know of any such products that have any sort of FreeBSD =20 support at all? Please note that these are not simply crypto =20 accelerators; they also store keys etc. securely. With best regards, Eirik =D8verby Unicore AS Oslo, Norway=