
HSM - cryptoki - Sessions - Timeout

My application accesses the HSM via an ASP.NET web service through PKCS#11. I initialise the cryptoki library and obtain a session handle. The web service holds on to this handle to perform encryption/decryption/signing/verifying in batch mode.

The problem I am facing is that the ASP.NET web service times out after 20 minutes. This, I think, unloads the cryptoki library, and the session handle held by the web service becomes invalid. Yes, I agree that the ASP.NET web service can be reconfigured not to time out, which will keep the cryptoki library always loaded.

My question is: what happens to the session handle which I obtained in the first place from the HSM? Will it be lost, or will it be there unused? I am asking this because I am not closing the opened session properly by calling C_CloseSession.

The web service is implemented via a thread pool.

Thanks


You are supposed to call C_Finalize() when you are done using the cryptoki library. A well-written implementation might be robust against you not doing so, but there are no guarantees. Your open sessions may be kept alive on the HSM and perhaps in the driver.

Strongly consider calling C_Finalize() from your Application_End().


From the theoretical perspective, you should read the PKCS#11 spec; it is all written there, from section 6.6 onwards.

From the practical perspective, an application becomes a cryptoki application after it calls C_Initialize. The concept of a session and its identifier may be relayed by a small wrapper library to a long-running PKCS#11 process that actually talks to the HSM, but may not. If the process that was a cryptoki application dies, so will all the virtual resources (which is what a session is).

Where exactly is the problem? Opening a session could be a pretty cheap operation most of the time. Unless you are sure (have measured) that it is the bottleneck, don't optimize: open and close a session per request if you can't control the lifespan of the cryptoki process.


If I understood that, you need to create a "global" login for that session. Furthermore, you need to open/close a session for each local session.

So:
- Global variable with "Login" (once on startup or whenever you want)
- Check the global login status when you create a new session.
- Create individual sessions for each action (closing the "local" session, not the global login)

With this you obtain a global variable with a logged-in session and individual sessions using that global login.

Good luck


I also have this problem, and the year is 2020 :S. .NET Framework + REST API have this problem this time. I'm using the HSM for a decrypt method. I have a login method over an interactive channel, and we need to make a performance test. The service has an instance of Pkcs11:

// Pkcs11Interop: load the library once (useOsLocking = true), pick a slot,
// open one session, log in and generate the key on that session.
pkcs11 = new Pkcs11(hsmPath, true);
slot = GetUsableSlot(pkcs11);
TokenInfo tokenInfo = slot.GetTokenInfo();
session = slot.OpenSession(true);
session.Login(CKU.CKU_USER, userLoginPin);
secretKey = GenerateKey(session);

And this is the Decrypt method.

public byte[] Decrypt(byte[] encryptedTextByteArray) {

    Mechanism mechanism = new Mechanism(CKM.CKM_AES_ECB);
    byte[] sourceData = encryptedTextByteArray;
    byte[] decryptedData = null;

    using (MemoryStream inputStream = new MemoryStream(sourceData), outputStream = new MemoryStream())
    {
        try
        {
            // Uses the single shared session field and the key generated at startup.
            session.Decrypt(mechanism, secretKey, inputStream, outputStream, 4096);
        }
        catch (Pkcs11Exception ex)
        {
            throw;
        }
        decryptedData = outputStream.ToArray();
    }
    return decryptedData;
}

When I try to make a performance test using the Postman runner, there is no problem for one thread. If I increase the thread count, these errors appear. First error: CKR_OPERATION_ACTIVE. Next error: CKR_DEVICE_MEMORY.

I tried these methods:
- For every request, closed the session and opened a new session for the next request. But it did not succeed; the same errors appeared. (Of course request and response time increased.)
- For every request, closed the connection and opened a new connection for the next request. The same errors appeared. (Of course request and response time increased.)

Can anyone help me? :)

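The pattern the third answer describes (one long-lived login, one short-lived session per request) also addresses the two errors in the post above: a PKCS#11 session can carry only one active cryptographic operation, so sharing one Session object across concurrent requests produces CKR_OPERATION_ACTIVE, and sessions that are never closed accumulate on the token until it reports CKR_DEVICE_MEMORY. The following class is an added example, not code from the thread or from Pkcs11Interop's own samples. It assumes the Pkcs11Interop 3.x high-level API the post uses (Pkcs11, Slot, Session, ObjectHandle, Mechanism, ObjectAttribute), that the key is a token object found by a CKA_LABEL, and that hsmPath, userLoginPin and keyLabel are placeholders supplied by the caller; the first slot with a token present is assumed to be the right one.

```csharp
// Added example (not from the original thread). Assumes Pkcs11Interop 3.x.
// hsmPath, userLoginPin and keyLabel are hypothetical placeholders.
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

public sealed class HsmService : IDisposable
{
    private readonly Pkcs11 _pkcs11;          // one C_Initialize per process
    private readonly Slot _slot;
    private readonly Session _loginSession;   // long-lived "global login" session
    private readonly ObjectHandle _keyHandle; // token key, so it outlives any session

    public HsmService(string hsmPath, string userLoginPin, string keyLabel)
    {
        // useOsLocking = true passes CKF_OS_LOCKING_OK to C_Initialize, which the
        // library needs before several threads may call into it at the same time.
        _pkcs11 = new Pkcs11(hsmPath, true);

        // Assumption: the first slot with a token present is the one to use.
        List<Slot> slots = _pkcs11.GetSlotList(true);
        if (slots.Count == 0)
            throw new InvalidOperationException("No token present");
        _slot = slots[0];

        // PKCS#11 login state is per token and per application: logging in on this
        // session logs in every other session this application opens on the token,
        // so per-request sessions below never need their own Login() call.
        _loginSession = _slot.OpenSession(true);
        _loginSession.Login(CKU.CKU_USER, userLoginPin);

        _keyHandle = FindKey(_loginSession, keyLabel);
    }

    // Each request gets its own session, because a session can only carry one
    // active cryptographic operation; sharing one across threads yields
    // CKR_OPERATION_ACTIVE. Disposing the session calls C_CloseSession, so
    // sessions do not pile up on the token until it reports CKR_DEVICE_MEMORY.
    public byte[] Decrypt(byte[] ciphertext)
    {
        using (Session session = _slot.OpenSession(true))
        using (Mechanism mechanism = new Mechanism(CKM.CKM_AES_ECB))
        {
            return session.Decrypt(mechanism, _keyHandle, ciphertext);
        }
    }

    // Looks the key up by label instead of generating it per startup; a key
    // generated as a session object would vanish when its creating session closes.
    private static ObjectHandle FindKey(Session session, string keyLabel)
    {
        var template = new List<ObjectAttribute>
        {
            new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY),
            new ObjectAttribute(CKA.CKA_LABEL, keyLabel)
        };
        List<ObjectHandle> found = session.FindAllObjects(template);
        if (found.Count != 1)
            throw new InvalidOperationException("Expected exactly one key labelled " + keyLabel);
        return found[0];
    }

    // Call from Application_End so that C_Finalize runs on an orderly shutdown,
    // as the first answer recommends.
    public void Dispose()
    {
        _loginSession.Logout();
        _loginSession.Dispose();   // C_CloseSession
        _pkcs11.Dispose();         // C_Finalize
    }
}
```

Create a single HsmService in Application_Start, keep it in a static field, and dispose it in Application_End; request handlers then call Decrypt concurrently without sharing a Session. If an HSM round-trip per C_OpenSession turns out to be the measured bottleneck, the same structure can be extended with a pool of sessions checked out one per request, which keeps the one-operation-per-session rule intact.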
