0

I am exploring HSM devices to check their feasibility with blockchain platforms. I haven't found a good resource which tells how an end user who does not own a HSM but he's keys are stored on it, using a mobile application can authenticate himself to the HSM in order to get a signature from his private key.

Possible solutions could be a PIN/password. But I feel this would still be unsafe. Although an HSM only gives out signatures, anyone gaining access to the users PIN/password will be able to get a signature.

I would like to know what authentication methods are currently being used to access a HSM and what methods could be possible to use in the above scenario.

Another thing I was wondering about was: How can a mobile device communicate with the HSM? Does the HSM support HTTPS for a mobile device to interact with it?

Hypothetical answers are fine as well :)

mrSaraf
  • 123
  • 1
  • 13

1 Answers1

0

HSM vendors provide various tools to login. In case of Gemalto (now thales) HSM, you have a java api : JCProv using which you can login to the hsm. Using such API's you can login to the token (hsm) by creating session and login with the slot number and password.

Amarnath Chigurupati
  • 91
  • 6
  • Ahh, but these login methods you are for the organisation owning the HSM right? I wanted to know how an end user who does not own the HSM, But has his keys stored on the HSM can authenticate himself to get a signature from his private key. (Edited the question for more clarity) – mrSaraf Apr 11 '19 at 05:02
  • yes, those methods are for those own HSM. I believed you own one. In order to understand you better, your keys stored on hsm so how do you access them currently? or how do you know that your keys are store on hsm?. normally, objects are stored on hsm on partitions/slots which are password protected. you can't ask hsm to perform some operation without login via api by specifying the slot number and password. – Amarnath Chigurupati Apr 11 '19 at 19:33
  • I'll explain with a scenario: An organisation provides a certain service to end users which requires the user to have a key pair. The organisation owns an HSM which is used to generate and store the keys of end users. The keys are not stored on the users device but on the HSM of the organisation. Now whenever the user wants to avail the service provided by the organisation, he must provide a signature. He can obtain a signature only from the HSM by authenticating himself. How can this be achieved? – mrSaraf Apr 12 '19 at 04:56
  • I believe key pair is generated for you in the HSM during registration process for the orgs services. If so, you might be returned something at the end of registration process which can be used to authenticate and obtain required info to avail services? – Amarnath Chigurupati Apr 16 '19 at 16:59