nShield PKCS #11 Library - Entrust nShield Security Manual

7.9.1. Installing the nShield JCA/JCE CSP
Security configuration guidance for using the unlimited strength JCE jurisdiction policy files,
and the correct preference order for nShield in the Java security configuration file, is
provided in situ in the User Guide. See "Installing the nShield JCA/JCE CSP" in the User
Guide for your HSM for details.
7.10. nShield PKCS #11 library
7.10.1. Symmetric encryption
The nShield PKCS #11 library can use the nShield HSM to perform symmetric encryption
with the following algorithms:
• DES
• Triple DES
• AES
Because of throughput limitations, these operations can be slower on the nShield HSM
than on the host computer. However, although the nShield HSM may be slower than the
host under a light load, under a heavy load the advantage gained from off-loading the
symmetric cryptography (which frees the host CPU for other tasks) may give better
overall performance.
Performing symmetric encryption on the host increases the threat of key compromise,
because the security protection provided by the host is less than that of the nShield HSM.
Additionally, application keys held on the host may lack key lifecycle management.
For these reasons we recommend performing symmetric operations on the nShield HSM.
If symmetric encryption is performed on the host, technical and procedural access
controls should be deployed to protect the host, in order to mitigate the higher threat of
key compromise.
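The off-loaded AES path described above, as an added example that is not code from this manual or from Entrust: it drives the nShield PKCS #11 library (libcknfast) through the JDK's SunPKCS11 provider on Java 9 or later, so the AES key is generated and used inside the HSM and the host only holds a handle. The library path, the provider name, the PIN environment variable and the sample plaintext are assumptions; the attributes block is standard SunPKCS11 configuration syntax, not an nShield-specific setting.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class HsmAesExample {
    // Assumed location of the nShield PKCS #11 library; adjust for your installation.
    private static final String LIB = "/opt/nfast/toolkits/pkcs11/libcknfast.so";

    // Inline SunPKCS11 configuration ("--" tells configure() to parse a string, not a file).
    // The attributes() block marks every generated secret key sensitive and non-extractable,
    // so the token will never hand the raw key bytes back to the host.
    private static final String CONFIG =
        "--name = nShield\n" +
        "library = " + LIB + "\n" +
        "attributes(generate, CKO_SECRET_KEY, *) = {\n" +
        "  CKA_SENSITIVE = true\n" +
        "  CKA_EXTRACTABLE = false\n" +
        "}\n";

    public static void main(String[] args) throws Exception {
        Provider hsm = Security.getProvider("SunPKCS11").configure(CONFIG);
        Security.addProvider(hsm);

        // Log in to the token (C_Login) via the PKCS11 KeyStore; PIN comes from an assumed env var.
        char[] pin = System.getenv("NSHIELD_PIN").toCharArray();
        KeyStore.getInstance("PKCS11", hsm).load(null, pin);

        // Key generation runs in the HSM; the SecretKey object is only a handle.
        KeyGenerator kg = KeyGenerator.getInstance("AES", hsm);
        kg.init(256);
        SecretKey key = kg.generateKey();
        // SunPKCS11 reports no encoding format for a sensitive or non-extractable key.
        if (key.getFormat() != null) {
            throw new IllegalStateException("key is exportable to the host; check the attributes block");
        }

        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] plaintext = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // Encrypt and decrypt are both off-loaded to the HSM (CKM_AES_CBC_PAD) through libcknfast.
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding", hsm);
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding", hsm);
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        if (!Arrays.equals(plaintext, dec.doFinal(ciphertext))) {
            throw new IllegalStateException("round trip through the HSM failed");
        }
        System.out.println("AES-256-CBC round trip through the HSM succeeded");
    }
}
```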
7.10.2. PKCS #11 library with Security Assurance Mechanism
It is possible for an application to use the PKCS #11 API in ways that do not necessarily
provide the expected security benefits, or that might introduce additional weaknesses.
The PKCS #11 library with the Security Assurance Mechanism (SAM), libcknfast, can help
users identify potential weaknesses, and help developers create secure PKCS #11
applications more easily.
The SAM in the PKCS #11 library is intended to detect operations that reveal questionable
nShield® Security Manual
54 of 90