Are there any plans for a firmware update (or possibly an HSM 3) that supports a richer subset of AES functionality?
For the price, I have no complaints about what the HSM 2 can do because AES key generation and CBC encryption do just fine encrypting/decrypting simple single-part data.
Multi-part data can be a bit tricky since the token doesn’t support it, but you can get around this by breaking up your data and sending it in chunks to the PKCS#11 C_Encrypt function. Unfortunately, the memory on the token seems a bit limited and it will reject blocks a little larger than 1,024 bytes. Nonetheless, if you’re only dealing with small amounts of data (a few MB or so), this isn’t a terrible issue.
For future enhancements, I think it would be nice to see:
- CBC with padding offloaded to the token instead of the user.
- Stream ciphers such as CTR.
- Authenticated ciphers such as GCM.
- Multi-part support.
These might be features better suited to the NetHSM, but I figured I’d ask anyways.
Thanks!
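
The chunking workaround described in the post, as an added example (not code from the post or from the vendor): the message is padded once on the host, split into pieces under the token's size limit, and each single-part CBC call uses the last ciphertext block of the previous piece as its IV, so the result equals one continuous CBC encryption. `single_part_encrypt`, `fake_token_cbc` and the 1,024-byte `MAX_CHUNK` are assumptions; the stand-in token uses a keyed hash instead of AES so the block runs without hardware.

```python
import hashlib
import hmac

BLOCK = 16        # AES block size in bytes
MAX_CHUNK = 1024  # assumed safe per-call size (a multiple of BLOCK)

def pkcs7_pad(data: bytes) -> bytes:
    """Host-side PKCS#7 padding; always adds 1..16 bytes."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def chunked_cbc_encrypt(single_part_encrypt, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt with repeated single-part CBC calls.

    single_part_encrypt(iv, data) is a hypothetical wrapper around
    C_EncryptInit (CKM_AES_CBC with that IV) followed by C_Encrypt.
    """
    padded = pkcs7_pad(plaintext)  # pad once, over the whole message
    out = bytearray()
    for off in range(0, len(padded), MAX_CHUNK):
        ct = single_part_encrypt(iv, padded[off:off + MAX_CHUNK])
        out += ct
        iv = ct[-BLOCK:]  # next chunk's IV = last ciphertext block
    return bytes(out)

def fake_token_cbc(key: bytes, limit=MAX_CHUNK):
    """Constructed stand-in for the token so the example runs offline.

    Uses truncated HMAC-SHA256 as the block function: NOT AES and not
    decryptable, but it chains blocks exactly as CBC encryption does.
    """
    def encrypt(iv: bytes, data: bytes) -> bytes:
        if len(data) % BLOCK or (limit and len(data) > limit):
            raise ValueError("token rejects this input size")
        out, prev = bytearray(), iv
        for i in range(0, len(data), BLOCK):
            x = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
            prev = hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]
            out += prev
        return bytes(out)
    return encrypt
```

Padding each chunk separately or reusing the original IV for every chunk would produce output that a normal CBC decryptor cannot read as one message, and IV reuse also leaks which chunks begin with identical plaintext.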