HSM2: AES Feature Request

Are there any plans for a firmware update (or possibly an HSM 3) that supports a richer subset of AES functionality?

For the price, I have no complaints about what the HSM 2 can do, because AES key generation and CBC encryption do just fine encrypting/decrypting simple single-part data.

Multi-part data can be a bit tricky since the token doesn’t support it, but you can get around this by breaking up your data and sending it in chunks to the PKCS#11 C_Encrypt function. Unfortunately, the memory on the token seems a bit limited and it will reject blocks a little larger than 1,024 bytes. Nonetheless, if you’re only dealing with small amounts of data (a few MB or so), this isn’t a terrible issue.

For future enhancements, I think it would be nice to see:

  • CBC with padding offloaded to the token instead of the user.
  • Stream ciphers such as CTR.
  • Authenticated ciphers such as GCM.
  • Multi-part support.

These might be features better suited to the NetHSM, but I figured I’d ask anyways.

Thanks!

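The chunking workaround described in the post, as an added example that is not part of the original post and not the vendor's code: padding is applied on the host, the data is sent in pieces, and the last ciphertext block of each piece becomes the IV of the next, so the result equals one long CBC encryption. Assumptions: a 1,024-byte chunk size is accepted, `cbc_encrypt(iv, data)` / `cbc_decrypt(iv, data)` are hypothetical wrappers around the token's single-part unpadded CBC call, and `standin_cbc` is a constructed toy (not AES) so the chaining logic runs without a token.

```python
BLOCK = 16
MAX_CHUNK = 1024  # assumed safe size, a multiple of BLOCK (the post: slightly more is rejected)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK          # always 1..16 bytes of padding
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or len(data) % BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def encrypt_chunked(cbc_encrypt, iv, plaintext):
    """cbc_encrypt(iv, data): one unpadded single-part CBC call on the token."""
    padded, out = pkcs7_pad(plaintext), bytearray()
    for off in range(0, len(padded), MAX_CHUNK):
        ct = cbc_encrypt(iv, padded[off:off + MAX_CHUNK])
        out += ct
        iv = ct[-BLOCK:]                   # CBC chaining: last ciphertext block is the next IV
    return bytes(out)

def decrypt_chunked(cbc_decrypt, iv, ciphertext):
    out = bytearray()
    for off in range(0, len(ciphertext), MAX_CHUNK):
        chunk = ciphertext[off:off + MAX_CHUNK]
        out += cbc_decrypt(iv, chunk)
        iv = chunk[-BLOCK:]                # next IV comes from the ciphertext, not the plaintext
    return pkcs7_unpad(bytes(out))

def standin_cbc(key, iv, data, decrypt=False, limit=MAX_CHUNK):
    """Constructed stand-in for the token call. NOT AES: toy invertible block function."""
    if len(data) % BLOCK or len(data) > limit:
        raise ValueError("token rejects this length")
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        b = data[i:i + BLOCK]
        if decrypt:
            out += xor(xor(b[-1:] + b[:-1], key), iv)
            iv = b
        else:
            x = xor(xor(b, iv), key)
            iv = x[1:] + x[:1]             # toy "encryption": XOR with key, rotate by one byte
            out += iv
    return bytes(out)
```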