HSM2 takes 2.5 seconds to RSA decrypt with 2048 key (w/ pkcs11-tool.exe)

The specs say that the performance without hashing for RSA-2048 should be 250 ms.

Is there a faster way for me to use my HSM2 to decrypt my data?

This is how I use pkcs11-tool.exe:

pkcs11-tool.exe --login --decrypt --input-file temp\ciphertext.dat --output-file temp\plaintext.txt

Sometimes this takes 1.5 seconds, sometimes 2.5 seconds.

Are you encrypting a whole file with RSA? How large is the file?
Normally files are encrypted with a fast symmetric algorithm and then the key is encrypted with RSA only.

If you know how to configure openssl to use PKCS#11 engine you could use openssl cms to encrypt/decrypt. Or GnuPG (gpg).

Thanks for being so quick! It’s a very short message, up to 20 bytes or so. I understand how RSA is used to encrypt a symmetric key - there’s no need for that here but it’s an option I may consider.

Would openssl be faster? If so, why?

My goal is simplicity, with the least moving parts if you will. I have the openssl binary for public key encryption, with only 2 dlls in the same directory. If I want to decrypt with the PKCS11 engine and openssl, don’t I have to point to a PKCS11 driver? Is that something I need to install on the machine or can I just point to a dll? I will have to investigate.

Edit: I tried specifying object ID --id 10 and that does not speed anything up. The delays are still 1.5 and 2.5 seconds.

If it is only 20 bytes, then it should not be a problem, forget what I said. My Nitrokeys are slow when they have more than 2-3 objects on them. It takes a long time for the PKCS#11 engine to read the objects first off the card and only then it comes to work. One could turn on extra logging (my favourite is running the daemon with pcscd -adf on Unix) and see what is going on.

Thank you Saper. I only have the one object, but thanks for the heads up. What you’re saying makes sense - that the engine is slow to work with the card. I think I will try openssl to see if it operates differently but if the issue is with how PKCS11 operates, it may be the same.

I measured how long it takes to create a process in Windows, and openssl RSA encryption takes about 0.025 seconds. So that delay is acceptable. Clearly the issue isn’t with how long it takes to launch a new process but I had to consider that.

I think it will not be faster with OpenSSL. It uses the same PKCS#11 interface you are probably using already. One can try to swap opensc with sc-hsm PKCS#11 engine but I don’t think it matters much. Maybe get some logs out of the system and see the actual operations (APDUs being sent).

I don’t know anything about APDU, what it is or what it means. But it looks like messages between host and smart card. I found this link: Trace APDU on Windows - My Smart Logon

I may give that a try. Thank you for all the information.
