[Nitrokey HSM] First access to HSM slow with many stored objects

Hello,

we use Nitrokey HSMs to generate and store multiple key pairs (EC, 30+ objects per HSM) for message signing/encryption and noticed that the first time a HSM is accessed by any application, e.g. OpenSC’s pkcs11-tool or by our application using OpenSC’s pkcs11 engine implemention in OpenSSL it takes a long time (almost 3 minutes with two HSM connected) until that request is answered. After that, all further requests only take a fraction of a second.

I did some debugging and it looks like every object is read once during the first access and the APDU requests to read a key’s information takes around 2 seconds each to read ~500 bytes of data.

I am aware, this might be more of a OpenSC related issue, but I wanted to at least know first, if these access times are indeed unusual.

Also, any hints on how to speed up access would be appreciated. I already tried to enable file caching in opensc.conf as a workaround, but it looks like it isn’t even used in this case.

Kind regards,
Marc

Additional info:
Nitrokey HSM hardware version 24.13, firmware version 4.0
OpenSC 0.25.0, OpenSSL 1.1.1,
Can be reproduced on both Linux (Ubuntu 20.04) + Windows 11

Yes, this is a slow device - you can try using sc-hsm-embedded PKCS#11 driver Performance of Nitrokey HSM2 - can it be improved? What am I doing wrong? - #2 by jan but that is only a bit faster.

PKCS#11 drivers read a whole device at once and this seem to be slow.

Newer Nitrokey HSM with Smart-Card HSM 4.0 on board Cannot Initialize new Nitrokey HSM - #11 by daringer should be faster.

Thanks for the clarification and hints.

I tested with sc-hsm-embedded and it reduced initialization time by around 30% in my test environment. As you suspected, this mitgates the issue, but I’m not sure it really makes a difference in our case. It’s also not quite a drop-in replacement for OpenSC, since it’s a bit picky about how to address objects on the HSM and it would require a least some workarounds in our application.

I had somehow assumed we already got the newer HSM revision, since they were purchased very recently. I will see if I can get one for further testing.

I conducted some speed test with the latest firmware 4.1 and OpenSC-0.25.0 on the same PC using dual boot Windows 10 Home / Ubuntu 20.04.6 LTS. Speed is x5 faster with Windows compare to Linux!

Windows:

PS > Measure-Command { & 'C:\Program Files\OpenSC Project\OpenSC\tools\pkcs15-tool.exe' -D -s }
Using reader with a card: Nitrokey Nitrokey HSM 0

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 6
Milliseconds      : 508
Ticks             : 65082097
TotalDays         : 7,53265011574074E-05
TotalHours        : 0,00180783602777778
TotalMinutes      : 0,108470161666667
TotalSeconds      : 6,5082097
TotalMilliseconds : 6508,2097

PS > Measure-Command { & 'C:\Program Files\OpenSC Project\OpenSC\tools\pkcs11-tool.exe' -O }
Using slot 0 with a present token (0x0)

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 11
Milliseconds      : 558
Ticks             : 115581254
TotalDays         : 0,000133774599537037
TotalHours        : 0,00321059038888889
TotalMinutes      : 0,192635423333333
TotalSeconds      : 11,5581254
TotalMilliseconds : 11558,1254

Linux:

~$ time /opt/opensc-25/bin/pkcs15-tool -D -s >/dev/null
Using reader with a card: Nitrokey Nitrokey HSM (DENK02008890000         ) 00 00

real	0m30,356s
user	0m0,025s
sys	0m0,007s

$ time /opt/opensc-25/bin/pkcs11-tool -O >/dev/null
Using slot 0 with a present token (0x0)

real	0m57,055s
user	0m0,024s
sys	0m0,023s