Thank you for your reply Stephen. If that is the case, then how would you explain the following phenomenon-
1. Start an SSL connection using a private key stored on an HSM, protected using a smart card,
2. Let the SSL connection run for a bit,
3. Unplug the smart card from the HSM,
4. SSL connection stops after a couple of minutes.

In my understanding, the pre-master secret is only negotiated at the beginning of the connection, and the private key shouldn't be used for any other operation during the course of the connection. I'm interfacing the HSM to OpenSSL through the CAPI engine. Is that doing some magic under the covers?

Thank you,
Sunjeet

On 2012-04-13, at 6:23 PM, Dr. Stephen Henson wrote:

> On Fri, Apr 13, 2012, Sunjeet Singh wrote:
>
>> Hi,
>>
>> Stupid question-
>>
>> If I use an HSM to store the private key used for SSL connections using the
>> CryptoAPI engine for OpenSSL, is all data to be encrypted/decrypted going
>> through my HSM? I'm-
>>
>> 1. Registering my HSM as a Cryptographic Service Provider, and
>> 2. Setting my application code to initialize structural and functional
>> references to the CAPI engine and bringing up a connection using the private
>> key stored in the HSM.
>>
>> The rest of the code just uses OpenSSL functions like SSL_write() and SSL_read().
>>
>> Since the key resides on the HSM, is data going to my HSM to get
>> encrypted/decrypted, or is there a session key being made on the HSM for
>> each SSL session that is being passed to the OS, and is the OS
>> encrypting/decrypting data in memory?
>>
>
> The CryptoAPI ENGINE only handles private key operations, so your HSM is only
> used to either decrypt the premaster secret (RSA key exchange ciphersuites) or
> to sign a DH or ECDH public key (ephemeral ciphersuites). The rest is
> handled in software using OpenSSL's cryptographic algorithm implementations.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
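The division of labour Steve describes, and that Sunjeet's understanding relies on, can be made concrete with a small model of an RSA key-exchange TLS 1.2 handshake. This is an added example, not code from the thread or from OpenSSL: the "HSM" is a toy class that counts how often the private key is exercised, the RSA key is a constructed textbook key built from two publicly known Mersenne primes (so it is not secret and has no PKCS#1 padding), and the record-layer cipher is a constructed HMAC-based stand-in for the suite's real AES. The PRF, master-secret and key-block derivation follow RFC 5246. Running it shows the private key touched exactly once, at the handshake, while every application record is protected with the derived session keys alone.

```python
"""Toy model of an RSA key-exchange TLS 1.2 session.

Added example (not from the mailing-list thread or OpenSSL). Shows that the
private key, the only thing a CAPI engine / HSM handles, is used once during
the handshake, and that SSL_write()/SSL_read()-style record protection
afterwards needs only the derived session keys.
"""
import hashlib
import hmac
import os

# Constructed toy RSA key: two Mersenne primes (publicly known, so NOT secret).
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q                      # ~648 bits, large enough to hold a 48-byte premaster
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


class ToyHsm:
    """Stand-in for the HSM behind the CAPI engine: holds D and counts uses."""

    def __init__(self, d, n):
        self._d, self._n = d, n
        self.private_key_ops = 0

    def decrypt_premaster(self, ciphertext_int):
        # The one private-key operation of an RSA key-exchange handshake.
        self.private_key_ops += 1
        return pow(ciphertext_int, self._d, self._n)


def new_toy_hsm():
    return ToyHsm(D, N)


def p_sha256(secret, seed, length):
    # RFC 5246 section 5: P_hash with HMAC-SHA256.
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    return p_sha256(secret, label + seed, length)


def derive_keys(pre_master, client_random, server_random):
    # RFC 5246 8.1 (master secret) and 6.3 (key block); note the random order flips.
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    key_block = prf(master, b"key expansion", server_random + client_random, 128)
    return {
        "client_mac": key_block[0:32], "server_mac": key_block[32:64],
        "client_enc": key_block[64:96], "server_enc": key_block[96:128],
    }


def protect_record(enc_key, mac_key, seq, plaintext):
    # Constructed stand-in for the suite's AES+HMAC: HMAC-derived keystream, then a tag.
    stream, block = b"", 0
    while len(stream) < len(plaintext):
        ctr = seq.to_bytes(8, "big") + block.to_bytes(4, "big")
        stream += hmac.new(enc_key, ctr, hashlib.sha256).digest()
        block += 1
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def unprotect_record(enc_key, mac_key, seq, record):
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad record MAC")
    # Same keystream for the same (key, seq); XOR is its own inverse.
    return protect_record(enc_key, mac_key, seq, ct)[:len(ct)]


def run_session(hsm, server_public, app_data):
    """Handshake once, then carry app_data records client -> server."""
    e, n = server_public
    client_random, server_random = os.urandom(32), os.urandom(32)
    # Client: premaster = protocol version + 46 random bytes, RSA-encrypted to the server.
    pre_master = b"\x03\x03" + os.urandom(46)
    encrypted = pow(int.from_bytes(pre_master, "big"), e, n)
    # Server: only this step goes to the HSM.
    recovered = hsm.decrypt_premaster(encrypted).to_bytes(48, "big")
    client_keys = derive_keys(pre_master, client_random, server_random)
    server_keys = derive_keys(recovered, client_random, server_random)
    ops_after_handshake = hsm.private_key_ops
    # Record layer: software only, using the derived session keys on both sides.
    received = []
    for seq, msg in enumerate(app_data):
        rec = protect_record(client_keys["client_enc"], client_keys["client_mac"], seq, msg)
        received.append(unprotect_record(server_keys["client_enc"], server_keys["client_mac"], seq, rec))
    return {
        "keys_match": client_keys == server_keys,
        "received": received,
        "private_key_ops_after_handshake": ops_after_handshake,
        "private_key_ops_after_records": hsm.private_key_ops,
    }


if __name__ == "__main__":
    print(run_session(new_toy_hsm(), (E, N), [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n"]))
```

The counter is the point: a correctly behaving engine is consulted once per handshake (or once more per renegotiation, which would also re-derive the keys), so a session that dies some minutes after the token is removed is not explained by record-layer traffic in this model.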