hsms | JavaScript driver for HSMS protocol | Networking library

by megahoneybadger | JavaScript | Version: Current | License: Apache-2.0

kandi X-RAY | hsms Summary

hsms is a JavaScript library typically used in Networking applications. hsms has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can install using 'npm i hsms-driver' or download it from GitHub, npm.

SEMI E37 High-Speed SECS Message Services (HSMS) is the primary SEMI SECS/GEM transport protocol standard in use. HSMS defines a TCP/IP-based Ethernet connection used by GEM for host/equipment communication. It is intended as an alternative to SEMI E4 (SECS-I) for applications where higher-speed communication is needed and the facilitated hardware setup is convenient. The driver does everything the standard requires: it defines message exchange procedures for using the TCP/IP network protocol. In addition, the SEMI E37 standard describes special considerations, such as network timeouts and handling multiple connections, which should be taken into account in a TCP/IP implementation.

Assuming you’ve already installed Node.js, create a directory to hold your application, and make that your working directory. Use the npm init command to create a package.json file for your application. For more information on how package.json works, see Specifics of npm’s package.json handling. This command prompts you for a number of things, such as the name and version of your application. For now, you can simply hit RETURN to accept all of them.

            kandi-support Support

              hsms has a low active ecosystem.
              It has 48 star(s) with 8 fork(s). There are 2 watchers for this library.
              It had no major release in the last 6 months.
              hsms has no issues reported. There are 11 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of hsms is current.

            kandi-Quality Quality

              hsms has 0 bugs and 0 code smells.

            kandi-Security Security

              hsms has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              hsms code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              hsms is licensed under the Apache-2.0 License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              hsms releases are not available. You will need to build from source code and install.
              Deployable package is available in npm.
              Installation instructions are not available. Examples and code snippets are available.

            hsms Key Features

            No Key Features are available at this moment for hsms.

            hsms Examples and Code Snippets

            No Code Snippets are available at this moment for hsms.

            Community Discussions

            QUESTION

            Obtaining an AATL certificate to use in my cloud-based service
            Asked 2020-Nov-18 at 13:24

            I'm looking to obtain a certificate from an AATL authority to use in iText to perform tamper-proofing signatures to PDF documents as part of a cloud application that I'm working on.

            As best as I'm able to determine, AATL certificates can be delivered as USB HSMs to customers after a standard Adobe AATL verification process. Unfortunately, this restricts the usage to devices I have physical access to, which obviously isn't feasible for a cloud application.

            I've been trying to research what my best options are on this front, but haven't been able to find any clear guidance on best practices or impartial sources for knowledge. I've come up with two possible ideas to illustrate in slightly more concrete terms what I am looking for.

            Obviously any answer that results in the same outcome of either of these ideas is more than welcome as well!

            1st Idea

            Is there any way for me to obtain an AATL certificate by generating a CSR from Azure Key Vault, or Azure HSM (Gemalto) and having an AATL provider issue their response such that the certificate is loaded into the Azure's standards compliant store?

            By doing this, my hope would be that I could then code my Application using the Azure Key Vault APIs or the Gemalto HSM to perform signatures.

            2nd Idea

            If a USB HSM is my best option, is it possible to derive another certificate from my USB HSM and then load that into Azure Key vault? Will a key derived from one issued to my company by an AATL authority still pass Acrobat (and any other) authenticity checks? Or will any certificate with intermediaries between it and the AATL authority fail?

            ...

            ANSWER

            Answered 2020-Nov-18 at 13:24

            I've been digging into this since I have a very similar requirement at the moment. YES it is possible to store an AATL Document Signing certificate in Azure KeyVault because it is a FIPS 140-2 level 2 compliant HSM. You do not need the dedicated HSM although it is also supported (Azure dedicated HSM is FIPS 140-2 level 3 compliant).

            As for the process, you are correct that you would need to issue a CSR from KeyVault directly. If your certificate is delivered on a USB HSM, you will not be able to transfer it to Azure KeyVault since it will be locked to the HSM.

            I do not want to list any certificate providers in this answer but I was easily able to find at least 4 that supported my use-case with a quick Google search. I'm currently in the process of getting quotes from each of these vendors.

            Source https://stackoverflow.com/questions/63607228

            QUESTION

            What are the best security practices of yugabyte-db?
            Asked 2019-Dec-07 at 20:53

            It is understood that yugabyte-db secures both data on transit and data at rest from https://docs.yugabyte.com/v1.1/secure/tls-encryption/ and https://docs.yugabyte.com/latest/secure/encryption-at-rest/.

            It is observed that:

            a) shown max key length option is 48bits. Whether it can be configured to use 128bits key or 256 bits key or higher bits? How to minimize its effect on performance?

            b) Whether all tablets are decrypted with old key and encrypted with new key whenever key is rotated or how it is done? How performance is affected while rotating the key? How to minimize its effect on performance?

            c) How to configure yugabyte-db to use keys from HSMs against using keys from disks for both data on wire and data at rest?

            ...

            ANSWER

            Answered 2019-Dec-07 at 20:53

            a) This is incorrect, it can be configured to use 128/256 bit keys. Docs should be updated soon to reflect this.

            b) In general when the rotate_universe_key_in_memory yb-admin command is run, only newly-written data files utilize the universe key that was rotated to (whether on enabling encryption at rest for the first time, or any subsequent key rotations). All previously existing data files still have a reference to the universe key that had been the current key when the files had been written, and the files continue to use their respective universe keys until they are flushed or compacted at which point the newly-written files will use the current universe key. So no, there is no tablet-wide decryption happening every time a key rotation occurs, and the time it takes for all data files to be using the current universe key is dependent on the write workload on the given universe.

            c) Right now the Yugabyte yb-admin commands only support reading in a universe key from the contents of a file on disk for encryption at rest. Important to note that the key only needs to be persisted on disk up to the point of it being loaded into memory with add_universe_key_to_all_masters. After this, the key file can be moved from the master node and stored remotely elsewhere. Only other time this key file will be required to re-upload the key into memory is if all masters simultaneously go down. The Yugabyte Platform (https://www.yugabyte.com/platform/) offers integration support for AWS KMS that uses a CMK to generate universe keys (and you can use an AWS CloudHSM as a HSM custom key store for your AWS KMS CMK) as well as integration support for Equinix SmartKey; so this might fit your use case?

            Source https://stackoverflow.com/questions/59188438

            QUESTION

            How to get specific elements from a file whose structure is XML-like in Java
            Asked 2019-Nov-07 at 08:20

            I have a .sic-File whose structure is like XML but not completely. There I have a section Channel2 where I want to read some elements. The section is like this:

            ...

            ANSWER

            Answered 2019-Nov-06 at 08:49
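            // implLS is assumed to be a DOMImplementationLS and parser an LSParser (org.w3c.dom.ls), created elsewhere.
            Document _myDoc = null;
            // Wrap the XML string in an LSInput so the Load/Save parser can read it.
            LSInput input  = implLS.createLSInput();
            input.setStringData(requestXML);
            _myDoc = parser.parse(input);
            // Read the text content of the first <MessageFilters> element.
            SI = ((NodeList)_myDoc.getElementsByTagName("MessageFilters")).item(0).getFirstChild().getNodeValue();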

            Source https://stackoverflow.com/questions/58725779

            QUESTION

            HSM decryption + encryption chaining
            Asked 2019-Aug-04 at 15:12

            My application is acting as a switchboard to transfer very sensitive messages between two parties and I'm trying to figure out how I can do this without "looking" at the message they're trying to send.

            I have a HSM, and I've generated a keypair for the sender - they're going to encrypt the message with their public key that I gave them, and I can decrypt the message using the private key I have in the HSM.

            I'm going to then pass that message on by encrypting it with the public key of the ultimate receiver, which I have.

            Is there any way to chain these two operations inside the HSM, without having the decrypted message anywhere near my application memory? I would like the plaintext content to never leave the boundaries of the HSM.

            I know that some HSMs have a CodeSafe / SEE machine feature that lets me write embedded system code and run it inside the HSM, before I get into that I'd like to see if there's a way using the general PKCS / JCE / CNG APIs to do this safely.

            ...

            ANSWER

            Answered 2019-Aug-04 at 15:12

            If all you need is to re-encrypt the same secret under a different key, you can use C_Unwrap to create a temporal HSM object with value of the translated secret and then use C_Wrap to encrypt the value of this temporal HSM object for all the recipients.

            This way the secret will never leave HSM.

            Something like this (verified to be working on SafeNet Luna 7 with RSA-OAEP):

            Source https://stackoverflow.com/questions/57265305

            QUESTION

            Error while launching CF Template for CloudHSM
            Asked 2019-May-15 at 12:29

            ...

            ANSWER

            Answered 2019-May-15 at 12:13

            CloudHSM is currently not supported by CloudFormation.
            You can find a list of supported services and resource types here.

            Source https://stackoverflow.com/questions/56148939

            QUESTION

            Will the Pkcs11Interop Cryptoki application (which is registered as HSM client to more than one HSM) detect and send requests to the active HSM
            Asked 2018-Aug-01 at 21:08

            We are using Pkcs11Interop API in our application to sign digest using the private keys stored in Thales nShield HSM.

            To cater the DR Scenarios, our digital signatures application hosted server is enrolled as HSM client to both Primary Thales nShield HSM and DR(Secondary) Thales nShield HSM. Here, the IP Addresses for the both Thales nShield HSMs are different based on the assumption that the secure world software installed will detect the active HSM before creating HSM connection.

            While we are testing the DR(fail-over) scenario by switching off the Primary Thales nShield HSM, the Pkcs11Interop is giving error:

            Method C_Initialize returned CKR_FUNCTION_FAILED.

            I would like to know whether the code written using Pkcs11Interop should check which HSM is active then send requests to active HSM OR the secure world software installed on the server should check the active HSM before opening active connection.

            Please advise us the right direction to handle this scenario.

            ...

            ANSWER

            Answered 2018-Aug-01 at 21:08

            I would like to know whether the code written using Pkcs11Interop should check which HSM is active then send requests to active HSM OR the secure world software installed on the server should check the active HSM before opening active connection

            IMO you should first ask Thales support whether their PKCS#11 library can perform automatic failover. If their answer is yes then you don't need to add any failover related code into your application.

            Source https://stackoverflow.com/questions/51518136

            QUESTION

            What are the principles involved for a Hierarchical State Machine, and how to implement a basic model?
            Asked 2018-May-04 at 21:23

            So I'm attempting to make a game using C++, and I've read a ton of articles on Finite State Machines (FSM), and Hierarchical State Machines (HSM). However I will admit most of the stuff I've read is a bit dense and hard to understand, so I was hoping someone can simplify it for me. Is this answer an FSM or an HSM?

            From what I would like to clear up:

            1. How is an HSM different from a normal FSM, and why is it better for games?

            2. Regarding C++, How do you implement a basic HSM following the state pattern? (I might be incorrect on this/using the wrong words.)

            3. How exactly do you handle transitions? What is the on_exit and on_enter method I keep hearing a lot about?

            4. Do I need one HSM for my entire game? (e.g. Handling all enemies, player actions, game menus) or do I use multiple HSMs?

            5. When implementing player entities, would they all be a subset of an Entity state?

            6. Lastly if someone could give some pseudo-code to help visualize these questions, I would appreciate it.

            ...

            ANSWER

            Answered 2018-May-04 at 21:23

            It's just about nesting. An HSM is basically an FSM, but where each state in turn can be a separate FSM.

            For an example in a game, consider an NPC. It has multiple states:

            1. Walk to point A
            2. Wait a minute
            3. Walk to point B
            4. Wait a minute
            5. Continue from 1
            6. Fighting with PC

            This FSM is simple, but all states need to have a transition to state 6 (Fighting with PC) for when the NPC is attacked by a PC. This makes the FSM kind of ugly. So instead let's have this much simpler FSM:

            1. Walking about
            2. Fighting with PC

            This FSM is very simple, there are only two transitions, and it's easy to understand. The major part of state 1 is then a secondary FSM:

            1. Walk to point A
            2. Wait a minute
            3. Walk to point B
            4. Wait a minute

            If there's an event which doesn't match the secondary FSM transitions, like a PC attacking, you go up a level to the top-level FSM to match the event and find a suitable transition.

            You could in a way think about it as a stack, each state in a higher level could push a new lower-level FSM. If there's an event that doesn't match any possible transitions, pop the stack and go back up a level. Continue until there's a matching transition.

            In short, it's a way to simplify an FSM.

            Source https://stackoverflow.com/questions/50182913

            QUESTION

            How is AWS KMS more secure than traditional method of storing keys?
            Asked 2018-Mar-13 at 20:06

            So I read this

            ...

            ANSWER

            Answered 2018-Mar-13 at 20:06

            Access to a HSM is timebound. If you lose your keys, anybody that has them can encrypt/decrypt data, produce signatures or perform any other cryptography as long as they want. Of course you can revoke a certificate, but that does not affect a key in many cases (for example it is still good for decryption after certificate revocation).

            If you use a HSM, when you discover access compromise, you can disable the attacker's access to the HSM very quickly, and no further data is compromised. Of course the attacker can fully use your keys as long as they have access to the HSM, but not afterwards.

            Also securing and equally importantly, auditing access to a HSM is much easier than to a key stored somewhere else. As a key never leaves a HSM, you don't have to care about auditing things like copied key usage (practically impossible) - you have information on exactly who accessed what key, for what purpose. You can grant and revoke such access at will.

            A HSM usually provides other aspects of key management as well, for example key distribution may become much easier.

            So yes, of course you still need to guard access to the HSM and contained keys. But for the reasons above, it still makes key management much more secure if used properly.

            Source https://stackoverflow.com/questions/49259062

            QUESTION

            Pkcs#11 with NCryptoki error N. 145
            Asked 2017-Apr-26 at 19:24

            I'm using the NCryptoki dll to manage the access to our HSMs.

            I use a C# windows service. This service is a socket: it listens for requests and it accesses the HSMs, doing stuff.

            Using my code to access the HSM, I randomly get this message:

            Cryptware.NCryptoki.CryptokiException: Error n. 145

            Only few calls on the total get this message, but it is quite annoying. Do you know why this is happening?

            I found 145 is 0x00000091 CKR_OPERATION_NOT_INITIALIZED: There is no active operation of an appropriate type in the specified session

            I get this error, for example, when I call the find method:

            Cryptware.NCryptoki.CryptokiException: Error n. 145 at Cryptware.NCryptoki.CryptokiObjects.Find(CryptokiCollection attList, Int32 nMaxCount)

            It seems like the session isn't valid.

            Our service is a listening socket. It gets a big load of requests and, few of them, fail with this message. Do you know why?

            The weird point is the same request rarely fails and all the other times works.

            ...

            ANSWER

            Answered 2017-Apr-26 at 19:24

            You are most likely not using PKCS#11 library and PKCS#11 sessions in multi-threaded environment correctly. See my older answer to similar question for more details.

            Source https://stackoverflow.com/questions/43635679

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install hsms

            You can install using 'npm i hsms-driver' or download it from GitHub, npm.

            Support

            For any new features, suggestions and bugs, create an issue on GitHub. If you have any questions, check and ask questions on the community page on Stack Overflow.

            CLONE
          • HTTPS

            https://github.com/megahoneybadger/hsms.git

          • CLI

            gh repo clone megahoneybadger/hsms

          • sshUrl

            git@github.com:megahoneybadger/hsms.git
