HSM - cryptoki - session - timeout

Posted 2024-09-08 03:48:04, 362 characters, 1 view, 0 comments


My application accesses the HSM via an ASP.NET web service, through PKCS#11. I initialise the cryptoki library and obtain a session handle. The web service holds on to this handle to perform encryption/decryption/signing/verifying in batch mode.

The problem I am facing is this:
The ASP.NET web service times out after 20 minutes. This, I think, unloads the cryptoki library, and the session handle held by the web service becomes invalid. Yes, I agree that the ASP.NET web service can be reconfigured not to time out, which will keep the cryptoki library always loaded.

My question is: what happens to the session handle which I obtained in the first place from the HSM? Will it be lost, or will it be there unused? I am asking this because I am not closing the opened session properly by calling C_CloseSession.

The web service is implemented via a thread pool.

Thanks


Comments (4)

眼眸里的快感 2024-09-15 03:48:04


You are supposed to call C_Finalize() when you are done using the cryptoki library. A well-written implementation might be robust against you not doing so, but there are no guarantees. Your open sessions may be kept alive on the HSM and perhaps in the driver.

Strongly consider calling C_Finalize() from your Application_End().

感情旳空白 2024-09-15 03:48:04


From the theoretical perspective, you should read the PKCS#11 spec; it is all written there, from section 6.6 onwards.

From the practical perspective, an application becomes a cryptoki application after it calls C_Initialize. The concept of a session and its identifier may be relayed by a small wrapper library to a long-running PKCS#11 process that actually talks to the HSM, but it may not be. If the process that was the cryptoki application dies, so will all of its virtual resources (which is what a session is).

Where exactly is the problem? Opening a session could be a pretty cheap operation most of the time. Unless you are sure (have measured) that it is the bottleneck, don't optimize: open and close a session per request if you can't control the lifespan of the cryptoki process.

悲喜皆因你 2024-09-15 03:48:04


If I understood that correctly, you need to create a "global" login for that session.
Furthermore, you need to open/close a session for each local session.

So:
- Global variable with "login" (once on startup, or when you want)
- Check the global login status when you create a new session.
- Create individual sessions for each action (closing the "local" session, not the global login)

With this you obtain a global variable with a logged-in session, and individual sessions using that global login.

Good luck

叹沉浮 2024-09-15 03:48:04


I also have this problem, and the year is 2020 :S
.NET Framework + REST API is the combination that has this problem this time.
I'm using the HSM for a decrypt method. I have an interactive login channel, and we need to do a performance test. The service has an instance of Pkcs11:

// Pkcs11Interop 3.x high-level API: one library instance, one session and one key
// handle, created once and then shared by every request thread.
pkcs11 = new Pkcs11(hsmPath, true);        // true = use OS locking (multi-threaded access)
slot = GetUsableSlot(pkcs11);
TokenInfo tokenInfo = slot.GetTokenInfo();
session = slot.OpenSession(true);          // true = read-only session
session.Login(CKU.CKU_USER, userLoginPin);
secretKey = GenerateKey(session);

And this is the Decrypt method.

public byte[] Decrypt(byte[] encryptedTextByteArray)
{
    // AES-ECB decryption on the shared session with the shared key handle.
    Mechanism mechanism = new Mechanism(CKM.CKM_AES_ECB);
    byte[] decryptedData = null;

    using (MemoryStream inputStream = new MemoryStream(encryptedTextByteArray), outputStream = new MemoryStream())
    {
        // Streams the ciphertext through the library in 4096-byte chunks; any
        // Pkcs11Exception (e.g. CKR_OPERATION_ACTIVE) propagates to the caller.
        session.Decrypt(mechanism, secretKey, inputStream, outputStream, 4096);
        decryptedData = outputStream.ToArray();
    }
    return decryptedData;
}

When I try to run a performance test using Postman runner, there is no problem with one thread.
If I increase the thread count, these errors appear.
First error: CKR_OPERATION_ACTIVE
Next error: CKR_DEVICE_MEMORY

I tried these methods.
- For every request, closed the session, and also opened a session for the new request. But it did not succeed. The same errors appeared. (Of course request and response time increased.)
- For every request, closed the connection, and also opened a new connection for the new request. The same errors appeared. (Of course request and response time increased.)

Can anyone help me? :)
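The pattern the first three answers describe (C_Finalize from Application_End, one long-lived login, a fresh session per request) and the failure in the last post (one session shared by the whole thread pool) in one place, as an added example that is not code from this thread. It is written against the Pkcs11Interop 3.x high-level API that the posted snippet uses. The library path, token label, PIN setting name and key label are hypothetical, the AES key is assumed to be a token object found by CKA_LABEL, and AES-CBC with PKCS#7 padding is used in place of the raw ECB mode of the post.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Added example, not code from the thread. Pkcs11Interop 3.x high-level API, as in the
// posted snippet. Library path, token label, PIN setting name and key label are
// hypothetical; the AES key is assumed to be a token object identified by CKA_LABEL.
public static class HsmService
{
    private static readonly object InitLock = new object();
    private static Pkcs11 _pkcs11;        // one C_Initialize per worker process
    private static Slot _slot;
    private static Session _loginSession; // kept open only to hold the token's login state
    private static string _keyLabel;

    // Call once from Application_Start. The second constructor argument (true) requests
    // CKF_OS_LOCKING_OK, so the library may be entered from many ASP.NET threads at once.
    public static void Initialize(string libraryPath, string tokenLabel, string userPin, string keyLabel)
    {
        lock (InitLock)
        {
            if (_pkcs11 != null) return;
            var pkcs11 = new Pkcs11(libraryPath, true);
            Slot slot = null;
            foreach (Slot s in pkcs11.GetSlotList(true))        // true = slots with a token present
                if (s.GetTokenInfo().Label.TrimEnd() == tokenLabel) { slot = s; break; }
            if (slot == null)
            {
                pkcs11.Dispose();                                // C_Finalize, leave nothing dangling
                throw new InvalidOperationException("token '" + tokenLabel + "' not found");
            }
            // Login state in PKCS#11 is per application per token: C_Login on this session
            // logs in every other session this process opens on the token while at least one
            // session stays open. Hold this session for that purpose only; run no operations on it.
            Session loginSession = slot.OpenSession(true);         // true = read-only
            loginSession.Login(CKU.CKU_USER, userPin);
            _pkcs11 = pkcs11; _slot = slot; _loginSession = loginSession; _keyLabel = keyLabel;
        }
    }

    // One short-lived session per request. A session supports one active operation at a
    // time, so a single session shared by the thread pool yields CKR_OPERATION_ACTIVE as
    // soon as two requests overlap; a private session per call cannot collide.
    public static byte[] DecryptAesCbcPad(byte[] iv, byte[] ciphertext)
    {
        if (_slot == null) throw new InvalidOperationException("HsmService not initialized");
        using (Session session = _slot.OpenSession(true))        // Dispose => C_CloseSession
        {
            ObjectHandle key = FindSecretKey(session, _keyLabel);
            var mechanism = new Mechanism(CKM.CKM_AES_CBC_PAD, iv);  // 16-byte IV as parameter
            return session.Decrypt(mechanism, key, ciphertext);     // C_DecryptInit + C_Decrypt
        }
    }

    private static ObjectHandle FindSecretKey(Session session, string label)
    {
        var template = new List<ObjectAttribute>
        {
            new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY),
            new ObjectAttribute(CKA.CKA_LABEL, label)
        };
        List<ObjectHandle> found = session.FindAllObjects(template);
        if (found.Count != 1)
            throw new InvalidOperationException(found.Count + " keys labelled '" + label + "'");
        return found[0];
    }

    // Call from Application_End: log out, close the login session, then C_Finalize.
    public static void Shutdown()
    {
        lock (InitLock)
        {
            if (_pkcs11 == null) return;
            try { _loginSession.Logout(); } catch (Pkcs11Exception) { /* token already logged out */ }
            _loginSession.Dispose();   // C_CloseSession
            _pkcs11.Dispose();         // C_Finalize; the library's session state is released
            _pkcs11 = null; _slot = null; _loginSession = null;
        }
    }
}

// Global.asax.cs: tie the library's lifetime to the application domain, so an app-pool
// recycle or idle-timeout unload still ends in C_Finalize rather than an abandoned session.
public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        HsmService.Initialize(@"C:\hsm\cryptoki.dll", "prod-token",     // hypothetical path and label
            ConfigurationManager.AppSettings["HsmUserPin"], "app-aes-key"); // hypothetical setting name
    }

    protected void Application_End(object sender, EventArgs e)
    {
        HsmService.Shutdown();
    }
}
```

In Pkcs11Interop, Dispose on Pkcs11 maps to C_Finalize and Dispose on Session to C_CloseSession, so the using block and Application_End together answer the original question: the handle is closed by the application instead of being left for the library or the device to reap. Opening a session per call costs a round trip to the device, which is why the second answer says to measure before optimizing; if it does turn out to be the bottleneck, the next step is a pool of sessions handed out one per request, never one session used by two threads at the same time.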
