Collaborate Disseminate
My management requested to investigate about security of HSM Thales Payshield.
Have you ever heard of any security bugs on the HSM Thales Payshield? I mean, except for the known bugs reported in their documentation, it seems impossible to … Continue reading HSM Thales PayShield vulnerabilities
I need to store a large amount of AES keys and provide an API to decrypt user-provided ciphertext.
The application flow is as follows:
The user authenticates
The user makes a POST request with some cyphertext and a MAC signature (cleartex… Continue reading How to secure hundreds of AES keys
Password error while loading LMK to the new HSM from the existing one. Is there a way to reset the password of the card with the backup LMK? The existing HSM failed and can’t power on. We have 3 components to load the LMK and only the seco… Continue reading Thales HSM 9000 existing HSM 1 power failed. password error loading LMK to the new HSM 2 [closed]
I need to use the CVK Key (in key block format) to calculate the CVV2.
In the past, I have always used single keys in variant format for this purpose (CVKa + CVKb), and the calculation procedure is standard (there are also many online calc… Continue reading CVV2 calculation with TR-31 Key
we have a concern about a key export. We completed the migration to Key Block LMK in our environment (with HSM Thales 10K). Now, we have to exchange keys with third-parties that still use Keys in variant form. We generated the keys and for… Continue reading PCI compliance – use of ANSI X9.17 for export keys
I use a Thales PayShield 10K with a LMK KeyBlock 3DES. I have to send a CVK Key to a Scheme for the valorization of CVV2 value. Now, in my envorinment i generated a CVK Key with "Key Usage"= C0 and encrypted it under a ZMK (Key s… Continue reading Management of CVK key in Key Block format
When ephemeral Diffie-Hellman (DHE) is used with TLS, the key-exchange key can/will be discarded after a key-exchange. right?
Is there good reason to use HSM for generating and storing DHE key, when the block cipher key is still stored in … Continue reading Does saving of ECDHE keypairs to HSM increase security of TLS?
When using cloud HSM (eg: AWS CloudHSM, Google Cloud HSM etc) for client-side encryption, they always refer to Envelope encryption. In this encryption approach, the data encryption key (DEK) is created locally and will be wrapped with a ke… Continue reading Data Encryption Key protection during transmission in Envelope-Based Encryption
I have a system (lets call it signer) that has private keys for doing Authenticode code signing. I have bunch of build systems that want to sign generated build artifacts. Obviously I can’t use signtool directly on build systems as private… Continue reading Windows CSP for remote signing
Context: I’m trying to design an SRS solution for your personal secrets – "Anki for passwords." (This is mostly a learning-exercise, to help me develop my intuition for writing secure(-ish?) code, and to explore the problem-spac… Continue reading Is there a way to store a verification-hash of a secret on a ‘consumer HSM’ like Yubikey or another WebAuthn device?