by benevol on 11/2/17, 7:24 AM
How useful are such measures when Intel has backdoored each and every one of their CPUs with its "Intel Management Engine" [0] (and AMD has a similar mechanism)?
If Intel/AMD have a backdoor into every PC and server, then so does the US gov't (NSA, CIA, FBI, etc.) and of course other uninvited hackers from even hostile countries.
And how did Western society just accept all of this anti-democratic craziness?
[0] https://libreboot.org/faq.html#intel
by confounded on 11/2/17, 5:05 AM
by unwind on 11/2/17, 9:39 AM
No mention of the actual hardware (processor) they've used. I guess the bill of materials would be funny (although of course I realize that the value is in their expertise and software etc).
The performance specs [1] say "HMAC-SHA-(1|256): ~4ms avg" which I guess is for 256 bits [2], compared to [3] which lists a 6th gen Skylake 3.1 GHz doing it at 535 MB/s.
[1]: https://www.yubico.com/products/yubihsm/
[2]: But I have no idea, perhaps this is a stupid interpretation, in which case I'll turn around and blame them for being unclear.
[3]: https://www.cryptopp.com/benchmarks.html
by Shtirlic on 11/2/17, 4:28 PM
by lisper on 11/2/17, 5:00 PM
An even lower cost (and open-source) alternative:
https://sc4.us/hsm
The SC4-HSM also includes dedicated I/O (a display and two buttons) which makes it more secure than the Yubikey.
Disclosure: this is my product.
by synicalx on 11/2/17, 6:00 AM
Never really touched one of these HSMs before, what happens if you're using one in production and it dies?
by davidpelaez on 11/2/17, 2:51 PM
This is amazing and literally filling a void for companies aware of the benefits but lacking the budget. There's one last barrier though: how to use this in the cloud? A partnership with AWS to have this as a service would be amazing because their HSM offering is not affordable and also because for many compliance reasons companies use AWS (PCI DSS for example) and there would be no way to include HSM 2 there. Let's hope this happens!
by hdhzy on 11/2/17, 9:04 AM
I hope the EdDSA curve 25519 support in YubiHSM2 means we'll see the curve also in Yubikeys (e.g. OpenPGP applet). Currently Yubico's OpenPGP supports only RSA but there are already tokens supporting this modern crypto [0].
[0]: https://debconf17.debconf.org/talks/162/
by wav-part on 11/2/17, 11:33 AM
How can HSMs be considered MITM-proof if they do not have a dedicated input system (touchscreen/keyboard)?
by gumby on 11/2/17, 6:13 AM
Think there's a chance we could get a Type C key someday that's as small as that (well, literally smaller, but I'm thinking something not much larger than the shell that will stick out of my machine about as much as that Type A one does)?
by babar on 11/2/17, 5:22 AM
How much of a market is there for HSMs that are not FIPS 140-2 certified?
by xelxebar on 11/2/17, 11:21 AM
I know very little about hardware security. What are some of the issues that HSMs address that make R&D so challenging?
by nikolay on 11/2/17, 5:00 AM
$650 is cheap?
by yosito on 11/2/17, 1:01 PM
I bought a Yubico key once. The thing was so cheap that between the time I set it up and the first time I actually had to use it, it had disintegrated just from sitting in my pocket every day on my keychain. The plastic was brittle and fell apart piece by piece until eventually the electronics fell apart too.
by xchaotic on 11/2/17, 6:17 AM
More generally, why is this not $3? Can we get a Kickstarter for this please?