Building a SmartCard-HSM Cluster
Andreas Schwier | 20 Nov 2015
Building a SmartCard-HSM cluster is a very cost-effective way to increase cryptographic processing power. The ability to securely migrate keys from one SmartCard-HSM to another allows adding devices as the demand increases.
A great device for building a cluster of SmartCard-HSMs is the myUTN-80 Dongleserver from SEH. The Dongleserver is a networked USB hub, available with 8 or 20 ports. It can be used as a desktop device or mounted in a 19-inch rack. The myUTN-80 supports a range of client operating systems and is particularly useful for giving virtual machines access to a SmartCard-HSM.
To find out how well cryptographic processing scales in a cluster, we equipped a myUTN-80 with 8 SmartCard-HSM EA+ tokens. The tokens were initialized with an ECC and an RSA test key and then cloned using the KeyManager from the SDK. For the test we used the multi-threading tests from the sc-hsm-embedded PKCS#11 module.
To access a SmartCard-HSM installed in a myUTN-80 Dongleserver, you need to install the UTN-Manager for your operating system. On Linux you need the seh-utn-driver, seh-utn-service and seh-utn-clitool packages.
Using the utnm command-line tool, you can list the devices inserted into the Dongleserver.
```
asc@calzone:~/projects/sc-hsm-embedded/src/tests$ utnm -c "getlist 192.168.223.118"
Port VID    PID    Manufacturer                  Product
.--- ------ ------ ----------------------------- -----------------------------
1    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+
2    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+
3    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+
4    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+
5    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+
6    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+
7    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+
8    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+

Port State           Owner                     Class Port name
.--- --------------- ------------------------- ----- -------------------------
1    Activated       asc                       0x0b
2    Activated       asc                       0x0b
3    Activated       asc                       0x0b
4    Activated       asc                       0x0b
5    Activated       asc                       0x0b
6    Activated       asc                       0x0b
7    Activated       asc                       0x0b
8    Activated       asc                       0x0b
```
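When a Dongleserver hosts a cluster, it is worth checking programmatically that every port really carries the expected SmartCard-HSM and that it is activated by the account that is supposed to own it, rather than trusting the listing by eye. The following parser for the `utnm getlist` output is an added example and is not part of the original post or of SEH's or CardContact's tooling. It assumes the two-table layout shown above, a single-word state column and a single-word manufacturer column, and an expected VID/PID of 0x04e6/0x5817 as printed for the SmartCard-HSM EA+. The sample listing embedded in the code is constructed: it copies the post's output but deliberately places a foreign device on port 3 and a different owner on port 7 so the audit has something to report.

```python
"""Parse `utnm -c "getlist <ip>"` output and audit a SmartCard-HSM cluster.

Added example, not code from the post, SEH or CardContact. Assumptions:
- the two-table layout printed by utnm as shown in the post,
- single-word State and Manufacturer columns,
- the SmartCard-HSM EA+ identifies itself with VID 0x04e6 / PID 0x5817.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

EXPECTED_VID = 0x04E6  # CardContact, as printed by utnm in the post
EXPECTED_PID = 0x5817  # SmartCard-HSM EA+


@dataclass
class Port:
    number: int
    vid: Optional[int] = None
    pid: Optional[int] = None
    manufacturer: str = ""
    product: str = ""
    state: str = ""
    owner: str = ""
    device_class: str = ""


# Device table: port, VID, PID, manufacturer (one word), product (rest of line).
_DEVICE_RE = re.compile(r"^(\d+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)\s+(.+?)\s*$", re.I)
# Status table: port, state (one word), optional owner, class (0x..), optional port name.
_STATUS_RE = re.compile(r"^(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(0x[0-9a-f]+)(?:\s+(.*))?$", re.I)


def parse_getlist(text: str) -> Dict[int, Port]:
    """Merge the device table and the status table into one record per port."""
    ports: Dict[int, Port] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(".---"):
            continue  # blank line or the dashed ruler under a header
        if line.startswith("Port VID"):
            section = "device"
            continue
        if line.startswith("Port State"):
            section = "status"
            continue
        if section == "device":
            m = _DEVICE_RE.match(line)
            if not m:
                raise ValueError(f"unparsable device line: {raw!r}")
            p = ports.setdefault(int(m.group(1)), Port(int(m.group(1))))
            p.vid, p.pid = int(m.group(2), 16), int(m.group(3), 16)
            p.manufacturer, p.product = m.group(4), m.group(5)
        elif section == "status":
            m = _STATUS_RE.match(line)
            if not m:
                raise ValueError(f"unparsable status line: {raw!r}")
            p = ports.setdefault(int(m.group(1)), Port(int(m.group(1))))
            p.state, p.owner, p.device_class = m.group(2), m.group(3) or "", m.group(4)
    return ports


def audit_cluster(ports: Dict[int, Port], expected_owner: str, expected_count: int) -> List[str]:
    """Return one finding per deviation from the expected cluster state."""
    findings: List[str] = []
    if len(ports) != expected_count:
        findings.append(f"expected {expected_count} ports, listing shows {len(ports)}")
    for n in sorted(ports):
        p = ports[n]
        if p.vid is None or (p.vid, p.pid) != (EXPECTED_VID, EXPECTED_PID):
            findings.append(f"port {n}: unexpected device {p.manufacturer} {p.product!r} "
                            f"(vid={p.vid}, pid={p.pid})")
        if p.state != "Activated":
            findings.append(f"port {n}: not activated (state={p.state!r})")
        elif p.owner != expected_owner:
            findings.append(f"port {n}: activated by {p.owner!r}, expected {expected_owner!r}")
    return findings


def hsm_ports(ports: Dict[int, Port], owner: str) -> List[int]:
    """Ports carrying a SmartCard-HSM that this owner has activated (e.g. for PKCS#11 slot mapping)."""
    return [n for n, p in sorted(ports.items())
            if (p.vid, p.pid) == (EXPECTED_VID, EXPECTED_PID)
            and p.state == "Activated" and p.owner == owner]


# Constructed sample: the post's listing with port 3 and port 7 altered on purpose.
SAMPLE_OUTPUT = """\
Port VID    PID    Manufacturer                  Product
.--- ------ ------ ----------------------------- -----------------------------
1    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+
2    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+
3    0x1234 0xabcd ExampleVendor                 Constructed USB Device
4    0x04e6 0x5817 CardContact                   SmartCard-HSM EA+

Port State           Owner                     Class Port name
.--- --------------- ------------------------- ----- -------------------------
1    Activated       asc                       0x0b
2    Activated       asc                       0x0b
3    Activated       asc                       0x0b
4    Activated       bob                       0x0b
"""

if __name__ == "__main__":
    inventory = parse_getlist(SAMPLE_OUTPUT)
    for finding in audit_cluster(inventory, expected_owner="asc", expected_count=4):
        print("FINDING:", finding)
    print("usable HSM ports:", hsm_ports(inventory, "asc"))
```

In practice the text would come from `subprocess.run(["utnm", "-c", f"getlist {ip}"], capture_output=True, text=True).stdout`; the port list returned by `hsm_ports` is what a provisioning script would feed into the `activate` commands described below, and any non-empty finding list is a reason to stop before putting keys on the device.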
Activating the connection with a SmartCard-HSM in the myUTN-80 is as simple as
```
utnm -c "activate 192.168.223.118 1"
```
which connects the device in port 1 to the local machine. The PC/SC daemon detects the new device and makes it available to the application.
In a burn-in test, the 8 SmartCard-HSMs were put under load for 1.000.000 RSA signatures with 2048 bit keys. The test took 23 hours and completed without a single failure.
```
Testing with 8 threads on 8 token
Multithreading test started at Sat Nov 21 00:03:25 2015
Multithreading test stopped at Sat Nov 21 23:06:19 2015
Elapsed time is 82974.00 seconds.
Calling C_Finalize - CKR_OK : Passed
Unit test finished.
9500022 tests performed.
0 tests failed.
```
The average throughput was 12 signatures per second.
Further tests were conducted with RSA and ECC keys in different configurations.
| Configuration (RSA) | Signatures | Duration (s) | RSA signatures / s |
|---|---|---|---|
| 8 HSMs with 2048 bit RSA | 1.000.000 | 82974 | 12,1 |
| 1 HSM with 2048 bit RSA | 1.000 | 658 | 1,5 |
| 2 HSMs with 2048 bit RSA | 2.000 | 659 | 3,0 |
| 4 HSMs with 2048 bit RSA | 4.000 | 659 | 6,1 |
| 8 HSMs with 2048 bit RSA | 8.000 | 663 | 12,1 |
The same setup with an ECC key on BrainpoolP256r1:
| Configuration (ECC) | Signatures | Duration (s) | ECC signatures / s |
|---|---|---|---|
| 8 HSMs with 256 bit ECC | 500.000 | 12185 | 32,8 |
| 1 HSM with 256 bit ECC | 1.000 | 241 | 4,1 |
| 2 HSMs with 256 bit ECC | 2.000 | 242 | 8,4 |
| 4 HSMs with 256 bit ECC | 4.000 | 241 | 16,6 |
| 8 HSMs with 256 bit ECC | 8.000 | 243 | 32,9 |
Generally, performance increases linearly with the number of SmartCard-HSMs added to the cluster, at least up to the tested configuration of 8 SmartCard-HSMs. The small deviations are caused by performance variations between the tokens themselves, which in turn stem from the external clock applied to the secure element.
As expected, ECDSA signatures are three times faster than RSA signatures at an equal level of security.
Tests were performed both with a direct connection (CT-API via libusb) and through the PC/SC daemon. Tests through the PC/SC daemon did not show any performance degradation compared to the direct connection.
Network connectivity with the myUTN-80 was very stable during the tests and the device performed perfectly.