A PKCS #11 Signing Provider for OpenSSL - Reinhard Buendgen, IBM
In this presentation, the authors describe how a hardware security module (HSM) can be used to strengthen the security of a TLS connection implemented with OpenSSL 3.x. The presentation points out that the OpenSSL and PKCS #11 APIs are not really compatible. This is due to the OpenSSL and PKCS #11 data structures for keys, the OpenSSL 3.0 provider architecture, and how physical HSMs implement the PKCS #11 standard. One conclusion from this analysis is that implementing a generic PKCS #11 provider for today's OpenSSL provider scheme leads to complications in many ways. However, it is possible to separate the keys used in the TLS protocol into two key subspaces: non-ephemeral keys used in the handshake, and all other keys. It is possible to implement a provider for the first key subspace, which comprises the signing keys used by TLS. The pkcs11-sign provider described in this presentation uses a PKCS #11 interface to call signing functions in an HSM. We hope this presentation triggers a fruitful discussion on how to better combine the two most popular cryptographic APIs.

