Question

I am having a query regarding sessions with HSM.

I am aware that there is an overhead if you initialise and finalise the cryptoki api for every file you want to encrypt/decrypt.

My queries are,

  1. Is there an overhead in opening and closing individual sessions for every file you want to encrypt/decrypt (C_Initialize/C_Finalize)?

  2. What is the maximum number of sessions I can have open for an HSM simultaneously, without affecting the performance?

  3. Is opening and closing the session for processing individual files the best approach, or is opening a session, processing multiple files and then closing the session the best approach?

Thanks


Solution 3

There is overhead in opening and closing sessions (from my experiments). It's better not to open individual sessions for each file.

Update: From my vendor:

There is no limit or specified number of sessions that you can open on a token; however, it could be many thousand.

It depends on what you are doing and how it is consuming the RAM of the appliance. Opening too many sessions and creating too many session objects, up to the limit that the RAM can hold, will definitely affect the performance of the appliance.

Thanks

OTHER TIPS

First and foremost, PKCS#11 spec has pretty extensive documentation under general overview about threads, applications and sessions.

Secondly, it depends on your HSM hardware and PKCS#11 module implementation. How does your PKCS#11 provider represent slots? Do you use the same key all the time? What are the authentication mechanisms for the key?

  1. How to use C_Initialize (and C_Finalize) is extensively covered in the PKCS#11 spec
  2. Number of sessions depends on the PKCS#11 implementation, see ulMaxSessionCount in CK_TOKEN_INFO

Try with a single session. Are you sure your bottleneck will be the session handling?

The best approach is definitely to open the session once per application start. I.e. there's no reason to close the session while your application works -- the session is private to your application and no other application can use it to access and use the device if you opened the session.
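The pattern both answers converge on (C_Initialize once per process, one session reused across many files, and a look at CK_TOKEN_INFO.ulMaxSessionCount before deciding how many sessions to hold open) as an added example that is not from the question or either answer. It does not talk to a real HSM: the `FakeCryptoki` class is a constructed in-process stand-in that mimics the few Cryptoki calls the pattern needs and enforces the token's session limit the way the spec describes, failing C_OpenSession with CKR_SESSION_COUNT once the limit is reached. Note that in the PKCS#11 API sessions are C_OpenSession/C_CloseSession; C_Initialize/C_Finalize bracket the whole library for the process. The names `usable_session_limit`, `encrypt_per_file`, `encrypt_batched` and `run_demo` are this example's own; to use it against hardware, replace `FakeCryptoki` with a real binding such as PyKCS11.

```python
from contextlib import contextmanager

# Sentinel values the PKCS#11 spec defines for CK_TOKEN_INFO.ulMaxSessionCount.
CK_UNAVAILABLE_INFORMATION = 0xFFFFFFFFFFFFFFFF  # token won't say
CK_EFFECTIVELY_INFINITE = 0                      # no practical limit
CKR_SESSION_COUNT = 0xB1                         # returned when the limit is hit


class Pkcs11Error(Exception):
    def __init__(self, rv):
        super().__init__(f"CKR 0x{rv:02X}")
        self.rv = rv


class FakeCryptoki:
    """Constructed stand-in for a Cryptoki module; NOT a real HSM."""

    def __init__(self, max_sessions):
        self.max_sessions = max_sessions
        self.initialized = False
        self.open_sessions = set()
        self.next_handle = 1
        self.opens = 0  # counts C_OpenSession calls so the two approaches can be compared

    def C_Initialize(self):
        self.initialized = True

    def C_Finalize(self):
        self.open_sessions.clear()  # C_Finalize closes every session the application still holds
        self.initialized = False

    def C_GetTokenInfo(self, slot):
        return {"ulMaxSessionCount": self.max_sessions}

    def C_OpenSession(self, slot):
        if not self.initialized:
            raise Pkcs11Error(0x190)  # CKR_CRYPTOKI_NOT_INITIALIZED
        limit = self.max_sessions
        if limit not in (CK_EFFECTIVELY_INFINITE, CK_UNAVAILABLE_INFORMATION) \
                and len(self.open_sessions) >= limit:
            raise Pkcs11Error(CKR_SESSION_COUNT)
        handle = self.next_handle
        self.next_handle += 1
        self.open_sessions.add(handle)
        self.opens += 1
        return handle

    def C_CloseSession(self, handle):
        self.open_sessions.remove(handle)

    def C_Encrypt(self, handle, data):
        if handle not in self.open_sessions:
            raise Pkcs11Error(0xB3)  # CKR_SESSION_HANDLE_INVALID
        return bytes(b ^ 0x5A for b in data)  # placeholder transform, not real crypto


def usable_session_limit(token_info):
    """Turn ulMaxSessionCount into a number a pool can plan with, or None."""
    n = token_info["ulMaxSessionCount"]
    if n in (CK_EFFECTIVELY_INFINITE, CK_UNAVAILABLE_INFORMATION):
        return None  # no usable figure from the token; size the pool from your own load tests
    return n


@contextmanager
def pkcs11_session(lib, slot):
    """Open one session and guarantee it is closed even if an operation fails."""
    handle = lib.C_OpenSession(slot)
    try:
        yield handle
    finally:
        lib.C_CloseSession(handle)


def encrypt_per_file(lib, slot, files):
    """The costly approach from the question: a fresh session for every file."""
    out = []
    for data in files:
        with pkcs11_session(lib, slot) as h:
            out.append(lib.C_Encrypt(h, data))
    return out


def encrypt_batched(lib, slot, files):
    """The approach the answers recommend: one session, many files."""
    with pkcs11_session(lib, slot) as h:
        return [lib.C_Encrypt(h, data) for data in files]


def run_demo(n_files=50, max_sessions=8):
    """Process n_files both ways and report how many sessions each opened."""
    lib = FakeCryptoki(max_sessions)
    lib.C_Initialize()  # once per process, not per file
    try:
        slot = 0
        limit = usable_session_limit(lib.C_GetTokenInfo(slot))
        files = [bytes([i]) * 16 for i in range(n_files)]  # constructed sample inputs
        a = encrypt_per_file(lib, slot, files)
        per_file_opens, lib.opens = lib.opens, 0
        b = encrypt_batched(lib, slot, files)
        assert a == b  # same ciphertexts either way; only the session churn differs
        return {"limit": limit, "per_file_opens": per_file_opens, "batched_opens": lib.opens}
    finally:
        lib.C_Finalize()  # once per process


if __name__ == "__main__":
    print(run_demo())
```

The two sentinel values are the caveat worth remembering when you read ulMaxSessionCount on real hardware: 0 means "effectively infinite" and all-ones means "not reported", so neither can be fed to a pool as a count. Keeping one long-lived session per worker thread, sized well under whatever limit the token does report, matches the vendor's advice above about RAM on the appliance.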

Licensed under: CC-BY-SA with attribution