Encryption for DNSSEC

We have recently come across a nice check-list for anyone who wants to deploy DNSSEC and establish a good security baseline with a hardware security module (HSM), i.e., keep the keys from ever being compromised.

We will publish a detailed comparison of our platform, enigmabridge.com, against this check-list a little later, but here is an initial comparison.

| Feature | Required / Optional | Supported by Enigma Bridge |
|---|---|---|
| PKCS #11 API | Required | YES (wrapper) |
| MS CryptoAPI | Not required | NO |
| OpenSSL engine support | Not required | NO |
| Minimum key size ≤ 1024 bits | Required | YES |
| Maximum key size ≥ 2048 bits | Required | YES |
| RSA algorithm support | Required | YES |
| DSA algorithm support | Optional | YES |
| Symmetric algorithm support (AES, DES, etc.) | Optional | YES |
| FIPS 140-2 (Level 2 or 3) | Recommended* | YES, Level 3 (optional) |
| Common Criteria (EAL 4 or up) | Recommended* | YES, EAL5+ |
| Backup mechanisms | Required | YES (part of key management) |

Enigma Bridge is a service so you don’t have to buy your own hardware and manage it.

Published by

Dan Cvrcek

Co-founder of Radical Prime and Enigma Bridge. Engineer, entrepreneur, cryptography SME, security architect, and professor.