Encryption for DNSSEC

We recently came across a useful checklist for anyone who wants to use DNSSEC and establish a good security baseline with a hardware security module (HSM), i.e., never have encryption keys compromised.

We will include a detailed comparison of our platform to enigmabridge.com a little later, but here is an initial comparison.

Feature – Required / Optional – Supported by Enigma Bridge

  • PKCS #11 API – Required – YES (wrapper)
  • MS CryptoAPI – Not required – NO
  • OpenSSL engine support – Not required – NO
  • Minimum key size ≤ 1024 bits – Required – YES
  • Maximum key size ≥ 2048 bits – Required – YES
  • RSA algorithm support – Required – YES
  • DSA algorithm support – Optional – YES
  • Symmetric algorithm support (AES, DES, etc.) – Optional – YES
  • FIPS 140-2 (level 2 or 3) – Recommended* – YES, Level 3 (optional)
  • Common Criteria (EAL 4 or up) – Recommended* – YES, EAL5+
  • Backup mechanisms – Required – YES (part of key management)

Enigma Bridge is a service so you don’t have to buy your own hardware and manage it.

Published by

Dan Cvrcek

Founder and CEO of Enigma Bridge, engineer, entrepreneur, cryptography SME, security architect, and professor.