How useful are such measures when Intel has backdoored each and everyone of their CPUs with its "Intel Management Engine" [0] (and AMD has a similar mechanism)?<p>If Intel/AMD have a backdoor into every PC and server, then so does the US gov't (NSA, CIA, FBI, etc.) and of course other uninvited hackers from even hostile countries.<p>And how did Western society just accept all of this anti-democratic craziness?<p>[0] <a href="https://libreboot.org/faq.html#intel" rel="nofollow">https://libreboot.org/faq.html#intel</a>
What's the advantage of this over the ~$100 open source NitroKey HSM?<p><a href="https://www.nitrokey.com/files/doc/Nitrokey_HSM_English.pdf" rel="nofollow">https://www.nitrokey.com/files/doc/Nitrokey_HSM_English.pdf</a>
No mention of the actual hardware (processor) they've used. I guess the bill of materials would be funny (although of course I realize that the value is in their expertise and software etc).<p>The performance specs [1] say "HMAC-SHA-(1|256): ~4ms avg" which I guess is for 256 bits [2], compared to [3] which list a 6th gen Skylake 3.1 GHz doing it at 535 MB/s.<p>[1]: <a href="https://www.yubico.com/products/yubihsm/" rel="nofollow">https://www.yubico.com/products/yubihsm/</a><p>[2]: But I have no idea, perhaps this is a stupid interpretation, in which case I'll turn around and blame them for being unclear.<p>[3]: <a href="https://www.cryptopp.com/benchmarks.html" rel="nofollow">https://www.cryptopp.com/benchmarks.html</a>
I must add this post
<a href="https://plus.google.com/+gregkroahhartman/posts/WK6ZLEhfQo5" rel="nofollow">https://plus.google.com/+gregkroahhartman/posts/WK6ZLEhfQo5</a>
Is it open source?
"Yubico has replaced all open-source components that made yubikey NEOs so awesome with proprietary closed-source code in Yubikey 4s"
An even lower cost (and open-source) alternative:<p><a href="https://sc4.us/hsm" rel="nofollow">https://sc4.us/hsm</a><p>The SC4-HSM also includes dedicated I/O (a display and two buttons) which makes it more secure than the Yubikey.<p>Disclosure: this is my product.
This is amazing and literally filling a void for companies aware of the benefits but lacking the budget. There's one last barrier though: how to use this in the cloud? A partnership with AWS to have this as a service would be amazing because their HSM offering is not affordable and also because for many compliance reasons companies use AWS (PCI DSS for example) and there would be no way to include HSM 2 there. Let's hope this happens!
I hope te EdDSA curve 25519 support in YubiHSM2 means we'll see the curve also in Yubikeys (e.g. OpenPGP applet). Currently Yubico's OpenPGP supports only RSA but there are already tokens supporting this modern crypto [0].<p>[0]: <a href="https://debconf17.debconf.org/talks/162/" rel="nofollow">https://debconf17.debconf.org/talks/162/</a>
Think there's a chance we could get a Type C key someday that's as small as that (well, literally smaller, but I'm thinking something not much larger than the shell that will stick out of my machine about as much as that Type A one does.
I bought a Yubico key once. The thing was so cheap that between the time I set it up and the first time I actually had to use it, it had disintegrated just from sitting in my pocket every day on my keychain. The plastic was brittle and fell apart piece by piece until eventually the electronics fell apart too.