The Heartbleed vulnerability made one thing very clear: current TLS stacks lack
an efficient way to isolate the cryptographic material from the application
layer. Hence, this vulnerability required the massive renewal of private keys
and certificates, which was a costly and painful process for IT
departments. The most efficient approach consists of using Hardware Security
Modules or smartcards to store the cryptographic material. Keys remain
confidential while being usable through an API to perform cryptographic
operations.
PKCS#11 is a standardized security API that is widely adopted by
device vendors. However, deployment of such hardware can be costly and
inconvenient in many scenarios. We propose using Caml Crush, a PKCS#11
filtering proxy, in combination with software PKCS#11 tokens. This architecture
leverages process isolation between the TLS stack and the cryptographic
material. This low-cost alternative is immediately applicable to PKCS#11
compliant software. We demonstrate that this architecture has a low performance
overhead by benchmarking the impact on web hosting scenarios.
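The isolation property the abstract describes (the TLS stack never holds key bytes; it only drives sign/verify operations through an API, as with PKCS#11 C_Sign and C_Verify) can be shown in miniature. The following is an added, self-contained example and is not Caml Crush code or the paper's benchmark: a key-holding process is forked, keeps a constructed HMAC-SHA256 secret, and answers length-framed sign/verify requests over pipes, while the application side keeps only file descriptors. The opcode bytes, framing and `IsolatedToken` class are this example's own assumptions. A Heartbleed-style over-read in the application process would expose the handle, not the key.

```python
"""Illustrative stand-in (not Caml Crush code) for keeping key material in a
separate process that exposes only sign/verify, in the spirit of PKCS#11."""
import hashlib
import hmac
import os
import struct

# Single-byte opcodes for the tiny request protocol (assumption of this example).
OP_SIGN, OP_VERIFY, OP_CLOSE, OP_RESULT = b"S", b"V", b"Q", b"R"
TAG_LEN = hashlib.sha256().digest_size


def _read_exact(fd, n):
    """Read exactly n bytes from a pipe, or raise if the peer went away."""
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            raise EOFError("token process closed the pipe")
        buf += chunk
    return buf


def _write_all(fd, data):
    while data:
        data = data[os.write(fd, data):]


def _send(fd, op, payload=b""):
    # Frame: 1-byte opcode, 4-byte big-endian length, payload.
    _write_all(fd, op + struct.pack("!I", len(payload)) + payload)


def _recv(fd):
    header = _read_exact(fd, 5)
    return header[:1], _read_exact(fd, struct.unpack("!I", header[1:])[0])


def _token_main(rfd, wfd):
    """Body of the key-holding process: the key is generated here and is never
    written to the pipe, so the application side cannot read it."""
    key = os.urandom(32)  # constructed secret, lives only in this process
    while True:
        op, payload = _recv(rfd)
        if op == OP_SIGN:
            _send(wfd, OP_RESULT, hmac.new(key, payload, hashlib.sha256).digest())
        elif op == OP_VERIFY:
            data, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
            expected = hmac.new(key, data, hashlib.sha256).digest()
            ok = hmac.compare_digest(expected, tag)
            _send(wfd, OP_RESULT, b"\x01" if ok else b"\x00")
        else:
            return


class IsolatedToken:
    """Application-side handle: holds pipe descriptors only, no key bytes."""

    def __init__(self):
        to_token_r, to_token_w = os.pipe()
        from_token_r, from_token_w = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: becomes the token process and never returns
            os.close(to_token_w)
            os.close(from_token_r)
            try:
                _token_main(to_token_r, from_token_w)
            finally:
                os._exit(0)
        os.close(to_token_r)
        os.close(from_token_w)
        self._pid, self._w, self._r = pid, to_token_w, from_token_r

    def sign(self, data: bytes) -> bytes:
        _send(self._w, OP_SIGN, data)
        return _recv(self._r)[1]

    def verify(self, data: bytes, tag: bytes) -> bool:
        _send(self._w, OP_VERIFY, data + tag)
        return _recv(self._r)[1] == b"\x01"

    def close(self):
        _send(self._w, OP_CLOSE)
        os.close(self._w)
        os.close(self._r)
        os.waitpid(self._pid, 0)


def demo():
    """Sign a constructed message, verify it, and reject a tampered copy."""
    token = IsolatedToken()
    try:
        tag = token.sign(b"ClientHello")
        return (token.verify(b"ClientHello", tag),
                token.verify(b"ClientHellO", tag),
                len(tag))
    finally:
        token.close()


if __name__ == "__main__":
    print(demo())  # (True, False, 32)
```

The example uses `os.fork` and raw pipes so it runs on any POSIX system without extra packages; a real deployment would put a PKCS#11 module (here, Caml Crush in front of a software token) behind the same kind of narrow interface, and the TLS stack would call C_Sign rather than `sign`.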