NCryptoki and multithreading issues

11/21/2017 5:17:59 PM
Total Posts 3

NCryptoki and multithreading issues

Hi,

I am using NCryptoki to access the unmanaged PKCS#11 library from SafeNet, Version 5.1.0.
I created a console application, which encrypts data in a loop, using the HSM emulator on my local machine.
The application uses multiple threads (Parallel.ForEach()), I called "_cryptoki.Initialize(true)" to initialize NCryptoki for multithreaded operations.

What it does:
- Get the active slot from the emulator with a specific name
- Get a public key from that slot
- Encrypt data with that key

Sometimes (20 of 50000 times) the call to the Property 'ICryptoki.ActiveSlots' fails.
The returned error code is: 0x150 (CKR_BUFFER_TOO_SMALL)
I implemented a retry-mechanism since I found out, when I do the same operation again, it succeeds!

When the call was successful, I am getting the token from the active slot and call: 
token.OpenSession(Session.CKF_SERIAL_SESSION | Session.CKF_RW_SESSION, null, null); // CKF_SERIAL_SESSION

This again most of the time succeeds but 3 times of 50000 it returned with error code 0xB3 (CKR_SESSION_HANDLE_INVALID).
I added a retry-mechanism here too but I have the feeling that something is not behaving as it should be.

Why does a call to the 'ActiveSlots' Property sometimes return 0x150?

For testing I reduced the threads to use to 1 and this "solved" the problem.
Now querying the ActiveSlots and getting a session always works.

BUT: I am providing the implemented functionality in a library which will also be used in an ASP.NET application, which by default is "multithreaded" (threads where the app runs can change), so I have to make sure that this will not be a problem.

best regards,
Hannes

11/21/2017 5:43:17 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: NCryptoki and multithreading issues

Hi Hannes,

your report is very detailed and clear. I appreciate your precision.

Your scenario is really complex and the issue is very hard to find. 

NCryptoki works as a wrapper that gets the calls from .NET, forwards them to the underlying PKCS#11 module that calls the HSM and finally the result is returned back to .NET.

I guess the issue is related to memory allocation. It seems that somewhere in the calling flow the allocated memory is rewritten with something else causing CKR_BUFFER_TOO_SMALL and CKR_SESSION_HANDLE_INVALID.

Because the issue happens so few times over 50000 attempts, there are a lot of memory allocations/deallocations, both on the .NET side (when NCryptoki allocates the memory to pass to the underlying PKCS#11) as well as inside the underlying PKCS#11. For this reason it is very hard for us to understand where it is.

Do you have access to the PKCS#11 log? This may help us to understand what is happening.

Anyway, we'll try to reproduce in some way your scenario with another PKCS#11 module in order to check if the problem is inside NCryptoki or not

11/22/2017 2:45:35 PM
Total Posts 3

Re: NCryptoki and multithreading issues

Thanks for your fast reply!

Since everything, including the emulator, is running on my local machine, I should have access to all log files?
How can I enable logging of the HSM device itself?

I found http://www.ncryptoki.com/Forums/Thread.aspx?pageid=9&mid=22&ItemID=1&thread=39&postid=189 but this only mentions how to enable logging for Cryptware.
I am using Safenet and there is no registry entry to enable logging. (The Safenet entry exists under HKLM\Software).

best regards,
Hannes