Hardware Security Module

tags Tamper protection

The tamper evidence, resistance, and response tamper protection are the crucial and main differences HSMs have from usual server computers acting as cryptographic accelerators.

Whereas there are some standards covering security requirements for cryptographic modules, the most widely accepted (each as clients decision and government requests) is the NIST FIPS 140-2.

HSM application APIs

Beneath is a list of well-liked cryptography APIs that can be used with hardware modules from distinct vendors.

PKCS#11 RSA’s API, designed to be platform independent, defining a generic interface to HSMs. Also recognized as ‘cryptoki’

OpenSSL OpenSSL engine API

JCE/JCA Java’s cryptography API

Microsoft CAPI Microsoft’s API as utilised by IIS, CA and other individuals, also offered in .NET.

Microsoft CNG API Microsoft’s subsequent-generation crypto API accessible for Windows Vista onwards, utilized by IIS, ADCS and other people.

HSM major utilizes

HSMs can be employed in any application that utilizes digital keys. Usually the keys must be of high-value – meaning there would be a considerable, adverse influence to the owner of the important if it were compromised. The list of applications are endless, but some of the major uses incorporate:

PKI atmosphere (CA HSMs)

Older Luna HSMs (PCMCIA)

On the PKI atmosphere, the HSMs are typically utilised by all certification authorities (CAs) and registration authorities (RAs) to produce, store, and deal with crucial pairs. In this scenario, there are some fundamental functions a device should have, namely:

Logical and physical higher level protection

Multi-component user authorization schema (see Blakley-Shamir secret sharing)

Complete audit and log traces

Safe important backup

In the PKI atmosphere, the device efficiency is considerably much less essential in both on the internet and offline operations as Registration Authority procedures represent the overall performance bottleneck of the Infrastructure.

Card payment program HSMs (bank HSMs)

ARX network-attached PrivateServer HSM

Restricted-feature HSMs are utilised in card processing systems. These systems are generally much less complex than CA HSMs and typically do not function a standard API. These devices can be grouped in two principal classes:

OEM or integrated modules for automated teller machines and POS terminals:

to encrypt the PIN entered when making use of the card

to load keys into protected memory

Authorisation and personalisation modules may possibly be utilised to:

verify an on-line PIN by comparing with an encrypted PIN block

in conjunction with an ATM controller, verify credit/debit card transactions by checking card safety codes or by performing host processing element of an EMV based transaction

help a crypto-API with a smart card (such as an EMV)

re-encrypt a PIN block to send it to one more authorisation host

help a protocol of POS ATM network management

help de-facto standards of host-host key|data exchange API

create and print a “PIN mailer”

produce data for a magnetic stripe card (PVV, CVV)

generate a card keyset and support the personalisation method for intelligent cards

The significant organization that produces and maintains requirements for HSMs on banking marketplace is the Payment Card Industry Safety Standards Council.

SSL connectivity

There are applications where performance is a bottleneck but security should not be forgotten. These applications usually are presented as safe Net solutions served via HTTPS (SSL/TLS). In this atmosphere, SSL Acceleration HSMs are employed. Standard performance numbers for these applications range from 50 to 1,000 1024-bit RSA signs/second, even though some devices can reach numbers as high as +7,000 operations per second.


An increasing number of registries use HSMs to retailer the crucial material that is used to sign big zonefiles. For example OpenDNSSEC is a designated DNSSEC signer tool employing PKCS#11 to interface with HSMs.

See also

Secure cryptoprocessor

Electronic funds transfer

Public key infrastructure

Security token

IBM 4764

External hyperlinks

Wikimedia Commons has media associated to: Hardware security modules

Bull Group, CRYPT2pay

Existing NIST FIPS-140 certificates

AEP Networks FIPS 140-2 Level four Validated

Thales Group, nCipher goods

HP, Atalla Security

ARX (Algorithmic Study) – PrivateServer HSM, FIPS 140-two Level three Validated

Utimaco, SafeGuard CryptoServer HSM

Understanding Security APIs (a excellent summary of HSMs)

Categories: Cryptographic hardware | Banking technologyHidden categories: All articles with unsourced statements | Articles with unsourced statements from June 2009