Tamper evidence, tamper resistance and tamper response are the key differences between an HSM and an ordinary server acting as a cryptographic accelerator: the module is built to show, withstand and react to physical attack, typically by erasing the keys it holds.
Several standards cover security requirements for cryptographic modules; the most widely accepted, both as a customer choice and as a government requirement, is NIST FIPS 140-2.
HSM software APIs
Below is a list of popular cryptography APIs that can be used with hardware modules from different vendors.
PKCS#11: RSA's API, designed to be platform independent, defining a generic interface to HSMs. Also known as Cryptoki.
OpenSSL: the OpenSSL engine API.
JCE/JCA: Java's cryptography API.
Microsoft CAPI: Microsoft's API as used by IIS, the CA and others; also available in .NET.
Microsoft CNG: Microsoft's next-generation crypto API, available from Windows Vista onwards and used by IIS, ADCS and others.
HSM main uses
HSMs can be employed in any application that uses digital keys. Typically the keys are of high value, meaning there would be a significant negative impact on the owner of the key if it were compromised. The list of applications is endless, but some of the primary uses include:
PKI environment (CA HSMs)
In a PKI environment, HSMs are usually used by all certification authorities (CAs) and registration authorities (RAs) to generate, store and handle key pairs. In this scenario there are some fundamental features a device must have, namely:
High-level logical and physical protection
Multi-party user authorization scheme (see Blakley-Shamir secret sharing), so that no single operator can activate or export a CA key
Full audit and log traces
Secure key backup
In the PKI environment the device's performance matters much less, in both online and offline operations, because Registration Authority procedures are the performance bottleneck of the infrastructure.
Card payment system HSMs (bank HSMs)
Limited-feature HSMs are used in card processing systems. These are usually less complex than CA HSMs and normally do not expose a standard API; instead they offer a fixed set of payment commands. These devices can be grouped into two main classes:
OEM or integrated modules for automated teller machines and POS terminals:
to encrypt the PIN entered when the card is used
to load keys into protected memory
Authorisation and personalisation modules, which may be used to:
check an online PIN by comparing it with an encrypted PIN block
in conjunction with an ATM controller, verify credit/debit card transactions by checking card security codes or by performing the host-processing component of an EMV-based transaction
support a crypto API with a smart card (such as an EMV card)
re-encrypt a PIN block to send it to another authorisation host (PIN translation)
support POS/ATM network-management protocols
support de facto standard host-to-host key and data exchange APIs
generate and print a "PIN mailer"
generate data for a magnetic stripe card (PVV, CVV)
generate a card keyset and support the personalisation process for smart cards
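The two operations that define a payment HSM's API boundary are PIN translation (decrypt under one zone key, re-encrypt under the next, return only ciphertext) and online PIN verification (compare a presented PIN block with the issuer's stored reference, return only yes/no). The following added example, written for this article rather than taken from any vendor, models that boundary in Python. Assumptions: the ISO 9564-1 format 0 PIN block is encoded exactly as specified (PIN field XOR rightmost-12-digits-of-PAN field); a small HMAC-SHA256 Feistel cipher stands in for the 3DES/AES a real PIN key would use, so the block runs on the standard library; the key names TPK/ZPK/PVK follow common industry usage but the `PinHsm` class and the PAN/PIN values are constructed for illustration.

```python
"""Added example: PIN translation and online PIN verification inside a modelled
payment-HSM boundary. Not vendor code. The 64-bit Feistel cipher below is a
stand-in for 3DES/AES so the example runs offline."""
import hashlib
import hmac
import secrets

ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """8-byte Feistel block cipher (stand-in for 3DES): L,R -> R, L ^ F(R)."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: run the rounds backwards."""
    l, r = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, i, l)), l
    return l + r


def _pan_field(pan: str) -> bytes:
    """ISO 9564-1 format 0: 0000 + rightmost 12 PAN digits excluding check digit."""
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def iso0_encode(pin: str, pan: str) -> bytes:
    """Clear PIN block: (0, length, PIN, F-padding) XOR PAN field."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return _xor(pin_field, _pan_field(pan))


def iso0_decode(block: bytes, pan: str) -> str:
    """Recover the PIN, rejecting anything that is not a well-formed format 0 block."""
    field = _xor(block, _pan_field(pan)).hex().upper()
    n = int(field[1], 16)
    if field[0] != "0" or not 4 <= n <= 12:
        raise ValueError("not an ISO format 0 PIN block")
    pin, pad = field[2:2 + n], field[2 + n:]
    if not pin.isdigit() or pad != "F" * (14 - n):
        raise ValueError("malformed PIN block")
    return pin


class PinHsm:
    """Modelled HSM boundary: keys are held only here, referenced by name from
    outside, and no method ever returns a clear PIN or a clear PIN block."""

    def __init__(self, **keys: bytes):
        self._keys = dict(keys)

    def encrypt_pin(self, pin: str, pan: str, key_name: str) -> bytes:
        """Keypad/EPP side: the entered PIN leaves the device only encrypted."""
        return block_encrypt(self._keys[key_name], iso0_encode(pin, pan))

    def translate(self, enc_block: bytes, pan: str, from_key: str, to_key: str) -> bytes:
        """PIN translation between zones. The format check runs inside the
        boundary so a garbage or wrong-key block is rejected, not forwarded."""
        clear = block_decrypt(self._keys[from_key], enc_block)
        iso0_decode(clear, pan)
        return block_encrypt(self._keys[to_key], clear)

    def verify(self, enc_block: bytes, pan: str, key_name: str,
               ref_block: bytes, ref_key: str) -> bool:
        """Online PIN check against the issuer's encrypted reference block.
        Both blocks are decrypted inside the module; only a boolean leaves."""
        try:
            presented = iso0_decode(block_decrypt(self._keys[key_name], enc_block), pan)
            reference = iso0_decode(block_decrypt(self._keys[ref_key], ref_block), pan)
        except ValueError:
            return False
        return hmac.compare_digest(presented, reference)


def demo(pin: str = "1234", pan: str = "4000001234567899"):
    """Constructed end-to-end flow: terminal -> acquirer -> issuer."""
    tpk = secrets.token_bytes(32)  # terminal PIN key shared by EPP and acquirer
    zpk = secrets.token_bytes(32)  # zone PIN key shared by acquirer and issuer
    epp = PinHsm(TPK=tpk)
    acquirer = PinHsm(TPK=tpk, ZPK=zpk)
    issuer = PinHsm(ZPK=zpk, PVK=secrets.token_bytes(32))
    reference = issuer.encrypt_pin(pin, pan, "PVK")  # stored at card issuance
    from_terminal = epp.encrypt_pin(pin, pan, "TPK")
    to_issuer = acquirer.translate(from_terminal, pan, "TPK", "ZPK")
    good = issuer.verify(to_issuer, pan, "ZPK", reference, "PVK")
    wrong = acquirer.translate(epp.encrypt_pin("9999", pan, "TPK"), pan, "TPK", "ZPK")
    bad = issuer.verify(wrong, pan, "ZPK", reference, "PVK")
    return good, bad
```

Two design points carry over to real modules: the translate command validates the decrypted block before re-encrypting, and the verify command is the only way to learn anything about a PIN, and it says only match or no match. Real HSMs additionally bind each key to a type (TPK, ZPK, PVK) so that a key loaded for one purpose cannot be named in a command meant for another; the example keeps keys in one dictionary for brevity.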
The major organization that produces and maintains standards for HSMs in the banking market is the Payment Card Industry Security Standards Council.
There are applications where performance is a bottleneck but security must not be forgotten. These are usually secure Web services served over HTTPS (SSL/TLS), and in this environment SSL acceleration HSMs are employed. Typical performance for these applications ranges from 50 to 1,000 1024-bit RSA signatures per second, although some devices reach more than 7,000 operations per second.
An increasing number of registries use HSMs to store the key material used to sign large zone files. For example, OpenDNSSEC is a DNSSEC signer tool that uses PKCS#11 to interface with HSMs.
Electronic funds transfer
Public key infrastructure