3667313236 e8f02b0877 m Hardware Security Module
by valentin.d

Tamper protection

The tamper evidence, resistance, and response tamper protection are the key and major differences HSMs have from usual server computers acting as cryptographic accelerators.

Whereas there are some standards covering security requirements for cryptographic modules, the most widely accepted (both as customers choice and government requests) is the NIST FIPS 140-2.

HSM software APIs

Below is a list of popular cryptography APIs that can be used with hardware modules from different vendors.

PKCS#11 RSA’s API, designed to be platform independent, defining a generic interface to HSMs. Also known as ‘cryptoki’

OpenSSL OpenSSL engine API

JCE/JCA Java’s cryptography API

Microsoft CAPI Microsoft’s API as used by IIS, CA and others, also available in .NET.

Microsoft CNG API Microsoft’s next-generation crypto API available for Windows Vista onwards, used by IIS, ADCS and others.

HSM main uses

HSMs can be employed in any application that uses digital keys. Typically the keys must be of high-value – meaning there would be a significant, negative impact to the owner of the key if it were compromised. The list of applications are endless, but some of the primary uses include:

PKI environment (CA HSMs)

Older Luna HSMs (PCMCIA)

On the PKI environment, the HSMs are usually used by all certification authorities (CAs) and registration authorities (RAs) to generate, store, and handle key pairs. In this scenario, there are some fundamental features a device must have, namely:

Logical and physical high level protection

Multi-part user authorization schema (see Blakley-Shamir secret sharing)

Full audit and log traces

Secure key backup

In the PKI environment, the device performance is much less important in both online and offline operations as Registration Authority procedures represent the performance bottleneck of the Infrastructure.

Card payment system HSMs (bank HSMs)

ARX network-attached PrivateServer HSM

Limited-feature HSMs are used in card processing systems. These systems are usually less complex than CA HSMs and normally do not feature a standard API. These devices can be grouped in two main classes:

OEM or integrated modules for automated teller machines and POS terminals:

to encrypt the PIN entered when using the card

to load keys into protected memory

Authorisation and personalisation modules may be used to:

check an on-line PIN by comparing with an encrypted PIN block

in conjunction with an ATM controller, verify credit/debit card transactions by checking card security codes or by performing host processing component of an EMV based transaction

support a crypto-API with a smart card (such as an EMV)

re-encrypt a PIN block to send it to another authorisation host

support a protocol of POS ATM network management

support de-facto standards of host-host key|data exchange API

generate and print a “PIN mailer”

generate data for a magnetic stripe card (PVV, CVV)

generate a card keyset and support the personalisation process for smart cards

The major organization that produces and maintains standards for HSMs on banking market is the Payment Card Industry Security Standards Council.

SSL connectivity

There are applications where performance is a bottleneck but security must not be forgotten. These applications usually are presented as secure Web services served through HTTPS (SSL/TLS). In this environment, SSL Acceleration HSMs are employed. Typical performance numbers for these applications range from 50 to 1,000 1024-bit RSA signs/second, although some devices can reach numbers as high as +7,000 operations per second.


An increasing number of registries use HSMs to store the key material that is used to sign large zonefiles. For example OpenDNSSEC is a designated DNSSEC signer tool using PKCS#11 to interface with HSMs.

See also

Secure cryptoprocessor

Electronic funds transfer

Public key infrastructure

Security token

IBM 4764

External links

Wikimedia Commons has media related to: Hardware security modules

Bull Group, CRYPT2pay

Current NIST FIPS-140 certificates

AEP Networks FIPS 140-2 Level 4 Validated

Thales Group, nCipher products

HP, Atalla Security

ARX (Algorithmic Research) – PrivateServer HSM, FIPS 140-2 Level 3 Validated

Utimaco, SafeGuard CryptoServer HSM

Understanding Security APIs (a good summary of HSMs)

Categories: Cryptographic hardware | Banking technologyHidden categories: All articles with unsourced statements | Articles with unsourced statements from June 2009

I am China Manufacturers writer, reports some information about moeller circuit breaker , hv circuit breakers.

Incoming search terms: