April 24, 2008
Tutorial - What is a HSM?
Using debit cards at a self-service terminal means that you'll be sending encrypted PIN data somewhere to be decoded/transacted. At that server endpoint will sit the HSM which will do that. ATM people know it well. Kiosk people are just beginning to learn about it.
A Hardware Security Module (often abbreviated to HSM, also often called a Host Security Module) is a plug-in card (PCI) or external device (RS232/SCSI/IP/USB/PCMCIA) for a general purpose computer and may even be an embedded system itself.
The job of the HSM is to securely generate and/or store long-term secrets for use in cryptography and to physically protect access to, and use of, those secrets over time. Generally these are private keys used in public-key cryptography; some HSMs also allow for hardware protection of symmetric keys.
Many HSM systems have a means to securely back up the keys, either in a wrapped form via the computer's operating system or externally using a smartcard or some other USB token. The most robust HSM systems are those where secrets are not exported even when migrating between HSMs or performing backup operations.
Most HSM systems are also hardware cryptographic accelerators. Since they do not allow the keys to be removed from the device in an unencrypted form, they must be able to perform the common cryptographic operations themselves. As a happy consequence, these HSMs accelerate the intense maths (especially in public-key cryptography) and provide better performance than a normal software-based crypto system.
It is important to note that keys protected by an HSM are only truly 'hardware protected' if they were generated inside the hardware itself. Importing a standard software-protected key into an HSM still means that a non-hardware-protected copy of the key material might exist on old backups.
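The check below is an added example, not part of the original tutorial: it audits key objects for the "generated inside the hardware" property using the boolean key attributes that PKCS#11 defines (CKA_LOCAL, CKA_SENSITIVE, CKA_ALWAYS_SENSITIVE, CKA_EXTRACTABLE, CKA_NEVER_EXTRACTABLE). The key labels and the inventory are constructed sample data; on a real token the values would be read back with C_GetAttributeValue.

```python
# Added example: audit PKCS#11 key attributes for true hardware protection.
# Attribute names come from the PKCS#11 specification; the data is constructed.

def audit_key(attrs):
    """Return findings for one private/secret key object.

    attrs maps PKCS#11 attribute names to booleans as read from the token.
    A missing attribute is treated as False (the conservative reading).
    """
    findings = []
    if not attrs.get("CKA_LOCAL", False):
        # Created or unwrapped from outside: a software copy may survive.
        findings.append("imported: not generated on the token")
    if not attrs.get("CKA_SENSITIVE", False):
        findings.append("value can be read in plaintext")
    elif not attrs.get("CKA_ALWAYS_SENSITIVE", False):
        findings.append("was non-sensitive at some point")
    if attrs.get("CKA_EXTRACTABLE", False):
        findings.append("can be wrapped out of the token")
    elif not attrs.get("CKA_NEVER_EXTRACTABLE", False):
        findings.append("was extractable at some point")
    return findings

def audit_inventory(inventory):
    """Map key label -> findings, keeping only keys that have findings."""
    report = {}
    for label, attrs in inventory.items():
        findings = audit_key(attrs)
        if findings:
            report[label] = findings
    return report

# Constructed sample inventory; labels are hypothetical.
SAMPLE = {
    "pin-zone-key": {          # generated on the token, never exportable
        "CKA_LOCAL": True, "CKA_SENSITIVE": True, "CKA_ALWAYS_SENSITIVE": True,
        "CKA_EXTRACTABLE": False, "CKA_NEVER_EXTRACTABLE": True},
    "legacy-tls-key": {        # imported from a software keystore
        "CKA_LOCAL": False, "CKA_SENSITIVE": True, "CKA_ALWAYS_SENSITIVE": False,
        "CKA_EXTRACTABLE": False, "CKA_NEVER_EXTRACTABLE": False},
    "backup-enabled-key": {    # generated on the token, wrapped backup allowed
        "CKA_LOCAL": True, "CKA_SENSITIVE": True, "CKA_ALWAYS_SENSITIVE": True,
        "CKA_EXTRACTABLE": True, "CKA_NEVER_EXTRACTABLE": False},
}

if __name__ == "__main__":
    for label, findings in audit_inventory(SAMPLE).items():
        print(label)
        for finding in findings:
            print("  -", finding)
```

Only the first key passes cleanly; the imported key is flagged on all three provenance checks even though its current settings look safe.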
The physical security of an HSM is usually expressed as a FIPS 140-2 validation level. FIPS 140-2 Level 3 and the recent FIPS 140-2 Level 4 are the ones preferred by customers, since they assure high physical security.
HSM Software APIs
Ingrian Networks, RSA, Sun/IBM Java, Microsoft and OpenSSL all provide or implement API level hooks that allow software to make use of a HSM. Below is a list of popular cryptography APIs that can be used with hardware modules from different vendors.
* PKCS#11 - RSA's API, designed to be platform independent, defining a generic interface to HSMs. Also known as 'cryptoki'.