A Hardware Security Module (often abbreviated to HSM, also often called a Host Security Module) is a plug-in card (PCI) or external device (RS232/SCSI/IP/USB/PCMCIA) for a general purpose computer and may even be an embedded system itself. The Peripheral Component Interconnect, or PCI Standard (commonly PCI) specifies a Computer bus for attaching peripheral devices to a Computer In Telecommunications, RS-232 (Recommended Standard 232 is a standard for serial binary data signals connecting between a DTE ( Data Terminal Equipment The Internet Protocol ( IP) is a protocol used for communicating data across a Packet-switched Internetwork using the Internet Protocol A computer is a Machine that manipulates data according to a list of instructions.

The job of the HSM is to securely generate and/or store long term secrets for use in cryptography and physically protect the access to and use of those secrets over time. Cryptography (or cryptology; from Greek grc κρυπτός kryptos, "hidden secret" and grc γράφω gráphō, "I write" Generally these are private keys used in Public-key cryptography; some HSMs also allow for hardware protection of symmetric keys. Public-key cryptography, also known as asymmetric cryptography, is a form of Cryptography in which the key used to encrypt a message differs from the key

Many HSM systems have a means to securely backup the keys either in a wrapped form via the computer's operating system or externally using a smartcard or some other USB token. A smart card, chip card, or Integrated circuit card ( ICC) is any pocket-sized card with embedded integrated The most robust HSM systems are those when secrets are not exported even when migrating between HSMs or performing backup operations.

Most HSM systems are also hardware cryptographic accelerators. SSL acceleration is a method of offloading the processor-intensive public key encryption algorithms involved in SSL transactions to a hardware accelerator Since they do not allow the keys to be removed from the device in an unencrypted form, they must be able to perform the common cryptographic operations, as a happy consequence these HSMs will accelerate the intense maths (especially the case in Public-key cryptography) and provide better performance than a completely software based crypto system. Public-key cryptography, also known as asymmetric cryptography, is a form of Cryptography in which the key used to encrypt a message differs from the key

It is important to note that keys protected by HSM are only truly 'hardware protected' if they were generated inside the hardware itself, importing a standard software protected key into an HSM will still mean that a non-hardware protected copy of the key material might still exist on old backups.

Contents 1 Tamper Resistance 2 HSM Software APIs 3 Card Payment System HSMs 4 Organizations Manufacturing HSMs 5 External links

Tamper Resistance

The physical security of the HSM is usually assigned as a level of the FIPS 140-2 validation, being FIPS 140-2 Level 3 and the recent FIPS 140-2 Level 4 the ones preferred by customers, since they assure high physical security. The Federal Information Processing Standard ( '''FIPS''') Publication 140-2 FIPS PUB 140-2 is a U The Federal Information Processing Standard ( '''FIPS''') Publication 140-2 FIPS PUB 140-2 is a U

HSM Software APIs

Ingrian Networks, RSA, Sun/IBM Java, Microsoft, Mozilla Foundation and OpenSSL all provide or implement API level hooks that allow software to make use of a HSM. Below is a list of popular cryptography APIs that can be used with hardware modules from different vendors.

• PKCS#11 - RSA's API, designed to be platform independent, defining a generic interface to HSMs. In Cryptography, PKCS#11 is one of the family of standards called Public-Key Cryptography Standards (PKCS, published by RSA Laboratories. Also known as 'cryptoki'
• JCE/JCA - Java's Cryptography API
• Microsoft CAPI - Microsoft's API as used by IIS, CA and others, also available from . The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an Application net

Card Payment System HSMs

Special HSMs are used in card processing systems, that do not use the PKCS#11 API. In Cryptography, PKCS#11 is one of the family of standards called Public-Key Cryptography Standards (PKCS, published by RSA Laboratories. While there is no global standard on the low level API for "payment" HSMs, common principles are shared among HSM software developers.

There are two main groups of HSMs used here:

OEM or integrated modules for automated teller machines and POS terminals:

• to encrypt the PIN entered when using the card. Point of sale or point of service ( POS or PoS) can mean a retail shop, a checkout counter in a shop or the location where a transaction
• to load keys into protected memory.

Authorisation and personalisation modules may be used to:

• check an on-line PIN by comparing with an encrypted PIN block.
• verify credit/debit card transactions by checking card security codes or by performing host processing component of an EMV based transaction
• support a crypto-API with a Smart Card (such as an EMV). A smart card, chip card, or Integrated circuit card ( ICC) is any pocket-sized card with embedded integrated EMV is a standard for interoperation of IC cards ("Chip cards" and IC capable POS terminals and ATM 's for authenticating credit
• re-encrypt a PIN block to send it to another authorisation host.
• support a protocol of POS ATM network management.
• support de-facto standards of host-host key|data exchange API.
• generate and print a "PIN mailer".
• generate data for a magnetic stripe card (PVV, CVV).
• generate a card keyset and support the personalisation process for Smart Cards. A smart card, chip card, or Integrated circuit card ( ICC) is any pocket-sized card with embedded integrated

Organizations Manufacturing HSMs

• AEP Keyper FIPS Level 4 HSM - AEP Keyper FIPS Level 4 HSM
• Atalla Security Products of HP A8150 A9150 A10150 FIPS 140-2 Level Three Validation
• True Access - Net D-Fence ST/XR, ICP Brazil
• ARX (Algorithmic Research) - PrivateServer HSM, FIPS 140-2 Level 3 Validated
• Banksys DEP - Banksys DEP
• Bull - CRYPT2Pay
• Crypto Accelerator 6000 - Sun
• ERACOM (now a SafeNet subsidiary - CSA8000, protectserver orange,. History Founded in 1987 by Amos Fiat and Yossi Tulpan - students of Adi Shamir from the Weizmann Institute of Science. . .
• Futurex Hardware Security Modules - SSP Series HSM, RMC9000 HSM
• Ingrian Networks - Ingrian DataSecure Appliances, Ingrian KeySecure Appliances and Ingrian EdgeSecure Appliances
• IBM - 4764 FIPS 140-2 Level 4 (superseding 4758)
• nCipher - netHSM, miniHSM, nShield, nForce
• REALSEC - Cryptosec 2048
• SafeNet - Luna SA, Luna CA (CC EAL4+), Luna SP, Luna PCI, Luna PCM, ProtectServer Gold, ProtectServer External, ProtectHost White, ProtectHost EFT
• Smart Card Technology Inc.SPK2032 Smart Key/Smart Disc
• SPYRUS, Inc. LYNKS Series II HSM (USB or PCMCIA)

• Thales e-Security - HSM 8000, P3 Crypto Module, WebSentry, SafeSign Crypto Module
• Utimaco - SafeGuard CryptoServer
• xyzmo - xyzmo SIGNificant server

External links

• Current NIST FIPS-140 certificates
• Current Common Criteria evaluated products

The IBM 4758 PCI Cryptographic Coprocessor is a Secure cryptoprocessor implemented on a high-security programmable

---

© 2009 citizendia.org; parts available under the terms of GNU Free Documentation License, from http://en.wikipedia.org
Dapyx Software network: MP3 Explorer | Ebook Manager | Zenithic