A Hardware Security Module (often abbreviated to HSM, also often called a Host Security Module) is a plug-in card (PCI) or external device (RS232/SCSI/IP/USB/PCMCIA) for a general purpose computer and may even be an embedded system itself.
The job of the HSM is to securely generate and/or store long term secrets for use in cryptography and physically protect the access to and use of those secrets over time. Generally these are private keys used in Public-key cryptography; some HSMs also allow for hardware protection of symmetric keys.
Many HSM systems have a means to securely back up the keys, either in a wrapped form via the computer's operating system or externally using a smartcard or some other USB token. The most robust HSM systems are those in which secrets are not exported even when migrating between HSMs or performing backup operations.
Most HSM systems are also hardware cryptographic accelerators. Since they do not allow the keys to be removed from the device in an unencrypted form, they must be able to perform the common cryptographic operations themselves. As a happy consequence, these HSMs accelerate the intensive maths (especially in public-key cryptography) and provide better performance than a completely software-based crypto system.
It is important to note that keys protected by an HSM are only truly 'hardware protected' if they were generated inside the hardware itself. Importing a standard software-protected key into an HSM still means that a non-hardware-protected copy of the key material might exist on old backups.
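One way to audit this on a device that exposes PKCS#11, as an added example that is not part of the original page: the attribute names are standard PKCS#11, while the inventory, key labels and verdict strings are constructed, and reading the attributes from a real token is assumed to happen elsewhere.

```python
# Added example: audit key provenance from PKCS#11 attributes.
# Attribute names come from the PKCS#11 standard; INVENTORY is constructed.
HARDWARE_ONLY = "hardware-only"
WRAPPABLE = "generated on device, may have left it wrapped"
EXPOSED = "generated on device, plaintext was readable at some point"
IMPORTED = "imported, a software copy may still exist"

def classify_key(attrs):
    """Classify one private/secret key object from its attribute flags.

    Missing attributes are read pessimistically, so an incomplete dump
    never yields a 'hardware-only' verdict.
    """
    local = attrs.get("CKA_LOCAL", False)             # generated on the token
    sensitive = attrs.get("CKA_SENSITIVE", False)     # plaintext unreadable now
    always_sens = attrs.get("CKA_ALWAYS_SENSITIVE", False)
    extractable = attrs.get("CKA_EXTRACTABLE", True)  # can be wrapped out now
    never_extr = attrs.get("CKA_NEVER_EXTRACTABLE", False)

    if not local:
        return IMPORTED
    if not (sensitive and always_sens):
        return EXPOSED
    if extractable or not never_extr:
        return WRAPPABLE
    return HARDWARE_ONLY

def audit(inventory):
    """Map each key label to its verdict."""
    return {label: classify_key(attrs) for label, attrs in inventory.items()}

def needs_review(inventory):
    """Labels of keys that cannot be treated as purely hardware-protected."""
    return sorted(k for k, v in audit(inventory).items() if v != HARDWARE_ONLY)

# Constructed sample inventory (labels and flag values are illustrative).
INVENTORY = {
    "ca-root": {"CKA_LOCAL": True, "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False,
                "CKA_ALWAYS_SENSITIVE": True, "CKA_NEVER_EXTRACTABLE": True},
    "tls-migrated": {"CKA_LOCAL": False, "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False,
                     "CKA_ALWAYS_SENSITIVE": False, "CKA_NEVER_EXTRACTABLE": False},
    "db-master": {"CKA_LOCAL": True, "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": True,
                  "CKA_ALWAYS_SENSITIVE": True, "CKA_NEVER_EXTRACTABLE": False},
}

if __name__ == "__main__":
    for label, verdict in audit(INVENTORY).items():
        print(f"{label:14} {verdict}")
```

Keys listed by `needs_review` are candidates for regeneration inside the device, followed by a search of old backups for the software copy.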
The physical security of an HSM is usually expressed as a FIPS 140-2 validation level. Customers prefer FIPS 140-2 Level 3 and the recent FIPS 140-2 Level 4, since these assure high physical security.
Ingrian Networks, RSA, Sun/IBM Java, Microsoft, Mozilla Foundation and OpenSSL all provide or implement API-level hooks that allow software to make use of an HSM. Below is a list of popular cryptography APIs that can be used with hardware modules from different vendors.
Special HSMs, which do not use the PKCS#11 API, are used in card processing systems. While there is no global standard for the low-level API of "payment" HSMs, common principles are shared among HSM software developers.
There are two main groups of HSMs used here:
OEM or integrated modules for automated teller machines and POS terminals:
Authorisation and personalisation modules may be used to: