Hardware Security Module

From Wikipedia, the free encyclopedia

The term Hardware Security Module (abbreviated HSM) usually refers to a plug-in card (PCI) or an external device (RS-232/SCSI/IP) attached to a general-purpose computer.

The abbreviation HSM is sometimes expanded as Host Security Module.

The job of the HSM is to securely generate and store long-term secrets for use in cryptography, and usually to physically protect access to and use of those secrets over time. Generally these are private keys used in Public-key cryptography; some HSMs also allow for hardware protection of symmetric keys.

Many HSM systems have a means to securely back up the keys, either in a wrapped form via the computer's operating system or externally using a smartcard or some other USB token.

Most HSM systems are also hardware cryptographic accelerators. Since they do not allow the keys to be removed from the device in an unencrypted form, they must be able to perform the common cryptographic operations themselves.

HSMs are not only locally attached devices; several companies produce network-attached HSMs that protect key material for multiple systems.

It is important to note that keys protected by an HSM are only truly "hardware protected" if they were generated inside the hardware itself. Importing a standard software-protected key into an HSM still means that a non-hardware-protected copy of the key material may exist on old backups.

PKCS#11 is a platform-independent API that defines a generic interface to HSMs.
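As an added illustration (not part of the original article, and not real PKCS#11 code), the following Python simulation models the properties described above: a key generated inside the module is marked CKA_LOCAL, an imported key is not; a sensitive key can be used for signing but its value cannot be read; and the only way out of the module is a wrapped backup that a second module holding the same master key can restore, while any tampered backup is rejected. The attribute names and error codes (CKA_LOCAL, CKA_SENSITIVE, CKA_EXTRACTABLE, CKR_ATTRIBUTE_SENSITIVE, CKR_KEY_SIZE_RANGE, CKR_WRAPPED_KEY_INVALID) are real PKCS#11 names used as labels; the SimulatedHSM class, its master key and the hash-based "wrap" construction are constructed for this example and stand in for a real key-wrap algorithm.

```python
import hmac
import hashlib
import secrets


class HSMError(Exception):
    """Raised where a real module would return a PKCS#11 error code."""


class SimulatedHSM:
    """Pure-software stand-in for an HSM (constructed for this example).

    Keys are generated inside, used inside, never readable in clear,
    and leave the module only as wrapped, authenticated blobs.
    """

    KEY_LEN = 32

    def __init__(self, master=None):
        # Constructed: a device master key used only to wrap backups. A real
        # deployment creates it in a key ceremony and shares it only with the
        # modules that are allowed to restore the backup.
        self._master = master if master is not None else secrets.token_bytes(32)
        self._keys = {}  # handle -> (key bytes, attribute dict)
        self._next_handle = 1

    def generate_key(self, label):
        """Key born inside the module: CKA_LOCAL=True, the hardware-protected case."""
        return self._store(secrets.token_bytes(self.KEY_LEN), label, local=True)

    def import_key(self, label, key_bytes):
        """Software key brought in: CKA_LOCAL=False, a clear copy may exist elsewhere."""
        if len(key_bytes) != self.KEY_LEN:
            raise HSMError("CKR_KEY_SIZE_RANGE")
        return self._store(bytes(key_bytes), label, local=False)

    def _store(self, key, label, local):
        handle = self._next_handle
        self._next_handle += 1
        # CKA_* are the real PKCS#11 attribute names for these properties.
        self._keys[handle] = (key, {"CKA_LABEL": label, "CKA_LOCAL": local,
                                    "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False})
        return handle

    def get_attributes(self, handle):
        return dict(self._keys[handle][1])

    def get_value(self, handle):
        """Reading a sensitive key's value is refused, as PKCS#11 does."""
        raise HSMError("CKR_ATTRIBUTE_SENSITIVE")

    def sign(self, handle, message):
        # The module performs the operation itself (its accelerator role).
        key, _ = self._keys[handle]
        return hmac.new(key, message, hashlib.sha256).digest()

    def verify(self, handle, message, tag):
        return hmac.compare_digest(self.sign(handle, message), tag)

    def _keystream(self, nonce):
        # Toy keystream derived from the master key; stands in for a real
        # AES key-wrap and is NOT a production construction.
        return hashlib.sha256(self._master + nonce).digest()

    def wrap_key(self, handle):
        """Export a key only in encrypted-and-authenticated form."""
        key, attrs = self._keys[handle]
        nonce = secrets.token_bytes(16)
        meta = f"{attrs['CKA_LABEL']}|{int(attrs['CKA_LOCAL'])}".encode()
        ct = bytes(a ^ b for a, b in zip(key, self._keystream(nonce)))
        body = nonce + ct + meta
        tag = hmac.new(self._master, body, hashlib.sha256).digest()
        return body + tag

    def unwrap_key(self, blob):
        """Restore a backup; the tag check rejects a tampered or foreign blob."""
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self._master, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise HSMError("CKR_WRAPPED_KEY_INVALID")
        nonce, ct, meta = body[:16], body[16:16 + self.KEY_LEN], body[16 + self.KEY_LEN:]
        key = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce)))
        label, local = meta.decode().rsplit("|", 1)
        return self._store(key, label, local=(local == "1"))


def backup_and_restore_demo():
    """Primary module signs, standby module restores the wrapped key and verifies."""
    master = secrets.token_bytes(32)  # constructed shared master key
    primary, standby = SimulatedHSM(master), SimulatedHSM(master)
    h = primary.generate_key("signing-key")
    tag = primary.sign(h, b"transaction 42")
    restored = standby.unwrap_key(primary.wrap_key(h))
    return standby.verify(restored, b"transaction 42", tag), standby.get_attributes(restored)


if __name__ == "__main__":
    print(backup_and_restore_demo())
```

The point to take from the simulation is the attribute split, not the toy cipher: an auditor reading CKA_LOCAL on a production HSM learns whether the key ever existed outside the module, which is exactly the distinction the paragraph on imported keys draws.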

[edit] Card Payment System HSM

A special range of HSMs is used in payment card processing systems (processing of [VISA], [MasterCard], ...). Such HSMs do not use the PKCS#11 API. There is no global standard for the low-level API of a "payment" HSM, but common principles are shared among HSM software developers. There are two groups of "security module":

OEM or integrated modules for Automated teller machines and POS terminal PINPADs.

  • to encrypt the payment card PIN entered on the PINPAD (i.e. to form a PIN block).
  • to support a scheme for loading keys into protected memory.

Authorisation and personalisation HSMs.

  • < authorisation >
  • to check an on-line PIN from an encrypted PIN block.
  • to support a crypto-API with smart cards (EMV, for example).
  • to re-encrypt a PIN block for forwarding to another authorisation host.
  • to support a protocol for POS/ATM network management.
  • to support the de-facto standard host-to-host key/data exchange API.
  • < personalisation >
  • to generate and print a "PIN mailer".
  • to generate card data for a magnetic stripe card (PVV, CVV).
  • to generate a card keyset and support the personalisation process for smart cards (EMV, for example).
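The two PIN-related bullets above (the PINPAD forming a PIN block, the authorisation HSM checking a PIN from that block) share one data format. As an added example, not taken from the article or from any vendor's API, the following Python code builds and parses an ISO 9564-1 format 0 PIN block: the PIN field (control nibble 0, PIN length, PIN digits, F padding) is XORed with a field made of the rightmost 12 PAN digits excluding the check digit. The encryption step is left out because the standard library has no block cipher: on a real PINPAD the clear block is encrypted under a PIN encryption key before it leaves the device, and the authorisation HSM decrypts it internally before running the comparison shown in host_verify_pin. The PANs and PINs are constructed sample values, not real card data.

```python
import hmac


def pan_field(pan):
    """16 hex digits: 0000 followed by the rightmost 12 PAN digits, check digit excluded."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return "0000" + digits[-13:-1]


def pin_field(pin):
    """16 hex digits: control nibble 0, PIN length (4..C), PIN digits, F padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def xor_hex(a, b):
    return f"{int(a, 16) ^ int(b, 16):016X}"


def format0_pin_block(pin, pan):
    """What the PINPAD computes before encrypting the block under the PIN key."""
    return xor_hex(pin_field(pin), pan_field(pan))


def extract_pin(block, pan):
    """Inverse of format0_pin_block; every structural check must pass."""
    clear = xor_hex(block, pan_field(pan))
    if clear[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(clear[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, padding = clear[2:2 + length], clear[2 + length:]
    if not pin.isdigit() or padding != "F" * (14 - length):
        raise ValueError("malformed PIN block")
    return pin


def host_verify_pin(block, pan, reference_pin):
    """Authorisation-side check: recover the PIN from the (decrypted) block and
    compare it with the reference value in constant time; any parse failure
    is a plain 'no', so the caller learns nothing about why."""
    try:
        candidate = extract_pin(block, pan)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode(), reference_pin.encode())


if __name__ == "__main__":
    # Constructed sample values.
    block = format0_pin_block("1234", "4111111111111111")
    print(block, host_verify_pin(block, "4111111111111111", "1234"))
```

The "re-encrypt a PIN block" bullet is the same data path: the module decrypts under the key of one zone and immediately re-encrypts under the key of the next, so the clear block in this example only ever exists inside the module.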

[edit] Organizations Manufacturing HSM