What is Hardware Security Module? A Brief Explanation

Rizky Satrio, published in Dev Genius, Jul 6, 2022

I would like to discuss the Hardware Security Module (HSM) and several technologies around it. This post contains a brief explanation of what an HSM is, where to learn about it, and where to find code examples of how to use it.

Definition

An HSM is a physical device that protects and manages digital keys and provides cryptographic processing functions. To put it simply, an HSM handles the whole lifecycle of your secret key: generating it, storing it, using it for encrypt/decrypt operations, and finally discarding it. The essential property is that the secret key never leaves the HSM in unencrypted form.

Why do we need it?

We mostly need it to keep our cryptographic keys secure. Strict standards like PCI-DSS mandate a secure device for storing cryptographic keys, and this is where the HSM fits in.

Type of HSM

HSMs come in many different forms, each with its own advantages and disadvantages. Below are several forms of HSM available on the market:

  1. PCIe, where the HSM is a PCIe card embedded in a server. Example: Thales Luna PCIe HSM
  2. Standalone appliance, where the HSM is a network-attached appliance. Example: Utimaco CryptoServer CP5
  3. USB, where the HSM comes in the form of a USB stick. Example: YubiHSM 2

Which one to choose?

With so many forms of HSM, the question arises: which one to choose? It depends on many things, like your budget and purpose. In strictly regulated businesses like banking, the regulator usually specifies the standard level that the HSM must achieve. This standard usually refers to FIPS 140. There are 4 levels of FIPS 140, with level 4 being the highest, and every HSM on the market usually complies with one of them.

Use Cases

HSMs can be used in many scenarios. Usually the use case is tied to a regulatory requirement to have a secure cryptographic storage device. Below are several typical uses of an HSM:

  • Generation, storage and operation of the private key of a Certificate Authority (CA)
  • Generation, storage and operation of the private key for HTTPS on a web server
  • Digitally signing a PDF file
  • …and many other operations that involve cryptographic key storage and operation

Protocols Used

To interact with the HSM, we need some kind of protocol. The common one is called PKCS#11. PKCS#11 specifies a cryptographic API (Cryptoki), and HSM vendors expose their functions through this Cryptoki interface.

Usually, HSM vendors also have their own proprietary protocol and SDK for developers to use. But for portability, it is better to use PKCS#11, because it is the common protocol supported by every kind of HSM (a bit like HTTP/HTTPS for web servers).

Where to learn PKCS#11?

It is an interesting question. My experience learning this protocol was through a simulator, which is sometimes provided by the HSM vendor. Usually you have to buy the HSM first before you get the simulator. So, the cheapest way to try out PKCS#11 is to use SoftHSM.

What is SoftHSM? You can think of it as a software-based implementation of an HSM. And yes, it also speaks PKCS#11. You can find out all about it here.

Examples of Using SoftHSM

This is a quite lengthy topic, so I will cover it more thoroughly in a separate article. For now, you can check this GitHub repository for an example of how to interact with SoftHSM through the PKCS#11 protocol.
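As an added illustration (not the author's code and not from the linked repository), here is a Java 11+ program that talks to SoftHSM through the JDK's built-in SunPKCS11 provider. It generates an RSA key pair inside the token, signs a message with the token-resident private key, and verifies the signature; the library path, slot index and PIN are assumed values for a token you initialized yourself with `softhsm2-util`.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;

public class SoftHsmSignDemo {
    // Assumed values: adjust to your SoftHSM install and a token initialized with
    // `softhsm2-util --init-token --slot 0 --label demo --pin 1234 --so-pin 0000`.
    static final String LIBRARY = "/usr/lib/softhsm/libsofthsm2.so";
    static final char[] USER_PIN = "1234".toCharArray();
    // SunPKCS11 configuration. The attributes block makes every private key this
    // provider generates token-resident, sensitive and non-extractable.
    static final String CONFIG = String.join("\n",
        "name = SoftHSM",
        "library = " + LIBRARY,
        "slotListIndex = 0",
        "attributes(generate,CKO_PRIVATE_KEY,*) = {",
        "  CKA_TOKEN = true",
        "  CKA_SENSITIVE = true",
        "  CKA_EXTRACTABLE = false",
        "}", "");
    public static void main(String[] args) throws Exception {
        Path cfg = Files.createTempFile("softhsm", ".cfg");
        Files.writeString(cfg, CONFIG);
        Provider p = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(p);

        // Loading the PKCS11 KeyStore with the user PIN performs C_Login on the token.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, USER_PIN);
        // C_GenerateKeyPair runs inside the token; the PrivateKey object is only a handle.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // C_Sign: hashing and signing happen in the token, driven by the key handle.
        byte[] msg = "document to sign".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", p);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        // Verification only needs the public key and could run on any machine.
        Signature verifier = Signature.getInstance("SHA256withRSA", p);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        System.out.println("signature valid: " + verifier.verify(sig));
    }
}
```

Because the key pair is created with CKA_TOKEN = true, each run leaves a new persistent key pair on the SoftHSM token; list them with `softhsm2-util --show-slots` or OpenSC's `pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -O --login` and delete what you no longer need.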


IT Guy | OCP Java | CASE Java | CompTIA Project+ | Certified Utimaco Security Engineer | Former CCNA, CCDP, CASP