1

I am a newbie with HSM. I would like to use HSM in one of my product to store key database. I have following questions:

1) Does all HSM support HTTPS(SSL)?
2) Do we have userspace on HSM where we can run our own programs?
3) Any standard API to access HSM through HTPPS?

NOTE: The user can have any HSM from any service provider.

stuartd
  • 70,509
  • 14
  • 132
  • 163
JDP
  • 56
  • 2
  • 10

3 Answers3

5

It is very much vendor dependent.

You are assuming that the HSM has a linux or desktop-like kernel and GUI. Nope. The HSM is probably an embedded system running a roll-your-own (proprietary) operating system.

The Utimaco 'CryptoServer' line does not support HTTPS or SSL, but that is an answer to an incorrect question. Does the software (called SecurityServer) implement a secure connection between the host application and the firmware, running on the HSM? Yes. But it isn't over HTTPS (as of 4.20) and it doesn't use TLS. And the encrypted connection is between your application and the firmware on the HSM, not the OS that the HSM is plugged into. Ie, there is no 'man-in-the-middle'.

Does the HSM provide "user space"? No, because the OS on the CryptoServer is an embedded OS and it does not have the concept of a User (as defined by a linux or other desktop OS). If you write custom code (CryptoServers support custom code in C and in Lua), C modules run in kernel space, Lua modules run in a Lua sandbox.

SecurityServer supports CXI (Utimaco proprietary), Java_CXI, JCE, PKCS#11, CSP, CNG, EKM. But not RESTful, which is what an HTTPS connection would be.

So: Ask the vendor.

(note: Yes, I work for Utimaco).

rip...
  • 996
  • 5
  • 20
5

(To give a more vendor neutral answer)

1a) Does all HSM support securing HTTPS(SSL)?

  • I suppose most HSMs supporting RSA encryption are usable for HTTPS/SSL/TLS acceleration

  • Note that HSM is usually used only for initial key exchange (e.g. RSA) and consecutive encryption (e.g. AES) is done by the application

1b) Does all HSM support HTTPS(SSL) as a communication channel between application and HSM hardware?

  • As far as I know only Thales supports SSL/TLS for end-to-end connection into HSM firmware

  • Other vendors use their own proprietary protocols for securing communication between application and HSM firmware

2) Do we have userspace on HSM where we can run our own programs?

  • Some HSM models allow running custom code inside HSM hardware -- see this answer

  • Note that running custom code inside HSM hardware may break security certifications

3) Any standard API to access HSM through HTTPS?

  • The 'gold standard' API to access HSMs is PKCS#11

  • Alternative APIs are Java's JCA/JCE, Microsoft's CryptoAPI/CNF

  • Some vendors provide alternative APIs or proprietary extensions to abovementioned APIs

  • I am not aware of any standardized API to access HSM via HTTPS


Disclaimer: It's been some time since I dealt with this, so please do validate my thoughts...

Good luck!

mrSaraf
  • 123
  • 1
  • 13
vlp
  • 7,811
  • 2
  • 23
  • 51
  • re #2 -- yes, as soon as you load custom firmware any certifications (FIPS 140-2/3, CC, PCIe, etc) the hardware/software carry are no longer relevant. You have to get the new firmware certified, along with the existing, to get back into "FIPS" or CC or whatever. – rip... Mar 07 '21 at 02:58
2

I agree that HSM functionality changes from user to user. I can talk about Network HSM provided by Gemalto.

  1. They access the HSM in a network through static IP or DNS.
  2. The standard used by the provider is PKCS #11 2.20 and 2.30 - cryptoki library. You can basically use the SDK provided to develop your applications and the functionality and usage is based on PKCS, but the vendor may have their on additions or subtractions. You can also write custom functions(Functionality Module - FM) and download into the HSM.
  3. In Gemalto Network HSM case Message Dispatch library provided by Gemalto is used for communicating with FM inside an HSM