Menu
I worked and completed a PKI project which used a HSM for generating - storing keys and performing crypto functions. I used PKCS#11 to interface with our application for sigining/verifying and encryption/decryption. Our platform is windows.
Now we are looking to offer a low cost alternative solution by replacing the the HSM with a software security module. I must note here that i am aware of the drawbacks of not using a HSM. Its a trade off between security Vs Cost.
I found that Microsoft provides the Next Generation CryptoAPI (CNG), key store and certificate services. My senior management are not inclined to use open source software. I also found RSA and cryptomathic offering toolkits to perform software based solutions.
Has anybody come across any commercial software security module tool kits to perform key generation, key store and crypto functions?
Programming language - c/c++
Thanks
Raj
704
Purpose of hardware security module Businesses mostly use HSMs to hide their digital keys and certificates. Hardware security modules protect data, identities, and transactions within the network by strengthening encryption processes. They onboard secure cryptographic key generation, storage, and management.
A hardware security module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle.
A hardware security module (HSM) is a physical device that provides extra security for sensitive data. This type of device is used to provision cryptographic keys for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.
Hardware security modules (HSMs) are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates.
You could use SoftHSM, which is a pure-software PKCS #11 implementation. It is being used by the OpenDNSSEC project precisely to be swapped out in cases a real HSM is not available, so it might work for you too. However, it's BSD licensed, so I guess your management may not like it on that basis.
If you are looking for low-cost and yet commmercial (I'm not sure if you're specifically looking for something proprietary, which CryptoAPI is, or for something that is commercially supported, which CryptoAPI is not, unless you have a contract with Microsoft), rewriting your application to use the Win32 CryptoAPI seems the only viable option to me. RSA's toolkits are not cheap, in my experience.
51
Your best option should be to find a software PKCS#11 library. There should be several implementations on the market - I know that the company I work for sells one. That way you would still be able to switch back to a PKCS#11-compliant HSM and the necessary modifications to the application should be minimal.
Your other options are CryptoAPI or CNG from Microsoft or a toolkit from RSA, Cryptomathic or another vendor. That would probably require more work to rewrite the application - I can't really see any advantage to this option, except that CryptoAPI and CNG are free.
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
