Virudhai Paul

Reputation: 101

How to extend the features of an HSM (Linux) using MSCAPI in Windows?

I am a newbie to HSMs.

I want to access crypto functionality from an HSM in a Linux environment using MSCAPI.

My client's requirement is that the HSM should be accessible using MSCAPI.

So I am in great confusion about how to extend the HSM's features (the HSM running in Linux) into Windows using MSCAPI.

Please help.

Regards, Virudhai Paul

Upvotes: 0

Views: 214

Answers (1)

rip...

Reputation: 1024

The reason someone buys a PCIe HSM is because you cannot access it from off the platform in which it is installed. This is referred to as "offline", and it is the preferred operational case for the "offline root certificate authority" use. You do not want someone to be able to access it, except when they are logged into that machine.

The opposite of "offline" is "online" access, and this is in general provided by the HSM vendors, by selling appliances that come with two things:

  1. A PCIe HSM
  2. The server daemon that sits on a socket and passes incoming traffic to the HSM, and returns the results.

If you need to access the PCIe HSM from any other system, regardless of what OS it is running, then there needs to be a server running on the HSM's host.

No server? No access.

You could certainly implement a server somehow, such that the server would provide the necessary access. I wouldn't though -- if you don't know exactly what you are doing, you can open up security holes and allow your HSM access to be compromised.

The risk and liability of rolling your own server are why the HSM vendor charges so much for the Appliance (i.e., the premium for the Appliance over the PCIe card seems very, very high for what you get in hardware), since really the cost is covering the risk and liability aspects of the server daemon.

So the first step to access: does the vendor provide a Server application that makes the PCIe HSM "visible" to the rest of the network?

Upvotes: 1
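The answer's "first step" is on the HSM host: does the vendor ship a network server daemon? The Windows side of the same question is whether the vendor's MSCAPI/CNG client provider is registered on the machine that is supposed to talk to that daemon. The following PowerShell is an added example, not code from the question, the answer, or any HSM vendor. It assumes only that `certutil.exe` (which ships with Windows) is available and that `certutil -csplist` prints one `Provider Name:` line per registered CSP/KSP; the "non-Microsoft means vendor client" heuristic is an assumption, not a rule.

```powershell
# Added example (not from the question or answer): enumerate the CSP/KSP
# providers Windows CryptoAPI/CNG knows about, so you can tell whether an
# HSM vendor's Windows client provider is registered before relying on it.
# Assumption: certutil.exe prints one "Provider Name: ..." line per provider.

function Get-CryptoProviderNames {
    # certutil -csplist lists both legacy CSPs and CNG key storage providers.
    $raw = & certutil.exe -csplist 2>&1
    $names = @()
    foreach ($line in $raw) {
        if ("$line" -match '^\s*Provider Name:\s*(.+?)\s*$') {
            $names += $Matches[1]
        }
    }
    return $names
}

function Find-NonMicrosoftProviders {
    param([string[]]$Names)
    # Heuristic (assumption): providers not named "Microsoft ..." are usually
    # third-party clients (HSM, smart card or TPM tooling).
    return @($Names | Where-Object { $_ -notmatch '^Microsoft ' })
}

$all    = Get-CryptoProviderNames
$vendor = Find-NonMicrosoftProviders -Names $all

Write-Host ("Registered CSP/KSP providers: {0}" -f $all.Count)
$all | ForEach-Object { Write-Host "  $_" }

if ($vendor.Count -eq 0) {
    Write-Host "No third-party provider registered: no HSM vendor MSCAPI/CNG client is installed on this machine."
} else {
    Write-Host "Third-party providers found (candidate HSM clients):"
    $vendor | ForEach-Object { Write-Host "  $_" }
}
```

This only inspects the Windows machine; it says nothing about whether the Linux host is running a vendor server daemon. In the appliance model the answer describes, the vendor's Windows provider is the piece that forwards MSCAPI/CNG calls over the network to that daemon, so a missing third-party provider here means the Windows-side half of the vendor's "online" access has not been installed, whatever is running on the HSM host.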
