Software security Module/ toolkit replacing HSM for developing crypto functions
https://stackoverflow.com/questions/1335030
-
20-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I worked and completed a PKI project which used a HSM for generating - storing keys and performing crypto functions. I used PKCS#11 to interface with our application for sigining/verifying and encryption/decryption. Our platform is windows.
Now we are looking to offer a low cost alternative solution by replacing the the HSM with a software security module. I must note here that i am aware of the drawbacks of not using a HSM. Its a trade off between security Vs Cost.
I found that Microsoft provides the Next Generation CryptoAPI (CNG), key store and certificate services. My senior management are not inclined to use open source software. I also found RSA and cryptomathic offering toolkits to perform software based solutions.
Has anybody come across any commercial software security module tool kits to perform key generation, key store and crypto functions?
Programming language - c/c++
Thanks
Raj
Solution
Your best option should be to find a software PKCS#11 library. There should be several implementations on the market - I know that the company I work for sells one. That way you would still be able to switch back to a PKCS#11-compliant HSM and the necessary modifications to the application should be minimal.
Your other options are CryptoAPI or CNG from Microsoft or a toolkit from RSA, Cryptomathic or another vendor. That would probably require more work to rewrite the application - I can't really see any advantage to this option, except that CryptoAPI and CNG are free.
OTHER TIPS
You could use SoftHSM, which is a pure-software PKCS #11 implementation. It is being used by the OpenDNSSEC project precisely to be swapped out in cases a real HSM is not available, so it might work for you too. However, it's BSD licensed, so I guess your management may not like it on that basis.
If you are looking for low-cost and yet commmercial (I'm not sure if you're specifically looking for something proprietary, which CryptoAPI is, or for something that is commercially supported, which CryptoAPI is not, unless you have a contract with Microsoft), rewriting your application to use the Win32 CryptoAPI seems the only viable option to me. RSA's toolkits are not cheap, in my experience.
I have a customer who used the software PKCS#11 implementation that comes with Mozilla's NSS as a drop-in replacement for the HSM. They're on Linux using ruby-pkcs11, so your mileage may vary.
Take a look at http://www.openssl.org/related/kits.html for LSM-PKCS11. That could be a solution.
