SECURING KEYS WITH CRYPTOPRO HSM
CryptoPro HSM is a high-performance hardware security module equipped with tamper detection, key protection based on a shared secret (3 out of 5 administrator keys), a secure operating system, and trusted mechanisms for auditing and port monitoring.
All user keys are stored in the HSM in encrypted form under dedicated master encryption keys. The master keys are in turn encrypted with the HSM activation key, which is protected by a “3 out of 5” key sharing scheme: shares of this key are stored on smart cards distributed among the company’s security officers.
A user’s secret key is decrypted in the HSM’s RAM only at that user’s request. Users can access the HSM only after it has been activated (by presenting the required shares of the activation key) and after a successful authentication procedure based on the standard mutually authenticated TLS protocol. Users generate their TLS access keys on smart cards or USB tokens; it is also possible to store these keys in the Windows registry on the user’s workstation.
The HSM provides CryptoAPI, PKCS#11 and JCA interfaces, available over a secure channel from the access server after authentication.
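As an added illustration of the “3 out of 5” protection of the activation key described above (example code, not CryptoPro’s own; the page does not name the threshold scheme, so a Shamir-style scheme over a prime field with constructed parameters is assumed):

```python
import secrets

# Field modulus: a prime larger than any secret we share. The 127-bit Mersenne
# prime is a constructed choice; CryptoPro's real parameters are not on the page.
PRIME = 2**127 - 1

def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, threshold, n_shares):
    """Split `secret` into n_shares shares; any `threshold` of them rebuild it.
    The secret is the constant term of a random degree-(threshold-1) polynomial
    and share i is the point (i, f(i)); fewer than `threshold` points leave the
    constant term completely undetermined."""
    if not (0 <= secret < PRIME and 1 < threshold <= n_shares):
        raise ValueError("bad sharing parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]

def recover_secret(shares, threshold):
    """Recover the constant term by Lagrange interpolation at x = 0. Refuses to
    proceed without a full quorum, the check an HSM makes before unwrapping."""
    if len(shares) < threshold:
        raise ValueError("quorum not met: need %d shares" % threshold)
    pts = shares[:threshold]
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

if __name__ == "__main__":
    activation_key = secrets.randbelow(PRIME)           # constructed sample key
    officer_cards = split_secret(activation_key, 3, 5)  # one share per officer
    quorum = [officer_cards[0], officer_cards[2], officer_cards[4]]
    assert recover_secret(quorum, 3) == activation_key
    print("activation key rebuilt from officers 1, 3 and 5")
```

Any three of the five cards reconstruct the key, while two cards interpolated as if they were a quorum yield an unrelated value, which is why the quorum check must run before any unwrapping.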
It seamlessly integrates with widely available software from major vendors, delivering secure key storage and operation for Certification Authorities, OCSP servers, Time Stamping Authorities and other Trust Service Providers.
It supports the following operations:
- Digital signature generation and verification
- Data encryption and decryption according to national and international standards
- Hash function calculation
- ECC operations, including Diffie-Hellman key agreement on Twisted Edwards curves
- MAC mechanisms