Hardware Security Module (HSM)
Overview
The Hardware Security Module (HSM) is a highly secure physical device specifically designed and used for cryptographic processing and strong authentication. It encrypts, decrypts, creates, stores, and manages digital keys and is used for signing and authentication. HSMs may be accessed via PKCS11 and JCE interfaces.
To simulate an HSM, the default sandbox installation uses SoftHSM. SoftHSM supports PKCS11 but not JCE.
JCE
JCE is a Java keystore class implementation that connects to HSMs. HSM vendors should provide JCE support.
Specification
MOSIP highly recommends the following specifications for HSM:
Must support cryptographic offloading and acceleration.
Should provide authenticated multi-role access control.
Must have a strong separation of administration and operator roles.
Capability to support client authentication.
Must have secure key wrapping, backup, replication, and recovery.
Must support 2048-bit and 4096-bit RSA private keys, and 256-bit AES keys, on the FIPS 140-2 Level 3 Certified Memory of the Cryptographic Module.
Must support at least 10000+ 2048-bit RSA private keys on the FIPS 140-2 Level 3 Certified Memory of the Cryptographic Module.
Must support clustering and load balancing.
Should support the cryptographic separation of application keys using logical partitions.
Must support M of N multi-factor authentication.
PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI, and CNG
Minimum dual Gigabit Ethernet ports (to service two network segments) and, optionally, 10G Fibre ports could be available.
Asymmetric public key algorithms: RSA, Diffie-Hellman, DSA, KCDSA, ECDSA, ECDH, and ECIES
Symmetric algorithms: AES, ARIA, CAST, HMAC, SEED, Triple DES, DUKPT, and BIP32
Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bits).
Full Suite B implementation with fully licensed ECC, including Brainpool, custom curves, and safe curves
Safety and environmental compliance
Compliance with UL, CE, and FCC Part 15 Class B.
Compliance with RoHS2 and WEEE.
Management and monitoring
Support remote administration (including adding applications, updating firmware, and checking the status) from NoC.
Syslog diagnostics support
Command Line Interface (CLI) or Graphical User Interface (GUI)
Support the SNMP monitoring agent.
Physical characteristics
Standard 1U 19-inch rack mount with integrated PIN ENTRY Device or Smart Card or any equivalent security.
Performance
RSA 2048 signing performance: 10,000 per second.
RSA 2048 key generation performance: 10+ per second.
RSA 2048 encryption or decryption performance: 20000+ per second.
RSA 4096 signing performance: 2000+ per second.
RSA 4096 key generation performance: 2+ per second.
RSA 4096 encryption or decryption performance: 20000+ per second.
Should be able to backup keys, replicate keys, and store keys in offline locker facilities for DR. The total capacity is in line with the total number of keys prescribed.
Clustering minimum of 20 HSMs.
Less than 30 seconds for key replication across the cluster.
A minimum of 30 logical partitions and their license should be included in the cost.
Guide to Integrate HSM
Configuration
Keystore
mosip.kernel.keymanager.hsm.keystore-type
mosip.kernel.keymanager.hsm.config-path
mosip.kernel.keymanager.hsm.keystore-pass
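As an added illustration (not MOSIP's own code), the following Java program shows one way the three keystore properties above could be used to open a PKCS11 keystore through the JDK's SunPKCS11 provider and to confirm that private keys stay on the token. It assumes keystore-type is PKCS11, that config-path names a SunPKCS11 provider configuration file, and that the PIN arrives in a hypothetical HSM_PIN environment variable; the path shown is a placeholder.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.Properties;

public class HsmKeystoreCheck {
    static final String PREFIX = "mosip.kernel.keymanager.hsm.";

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a deployment reads these from its own property source.
        Properties props = new Properties();
        props.setProperty(PREFIX + "keystore-type", "PKCS11");
        props.setProperty(PREFIX + "config-path", "/path/to/pkcs11.cfg"); // placeholder path

        // Take the PIN from the environment (hypothetical variable name) so it is
        // never committed alongside the other properties.
        String pin = System.getenv("HSM_PIN");
        if (pin == null) throw new IllegalStateException("HSM_PIN is not set");
        props.setProperty(PREFIX + "keystore-pass", pin);

        String type = props.getProperty(PREFIX + "keystore-type");
        if (!"PKCS11".equals(type))
            throw new IllegalArgumentException("this check only handles PKCS11, got " + type);

        // Java 9+: bind the built-in SunPKCS11 provider to the token described in the config file.
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) throw new IllegalStateException("SunPKCS11 provider not available");
        Provider p11 = base.configure(props.getProperty(PREFIX + "config-path"));
        Security.addProvider(p11);

        // For a PKCS11 keystore there is no file stream; load() logs in to the token with the PIN.
        KeyStore ks = KeyStore.getInstance(type, p11);
        char[] pinChars = props.getProperty(PREFIX + "keystore-pass").toCharArray();
        ks.load(null, pinChars);
        Arrays.fill(pinChars, '\0'); // wipe the PIN copy once the session is open

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Key key = ks.getKey(alias, null); // the password argument is ignored for PKCS11
            // SunPKCS11 returns null from getEncoded() for keys the token marks
            // sensitive or non-extractable; a non-null value means the key can leave the HSM.
            boolean exportable = key.getEncoded() != null;
            System.out.printf("%-30s %-6s exportable=%b%n", alias, key.getAlgorithm(), exportable);
        }
    }
}
```

Any key entry reported with exportable=true can be read out of the token by the application and is worth reviewing against the key wrapping and backup requirements listed in the specification.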
JCE
mosip.kernel.keymanager.hsm.jce.className
mosip.kernel.keymanager.hsm.jce.keyStoreType
mosip.kernel.keymanager.hsm.jce.keyStoreFile
mosip.kernel.keymanager.hsm.jce.<ANY_OTHER_PARAM_01>
mosip.kernel.keymanager.hsm.jce.<ANY_OTHER_PARAM_02>