The Hardware Security Module (HSM) is a highly secure physical device specifically designed and used for cryptographic processing and strong authentication. It encrypts, decrypts, creates, stores, and manages digital keys and is used for signing and authentication. HSMs may be accessed via PKCS11 and JCE interfaces.
To simulate HSM, the default sandbox installation uses SoftHSM. SoftHSM supports PKCS11 but not JCE.
JCE is a Java keystore class implementation that connects to HSMs. HSM vendors should provide JCE support.
MOSIP highly recommends the following specifications for HSM:
Must support cryptographic offloading and acceleration.
Should provide authenticated multi-role access control.
Must have a strong separation of administration and operator roles.
Capability to support client authentication.
Keystore
mosip.kernel.keymanager.hsm.keystore-type
mosip.kernel.keymanager.hsm.config-path
Must have secure key wrapping, backup, replication, and recovery.
Must support 2048, 4096-bit RSA private keys, and 256-bit AES keys on the FIPS 140-2 Level 3 Certified Memory of the Cryptographic Module.
Must support clustering and load balancing.
Should support the cryptographic separation of application keys using logical partitions.
Must support M of N multi-factor authentication.
PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI, and CNG
Minimum dual Gigabit Ethernet ports (to service two network segments) and, optionally, 10G Fibre ports could be available.
Asymmetric public key algorithms: RSA, Diffie-Hellman, DSA, KCDSA, ECDSA, ECDH, and ECIES
Symmetric algorithms: AES, ARIA, CAST, HMAC, SEED, Triple DES, DUKPT, and BIP32
Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bits).
Full Suite B implementation with fully licensed ECC, including Brainpool, custom curves, and safe curves
Safety and environmental compliance
Compliance with UL, CE, and FCC Part 15 Class B.
Compliance with RoHS2 and WEEE.
Management and monitoring
Support remote administration —including adding applications, updating firmware, and checking the status— from NoC.
Syslog diagnostics support
Command Line Interface (CLI) or Graphical User Interface (GUI)
Physical characteristics
Standard 1U 19-inch rack mount with integrated PIN ENTRY Device or Smart Card or any equivalent security.
Performance
RSA 2048 signing performance: 10,000 per second.
RSA 2048 key generation performance: 10+ per second.
RSA 2048 encryption or decryption performance: 20000+ per second.
RSA 4096 signing performance: 2000+ per second.
RSA 4096 key generation performance: 2+ per second.
RSA 4096 encryption or decryption performance: 20000+ per second.
Should be able to backup keys, replicate keys, and store keys in offline locker facilities for DR. The total capacity is in line with the total number of keys prescribed.
Less than 30 seconds for key replication across the cluster.
mosip.kernel.keymanager.hsm.keystore-pass
JCE
mosip.kernel.keymanager.hsm.jce.className
mosip.kernel.keymanager.hsm.jce.keyStoreType
mosip.kernel.keymanager.hsm.jce.keyStoreFile
mosip.kernel.keymanager.hsm.jce.<ANY_OTHER_PARAM_01>
mosip.kernel.keymanager.hsm.jce.<ANY_OTHER_PARAM_02>
The Key Manager Service provides secure storage, provisioning and management of secret data. It provides all the cryptographic operations like encryption/decryption and digital signature/verification making one trust store for all partner trust path validation. It manages the lifecycle of encryption/decryption keys, including generation, distribution, administration, and deletion.
This includes keying material such as symmetric keys, asymmetric keys, certificates and algorithm data. It is a web-based key management solution that helps consolidate, control, manage, monitor, all key generation and maintenance of key life cycle required in MOSIP.
Key Manager interfaces with key store like Hardware Security Module (HSM) and mosip_keymgr DB.
RSA-2048 for all data encryption
AES-256 for
Root and Module keys reside in HSM while Base key pair reside in the DB encrypted by Module keys. All references (aliases) containing metadata of keys are present in table. The table contains encrypted Base keys.
The keys are identified as tuple of app_id and ref_id.
app_id (or applicationId): Typically, module name e.g. REGISTRATION.
ref_id (or referenceId): Specified only for Base keys (except SIGN*). Eg. 10001_110011
* SIGN: TBD
Root and Module keys are generated by any one of these methods:
Using Key Generator job or
Using Key Manager option in .
After the deployment, the initial set of pre-requisite keys has to be generated by the Administrator to complete the Key Manager setup. This generation is a one-time activity, and afterwards, the Key Manager will auto-generate all the required Root key and Module master keys upon expiry of key duration.
Base keys are auto-generated (and updaded on expiry) - the administrator is not required to request for generation. The keys reside in the DB. A new key pair is generated if not found in the DB.
The default validity of the keys may be modified by updating before generating keys.
You can revoke Root or Module key by invoking API with force attribute as true. API invalidates existing key and immediately generates new key.
You can revoke Base key by invoking API with the respective applicationId and referenceId.
Random AES 256-bit key will be generated, generated random key will be used to encrypt the actual registration packet.
Random generated key will be encrypted using the certificate received from server. Certificate contains RSA 2048 bit key.
Certificate Thumbprint will be computed.
Thumbprint will be prepend to encrypted random key for key identification.
Registration packet data will be split to get the encrypted random key, encrypted registration data, certificate thumbprint.
Identifies the respective private key to decryption process.
Identified private key will be decrypted with the mapped master key.
Decrypted private key will be used to decrypt the encrypted random key.
sends request to sync data service for the client configuration data.
Sync Data service requests Key Manager service to provide the reg-client specific certificate. Key identifier will be APP_ID - REGISTRATION, REF_ID - CENTER-ID_MACHINE-ID.
Key Manager service generate a new key pair, encrypts the private key with REGISTRATION master key and creates a new certificate using same master.
To know more about the developer setup, read .
Refer .
.
Root
Signing, encryption of Base keys
Key Generator job or Admin Portal
Automatic
3 years
Base
Database
Module
Encryption of registration packet etc.
Automatic
Automatic
2 years
Finally, the encrypted random key with prepended thumbprint will be concated with encrypted registration packet using #KEY_SPLITTER# as separator.
Decrypt the registration packet using the decrypted random key.
Returns the decrypted data to REG_PROC.
Sync data service sends the certificate to Registration Client.
The registration packet will be encrypted using the certificate received from the server after collecting all the required data for registration, including adding the digital signatures required to the registration data, and before saving/writing the data on the Registration Client hard-disk.
REG_PROC sends request to decrypt the data to Key Manager service with same app_id and ref_id.
Key type
Location
Issuer
Purpose
Example
Updation method(on expiry)
Root
Self signed
Root
Key Generator job or Admin Portal
Automatic
5 years
Module
To get an overview of Key Manager, refer Key Manager.
Below is a list of tools required in Key Manager:
JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
PostgreSQL
Any DB client (like DBeaver, pgAdmin)
Postman (any HTTP Client)
Git
Any Editor (like Vscode, Notepad++ etc optional)
lombok.jar (jar file)
settings.xml (document)
1. Download and .
2. Unzip Apache Maven and move settings.xml to "conf" folder <apache maven unzip path>\conf.
3. Install Eclipse, open the lombok.jar file and then click Install/Update.
4. Check the Eclipse installation folder to see if the lombok.jar is added.
5. Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.
For the code setup, clone the repository and follow the guidelines mentioned in the .
Open the project folder where pom.xml is present.
Open the command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true -DskipTests=true to build the project.
Download and add to project Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close.
Clone .
Refer to deploy local DB.
Key Manager uses two property files, kernel-default and application-default, configure them accordingly. For instance,
Key Manager needs a Keystore to store keys. Supported Keystore types: PKCS11, PKCS12, Offline, JCE.
Secrets can be encrypted using .
Update URL's in property files.(It can be either pointed to any remotely or locally deployed services)
Download . For Windows, download , Linux users can run java -jar -Dspring.profiles.active=native -Dspring.cloud.config.server.native.search-locations=file:{mosip-config-mt_folder_path}/config -Dspring.cloud.config.server.accept-empty=true -Dspring.cloud.config.server.git.force-pull=false -Dspring.cloud.config.server.git.cloneOnStart=false -Dspring.cloud.config.server.git.refreshRate=0 {jarName} .
Run the server by opening the config-server-start.bat file.
http://localhost:51000/config/{spring.profiles.active}/{spring.cloud.config.name}/{spring.cloud.config.label} for instance http://localhost:51000/config/kernel/env/master.
Key Manager REST service consists of bootstrap.properties file in src/main/resources.
Below properties needed to be modified in order to connect to the config server:
Services can be run using Run As -> Spring Boot App/Java Application.
Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.After successful importing of project, update the project by right-click on Project → Maven → Update Project.
For API documentation, refer here.
The API's can be tried with the help of Swagger-UI and Postman.
Swagger-UI service can be accessed from (https/http)://(<domain>/<host>:<port>)/<context-path>/swagger-ui/index.html?configUrl=<contect-path>/v3/api-docs/swagger-config for instance https://dev2.mosip.net/v1/auditmanager/swagger-ui/index.html?configUrl=/v1/keymanager/v3/api-docs/swagger-config.
The API's can be tried using Postman. URLs and Body structures can be found in swagger or curl command can be copied and imported in Postman.
# For PKCS11 provide Path of config file.
# For PKCS12 keystore type provide the p12/pfx file path. P12 file will be created internally so provide only file path and file name.
# For Offline & JCE property can be left blank, specified value will be ignored.
mosip.kernel.keymanager.hsm.config-path=/config/softhsm-application.conf
# Passkey of keystore for PKCS11, PKCS12
# For Offline & JCE property can be left blank. JCE password use other JCE specific properties.
mosip.kernel.keymanager.hsm.keystore-pass={cipher}2d6aa328be521b2be6f33f476f7df2ea39c7ae1a3e2146ec169c5fac3225da3fspring.cloud.config.uri=<config server uri>
spring.cloud.config.label=<branch of config repo>
spring.profiles.active=defaultIn MOSIP every cryptographic key is referred by an Application ID and Reference ID.
Refer Key Manager for further details.
Country
Auto generated by key generator
K2
Registration
REGISTRATION
-
RSA 2048
Private key, certifcate signed by Kernel Root
HSM-1
Country
Auto generated by key generator
K3
PreReg
PRE_REGISTRATION
-
RSA 2048
Private key, certifcate signed by Kernel Root
HSM-1
Country
Auto generated by key generator
K4
Kernel Sign
KERNEL
SIGN
RSA 2048
Private key, certifcate signed by Kernel Root
HSM-1
Country
Auto generated by key generator
K5
Registration Processor
REGISTRATION_PROCESSOR
-
RSA 2048
Private key, certifcate signed by Kernel Root
HSM-1
Country
Auto generated by key generator
K6
PMS
PMS
-
RSA 2048
Private key, certifcate signed by Kernel Root
HSM-1
Country
Auto generated by key generator
K7
ID Repo
ID_REPO
-
RSA 2048
Private key, certifcate signed by Kernel Root
HSM-1
Country
Auto generated by key generator
K7.1
ID Repo
ID_REPO
demographic_data
RSA 2048
Private key, certifcate signed by ID Repo
KeyMgr DB
System
Auto-generated when accessed
K7.2
ID Repo
ID_REPO
biometric_data
RSA 2048
Private key, certifcate signed by ID Repo
KeyMgr DB
System
Auto-generated when accessed
K7.3
ID Repo
ID_REPO
identity_data
RSA 2048
Private key, certifcate signed by ID Repo
KeyMgr DB
System
Auto-generated when accessed
K7.4
ID Repo
ID_REPO
uin
RSA 2048
Private key, certifcate signed by ID Repo
KeyMgr DB
System
Auto-generated when accessed
K7.5
ID Repo
ID_REPO
credential_request
RSA 2048
Private key, certifcate signed by ID Repo
KeyMgr DB
System
Auto-generated when accessed
K8
Resident Services
RESIDENT
-
RSA 2048
Private key, certifcate signed by Kernel Root
HSM-1
Country
Auto generated by key generator
K9
Kernel Identity Cache
KERNEL
IDENTITY_CACHE
AES 256
Symmetric key
HSM-1
Country
Auto generated by key generator
K10
Registration Client (TPM)
-
-
RSA 2048
Private key, certificate
Client TPM (private key), Server DB (Certificate)
Registration Client Software
Auto generatde by Registration Client Software in TPM
K11
Registration Client Packet Encryption
REGISTRATION
CenterID_MachineID
RSA 2048
Private key, certificate signed by registration
Server DB (private key), Client DB (Certificate)
System
Auto-generated when accessed
K12
Data Share (10000 keys) for zero knowledge encryption
-
-
AES 256
Symmetric key, encrypted by Kernel Identity Cache
KeyMgr DB
System
Auto generated by key generator
K13
CA / Sub-CA certificates
-
-
X.509
Certificates
PMS DB
CA
Manually Uploaded
K14
PARTNER
PartnerID
X.509
Certificates signed by CA
PMS DB
Partners
Manually Uploaded
K15
IDA Root
ROOT
-
RSA 2048
Private key, self signed certificate
HSM-2
Country
Auto generated by key generator
K16
IDA
IDA
-
RSA 2048
Private key, certificate signed by IDA Root
HSM-2
Country/IDA Partner
Auto generated by key generator
K17
IDA Sign
IDA
SIGN
RSA 2048
Private key, certificate signed by IDA Root
HSM-2
Country
Auto generated by key generator
K18
IDA Identity Cache
IDA
IDENTITY_CACHE
AES 256
Symmetric key
HSM-2
Country
Auto generated by key generator
K19
IDA Internal
IDA
INTERNAL
RSA 2048
Private key, certificate signed by IDA
IDA DB
System
Auto-generated when accessed
K20
IDA Partner
IDA
PARTNER
RSA 2048
Private key, certificate signed by IDA
IDA DB
System
Auto-generated when accessed
K21
IDA FIR
IDA
FIR
RSA 2048
Private key, certificate signed by IDA
IDA DB
System
Auto-generated when accessed
K22
IDA Cred Service
IDA
CRED_SERVICE
RSA 2048
Private key, certificate signed by IDA
IDA DB
System
Auto-generated when accessed
DEVICE
Device_Provider
PK3
Print Service Provider
PARTNER
mpartner-default-print (or partner ID)
AUTH
Credential_Partner
PK4
Auth Providers or Relying Party
PARTNER
Partner ID
AUTH
Auth_Partner
PK5
FTM Providers (per Chip Model)
PARTNER
Partner ID
FTM
FTM_Provider
PK6
MISP
PARTNER
Partner ID
AUTH
MISP_Partner
PK7
Manual Adjudicator
PARTNER
mpartner-default-manual-adjudication (or partner ID)
AUTH
Manual_Adjudication
PK8
IDA system
PARTNER
mpartner-default-auth (or partner ID)
AUTH
Online_Verification_Partner
PK9
Resident Services
PARTNER
mpartner-default-resident (or partner ID)
AUTH
Credential_Partner
RSA 2048
Private key, self signed certificate
SBI Service
Auto generated by SBI Service
FK1
FTM key
RSA 2048
Private key, FTM Provider issued certificate
FTM
FTM
DE1
Biometric encryption random session key
AES>=256
No storage, key is created with TRNG/DRBG inside FTM
FTM
FK2
Secure boot
RSA>=256
Private key, self signed certificate
FTM
FTM Provider
Key never leaves FTM
K1
Kernel Root
ROOT
-
RSA 2048
Private key, self signed certificate
PK1
ABIS
PARTNER
mpartner-default-abis (or partner ID)
AUTH
ABIS_Partner
PK2
Device Providers
PARTNER
DKL0
Device key SBI CL 1.0
RSA 2048
Private key, self signed certificate
Host machine TPM/key store
Auto generated by SBI Service
DKL1
HSM-1
Partner ID
Device key