HSM for Dummies
specific algorithms (as is the JCA). The JCE can use a Service Provider Interface
(SPI) to link different implementations from different suppliers into the Java runtime
environment simultaneously. From Version 1.4, Java ships with a JCE and JCA implementation.
Further provider implementations can subsequently be loaded, both
statically and dynamically. The JCE Provider from the Institute for Applied Information
Processing and Communication Technology (IAIK) at the Technical University
of Graz (Austria) is one of the most widely known JCE implementations.
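An added example, not code from the guide, showing the two loading paths the paragraph describes: providers registered statically (via the runtime's `java.security` file) appear in the provider list without any code, while a PKCS#11-backed provider is attached dynamically with `Provider.configure`. It assumes a JDK 9 or later that ships `SunPKCS11`; the configuration file path is a placeholder.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

public class JceProviderDemo {

    // Static loading: every provider configured in java.security is already
    // registered when the JVM starts, in preference order.
    static void listProviders() {
        for (Provider p : Security.getProviders()) {
            System.out.printf("%-12s %s%n", p.getName(), p.getInfo());
        }
    }

    // Dynamic loading: attach a PKCS#11-backed provider at runtime so that JCE
    // calls are served by an HSM behind its PKCS#11 library. The config file
    // (name/library/slot) is an assumed placeholder supplied by the caller.
    static Provider loadHsmProvider(String configPath) {
        Provider base = Security.getProvider("SunPKCS11"); // unconfigured JDK provider
        Provider hsm = base.configure(configPath);         // Java 9+ API
        Security.insertProviderAt(hsm, 1);                 // make it the preferred provider
        return hsm;
    }

    // Request an algorithm from one named provider rather than "first match":
    // this is how an application pins a cryptographic operation to the HSM.
    static Cipher cipherFrom(String providerName)
            throws NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException {
        return Cipher.getInstance("AES/GCM/NoPadding", providerName);
    }

    public static void main(String[] args) throws Exception {
        listProviders();
        Cipher c = cipherFrom("SunJCE");
        System.out.println("Cipher served by: " + c.getProvider().getName());
        if (args.length == 1) {
            Provider hsm = loadHsmProvider(args[0]);
            System.out.println("Registered dynamic provider: " + hsm.getName());
        }
    }
}
```

Run without arguments to see the statically registered providers; pass the path of a PKCS#11 configuration file to register an HSM-backed provider at runtime.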
Microsoft Cryptography API: Next Generation
Lastly, we take a look around in the Microsoft world. The current interface here
is Cryptography API: Next Generation (CNG). It was introduced in Windows Vista
and supersedes CryptoAPI. CNG supports the currently popular symmetric and
asymmetric algorithms, as well as random number generation and all popular
hash functions. Microsoft is aligning itself with Suite B.
In 2005, the National Institute of Standards and Technology (NIST) in the
United States published a list (Suite B) of cryptographic algorithms. This
collection is a recommendation from the NSA for the deployment of
cryptographic methods and their key strengths. In parallel, the NSA
also put together the Suite A list, representing the algorithms for deployment
in highly sensitive areas. The Suite A list was not released.
But what would IT be without its exceptions? Microsoft has another interface for
HSMs in the field of database servers: the SQL Server data encryption function
Extensible Key Management (EKM). This interface makes it possible
to use an HSM to implement the database encryption that many application
areas stipulate. The EKM interface is essentially another standard Microsoft interface.
Other Standard Interfaces
The interfaces introduced in this guide are the most widely used APIs for HSMs
at the time of printing. Other interfaces that could be added to the list are either
supplier specific but represent a de facto industry standard, or are other defined
interfaces such as the integration of HSMs into the OpenSSL library. OpenSSL is a
library for Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Many
other products, such as OpenCA, use OpenSSL in the backend. The engine concept
of OpenSSL enables developers to link in smartcards and hardware security modules
for all cryptographic processes, meaning OpenSSL also represents a good alternative to
the interfaces we mentioned earlier in this section.