3 The Interface: The Key to the Application
Purposes of Interfaces
The interface for communication with cryptographic devices is, unfortunately,
an Achilles’ heel in the deployment of HSMs. An HSM is a system that can embody
a very high level of complexity. That complexity brings with it the potential
for major implementation errors, which in turn can enable a successful attack
by means of a combination of different command structures.
Oldenburg University has published a very good overview of the forms that
attacks on interfaces take:
http://www.uni-oldenburg.de/fileadmin/user_upload/informatik/download/da.pdf.
An HSM can also run multi-protocol functions. The consequence is that command
interactions between the individual function protocols can result in errors.
Multi-protocol HSMs of this kind, which provide different interfaces for
diverse applications, are found in the banking sector in particular.
Selecting the Correct Interface
One of the most important criteria in selecting an HSM interface is always an
assessment of the requirements of the usage environment. This means that, in a
usage environment dominated totally by Microsoft, 90 percent of the interfaces
you require are Microsoft-defined interfaces, such as CNG (Cryptography API:
Next Generation). The choice also always depends on which interface to an HSM
the application you’re planning to use already has. The last few years have
seen advancements in this field in particular, and more and more suppliers of
standard business applications have integrated interfaces for HSMs or security
tokens. Here’s a list of the most well-known applications:
Microsoft Windows Server 2012; Active Directory Certificate Services (AD CS)
Microsoft Active Directory Rights Management Services (AD RMS)
Microsoft Internet Information Server (IIS)
Microsoft SQLEKM Provider
Bind 9 (Domain Name System)
OpenDNSSEC