HSM for Dummies
The Common Criteria are made up of three parts:
Introduction and general model
Functional requirements
Assurance requirements
If you’re searching for protection profiles for an HSM, you’ll find protection profiles
for so-called security modules. Caution is called for here, because these are
only security modules in smartcard format. The only protection profile that’s
currently evaluated and published is provided by the German Federal Office for
Information Security (BSI) with the number BSI-CC-PP-0045: Cryptographic
Modules, Security Level ‘Enhanced’.
What Does Certification Mean for My Project?
Misconceptions with regard to certification in particular still abound.
The requirements of certifications with regard to functionality frequently
mean the functions of HSMs are restricted. The consequence of this is that
many manufacturers have introduced the ‘FIPS Mode’. Auditors often expect
conformance to certifications, and so the operators run devices in ‘FIPS
Mode’.
Sometimes the functional scope of an HSM is restricted so much by the certified
version that deployment within the relevant application isn’t possible.
Customers looking for HSMs need to clarify prior to product selection what
exactly they require.
30