Installation - Introduction

The HSM 8000 (Host Security Module) series of equipment provides cryptographic functions to support network and point-to-point data security. Acting as a peripheral to a Host computer, the HSM provides the cryptographic facilities required to implement key management, message authentication and Personal Identification Number (PIN) encryption in real time online environments. The HSM is made physically secure by locks, electronic switches and tamper-detection circuits.

Figure 1 - HSM 8000: Front View showing Normal Operation

The HSM supports a number of standard functions and can be customised to perform client-specific cryptographic functions. Standard functions include:

· Verifying and generating Personal Identification Numbers (PINs) such as those used with bank accounts and credit cards.
· Generating encrypted card values such as Card Verification Values (CVVs) for the plastic card industry.
· PIN solicitation, to obtain a new PIN from a card holder (against a reference number).
· Generating keys for use in Electronic Funds Transfer Point Of Sale (EFTPOS) systems.
· Key management in non-EFTPOS systems.
· Generating and verifying Message Authorization Codes (MACs) for messages transferred via telecommunications networks.

An HSM system consists of a single stand-alone unit or a number of units mounted in a standard 19-inch cabinet. The HSM 8000 can also be used to complement other RG7000 series HSMs in a standard 5-unit cabinet. A typical five-unit configuration permits concurrent operation for high throughput, and, under control of the application program, provides automatic and immediate backup in the event of a fault in a single unit.

The HSM is normally online to the Host and does not require operator monitoring or intervention. The HSM performs cryptographic processing in response to commands from the Host. The Host sends command messages, which consist of command codes and other fields that are required by the HSM in order to process the commands. The HSM processes the command messages and generates response messages, which also contain a variable number of fields (depending on the message type). Some commands, mainly involving plain text data, are entered by the user via the associated HSM Console.
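The command/response exchange described above, sketched as an added example that is not taken from the HSM documentation. The wire layout is an assumption not stated on this page: a 2-byte big-endian length prefix, a 4-character message header echoed in the response, a 2-character command code, and a response code followed by a 2-character error code. The `NC`/`ND` codes and all field values are sample values.

```python
import struct

HEADER_LEN = 4  # assumed message-header length (not stated on this page)


def build_command(header: str, command_code: str, fields: str = "") -> bytes:
    """Frame a Host command: length prefix + header + command code + fields."""
    if len(header) != HEADER_LEN or len(command_code) != 2:
        raise ValueError("header must be 4 chars and command code 2 chars")
    body = (header + command_code + fields).encode("ascii")
    return struct.pack(">H", len(body)) + body


def expected_response_code(command_code: str) -> str:
    """Assumed convention: response code is the command code with its
    second character advanced by one (e.g. NC -> ND)."""
    return command_code[0] + chr(ord(command_code[1]) + 1)


def parse_response(frame: bytes, header: str, command_code: str) -> dict:
    """Parse a response frame and check that it answers the command sent."""
    if len(frame) < 2:
        raise ValueError("frame shorter than length prefix")
    (length,) = struct.unpack(">H", frame[:2])
    body = frame[2:]
    if length != len(body):
        raise ValueError("length prefix does not match body size")
    if len(body) < HEADER_LEN + 4:
        raise ValueError("response too short for header, code and error code")
    text = body.decode("ascii")
    resp_header = text[:HEADER_LEN]
    resp_code = text[HEADER_LEN:HEADER_LEN + 2]
    error_code = text[HEADER_LEN + 2:HEADER_LEN + 4]
    # Correlate the response with the request before trusting its fields.
    if resp_header != header:
        raise ValueError("response header does not echo the request header")
    if resp_code != expected_response_code(command_code):
        raise ValueError("unexpected response code")
    # Assumed: error code "00" means the command completed without error.
    return {"code": resp_code, "error": error_code,
            "ok": error_code == "00", "fields": text[HEADER_LEN + 4:]}


# Constructed sample exchange (values invented for illustration).
REQUEST = build_command("0001", "NC")
SAMPLE_RESPONSE = struct.pack(">H", 14) + b"0001ND00ABCDEF"
```

A Host application that checks the echoed header and the response code in this way rejects a response that belongs to a different command before acting on its fields.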

The throughput of the HSM depends on the types of commands that are executed, and the method and speed of the Host connection.

Note that the console terminal, printer, cables and transceiver are not supplied with the HSM.

Figure 2 - HSM in a Typical System