HSM crypto


Author: Admin | 2025-04-28

I worked on and completed a PKI project which used an HSM for generating and storing keys and performing crypto functions. I used PKCS#11 to interface with our application for signing/verifying and encryption/decryption. Our platform is Windows. Now we are looking to offer a low-cost alternative solution by replacing the HSM with a software security module. I must note here that I am aware of the drawbacks of not using an HSM. It's a trade-off between security vs. cost. I found that Microsoft provides the Next Generation CryptoAPI (CNG), key store and certificate services. My senior management are not inclined to use open source software. I also found RSA and Cryptomathic offering toolkits to perform software-based solutions. Has anybody come across any commercial software security module toolkits to perform key generation, key store and crypto functions?

Programming language: C/C++

Thanks,
Raj

Tom Ritter | asked Aug 26, 2009 at 14:16

You could use SoftHSM, which is a pure-software PKCS #11 implementation. It is being used by the OpenDNSSEC project precisely to be swapped out in cases where a real HSM is not available, so it might work for you too. However, it's BSD licensed, so I guess your management may not like it on that basis.

If you are looking for low-cost and yet commercial (I'm not sure if you're specifically looking for something proprietary, which CryptoAPI is, or for something that is commercially supported, which CryptoAPI is not, unless you have a contract with Microsoft), rewriting your application to use the Win32 CryptoAPI seems the only viable option to me. RSA's toolkits are not cheap, in my experience.

answered Sep 10, 2009 at 13:05 by Jack Lloyd

I have a customer who used the software PKCS#11 implementation that comes with Mozilla's NSS as a drop-in replacement for the HSM. They're on Linux using ruby-pkcs11, so your mileage may vary.

answered Mar 2, 2011 at 17:27

Your best option should be to find a software PKCS#11 library. There should be several implementations on the market - I know that the company I work for sells one. That way you would still be able to switch back to a PKCS#11-compliant HSM, and the necessary modifications to the application should be minimal.

Your other options are CryptoAPI or CNG from Microsoft, or a toolkit from RSA, Cryptomathic or another vendor. That would probably require more work to rewrite the application - I can't really see any advantage to this option, except that CryptoAPI and CNG are free.

answered Sep 9, 2009 at 10:39 by Rasmus Faber

I'm testing a solution called Vault from HashiCorp that is something like an SSM (Software Security Module) that can protect keys and make cryptographic operations. It has a server that can be used in "developer mode" (for testing and programming) and a very strict "production mode" that can be used in a final environment. The basic solution is Open Source,
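Both the SoftHSM answer and the "find a software PKCS#11 library" answer rest on the same property: a PKCS#11 module is a shared library the application loads by path, so the vendor HSM library and a software module can be exchanged without touching the calling code. The C program below is an added example, not code from the question or any answer: it loads whichever module the PKCS11_MODULE variable (an assumed name) points at and goes through C_GetFunctionList and C_Initialize as the spec requires; the CK_FUNCTION_LIST prefix it declares inline is a stand-in for pkcs11.h so it builds without the Cryptoki headers.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#define P11_OPEN(p)   ((void *)LoadLibraryA(p))
#define P11_SYM(h, s) ((void *)GetProcAddress((HMODULE)(h), (s)))
#define P11_CLOSE(h)  FreeLibrary((HMODULE)(h))
#pragma pack(push, 1)  /* Cryptoki structures are byte-packed on Windows */
#else
#include <dlfcn.h>
#define P11_OPEN(p)   dlopen((p), RTLD_NOW)
#define P11_SYM(h, s) dlsym((h), (s))
#define P11_CLOSE(h)  dlclose(h)
#endif
typedef unsigned long CK_RV;                                /* CKR_OK == 0 */
typedef struct { unsigned char major, minor; } CK_VERSION;
typedef struct {            /* leading members of CK_FUNCTION_LIST, in the order */
    CK_VERSION version;     /* fixed by the spec; a real build includes pkcs11.h */
    CK_RV (*C_Initialize)(void *init_args);
    CK_RV (*C_Finalize)(void *reserved);
} CK_FUNCTION_LIST_PREFIX;
#ifdef _WIN32
#pragma pack(pop)
#endif
typedef CK_RV (*C_GetFunctionList_t)(CK_FUNCTION_LIST_PREFIX **list);
typedef struct { void *handle; CK_FUNCTION_LIST_PREFIX *fl; } p11_module;

/* Load `path`, fetch its function table, call C_Initialize. Returns 0 on success,
 * -1 if the library or C_GetFunctionList is missing, else C_Initialize's CK_RV. */
long p11_load(const char *path, p11_module *m) {
    long rc = -1;
    m->fl = NULL;
    if (!(m->handle = P11_OPEN(path))) return -1;
    C_GetFunctionList_t getlist = (C_GetFunctionList_t)P11_SYM(m->handle, "C_GetFunctionList");
    if (getlist && getlist(&m->fl) == 0 && m->fl) rc = (long)m->fl->C_Initialize(NULL);
    if (rc != 0) { P11_CLOSE(m->handle); m->handle = NULL; m->fl = NULL; }  /* no half-open state */
    return rc;
}

/* PKCS11_MODULE (assumed name) picks the library at run time: vendor HSM or SoftHSM, no rebuild */
int main(void) {
    const char *path = getenv("PKCS11_MODULE");
    p11_module m;
    if (!path) { fprintf(stderr, "set PKCS11_MODULE to the .so/.dll path\n"); return 2; }
    long rc = p11_load(path, &m);
    if (rc != 0) { fprintf(stderr, "load failed (%ld)\n", rc); return 1; }
    printf("loaded %s: Cryptoki v%d.%d\n", path, m.fl->version.major, m.fl->version.minor);
    m.fl->C_Finalize(NULL);
    P11_CLOSE(m.handle);
    return 0;
}
```

On Linux, point PKCS11_MODULE at libsofthsm2.so to exercise the software path, then at the vendor's library to confirm the same binary works against the HSM.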
