Slightly off-topic: HSM Recommendations?
melvin1...@yahoo.com
All,
I'm working on an acquiring product that needs to process PIN based
debit transactions.
Does anyone have recommendations or tips for choosing a Hardware
Security Module(HSM)?
Has anyone worked on a project that required integrating jPOS with a
HSM?
thanks,
-m
Andy Orrock
It's not off-topic in the slightest. In fact, it's at the heart of
what a jPOS-based application would have to do.
First, to narrow your selection set a bit: don't even think about
Asynch-connected (i.e., RS232-connected models. You want a box that
uses TCP/IP connectivity (both for integration reasons as well as
throughput reasons).
There are three good options for you:
1. The Thales "HSM 8000" series (Thales bought Racal which is the
brand name we're most familiar with in this industry). See
http://www.thales-esecurity.com/ProductsServices/HSM8000.shtml
2. The IDS Key-Up II. See http://www.keyup.biz/products.html
3. The Atalla series of products (owned by H-P and generally
categorized with their "Non-Stop Computing" (i.e. Tandem) family of
products. See http://h20223.www2.hp.com/NonStopComputing/cache/76417-0-0-0-121.aspx
I've been involved with jPOS-based products where we've successfully
integrated the Key-Up for both Issuer and Acquirer functions. We are
in process of intregrating the Thales HSM in an Acquirer role on
another project. I can't speak directly about the Atalla, but its
track record in the industry speaks for itself.
The various features we've implemented are (presented in no particular order):
a. Perform "dynamic key exchange" with a Debit/EBT gateway (for you
Thales/RACAL people out there, that means we can "accept a Zone PIN
Key encrypted under a Zone Master Key and re-encrypt it under our
Local Master Key").
b. Accept BDK-generated, DUKPT-enabled PIN blocks in "card set-up"
requests and generate a "PIN offset" (which we store on our database
encrypted under a PIN Key) [BDK = Base Derivation Key; DUKPT =
Dervived Unique Key Per Transaction]
c. We also have implemented PIN transaction, in which we take the
DUKPT-enabled PIN block from an incoming terminal request and use the
HSM to provide a Triple DES-enabled PIN block using the current ZPK
(as received and stored in 'a').
I've got two other pieces, which are:
* Always ask your selected vendor for a field-by-field walkthrough of
the commands you need to use. First, because the vendor-provided
books always consist of about 40 - 50 possible commands and you'll
typically need about 3 of them. So, you want to drill down on those
and understand their nuances. Second, because you'll hopefully get an
experienced engineer on the call that will be able to cut to the chase
for you. You'll be fretting about some field and the guy/gal will
tell you something like "you don't need to send anything beyond Field
9."
* Always insist on seeing trace examples. These will be invaluable to
you and will greatly elucidate points the spec tries to make.
Hope that helps.
Andy Orrock
chhil
Additional HSM's
Thales is what we recommend to clients...
Speed of processing crypto operations.
-chhil
Melvin -
It's not off-topic in the slightest. In fact, it's at the heart of
what a jPOS-based application would have to do.
First, to narrow your selection set a bit: don't even think about
Asynch-connected ( i.e., RS232-connected models. You want a box that
Andy Orrock
Your list reminds me of another decision/review factor: the
adminstrative interface. Melvin, you sound like you're handling the
coding aspects of this thing. Equally important is how well the HSM
handles the administrative tasks, like doing key ceremonies for BDK
creation, KEK (a.k.a., ZMK) key part entry, etc. And typically this
is another group in the company that handles things in this areana
(usually infrastructure, or system support or even a separate security
group). Those guys/gals need to be in involved in the review and take
ownership of the adminstrative facililty aspects of the
decision-making process. It ought to be assigned 50% of the weight in
the review.
One client of ours recently decided on the Thales because of its
administrative capabilities (the program integration features in the
two finalists were a tie). They liked what it did with smart cards,
which met some strict enterprise standards they had in place on that
front.
Andy Orrock
Alwyn Schoeman
I don't know why I keep on selling my previous company, must be because their product
is so good as I can think of no other reason.
The best bang for your buck would be products by a company called Prism (www.prism.co.za) from South-Africa.
Their product is called Incognito and I think was mentioned by somebody else. I think it is resold in the US market
as Mosaic.
Their cards are the result of buying a company called Nanotech which used to supply the military with products. Their
manufacturing processes are still up to military standards I'm told.
I worked on a banking application where we had Thales HSM's that could do 50 tps. If I remember correctly these machines
cost us between $40-80k USD each.
Prism can supply you with cards that can do 600 tps upwards for half that price range. If I'm not mistaken these cards even
have FIPS 4 rating (I'm sure of at least 3). The cards are limited to a certain performance, they can actually do more.
Before they started limiting transactions in hardware, we could get around 1000tps out of a card 'rated' for 100.
I once heard on the grapevine that they had an installation that could do 2000 RSA operations a second.
Servers used to be Windows based, but I have it on good authority that they have a Linux version. C++ (windows and sparc) and
java api's available.
Regards,
Alwyn
melvin1...@yahoo.com
Thanks for the great info. I was really lost on how to start
evaluating HSMs.
Does anyone have thoughts about the Eracom line of products?
http://www.eracom-tech.com/hsm.0.html
I was drawn to their JCA/JCE Cryptographic Service Provider.
It seems this would greatly simplify Java integration.
http://www.eracom-tech.com/50.0.html
Andy Orrock
Eracom is a solid choice - it has a sizable presence in the Australian
marketplace and plays an integral, dependable role in many of the
Tandem- and Stratus-based financial payment implementations there.
Andy Orrock