How do I integrate HSM encryption with C#?

user690932 · Apr 7, 2011 · Viewed 9.3k times

How would I integrate Hardware Security Module encryption with a C# application?

Answer

IanNorton · Apr 7, 2011

HSM typically means Hardware Security Module. This is a device that will usually physically protect private or secret keys such that they don't ever get into your computer's RAM. Most HSMs will do encryption and signatures for you rather than just holding keys.

Access to an HSM's crypto powers can be via a handful of APIs, including PKCS#11 and CHIL (OpenSSL). MSCAPI and CNG providers also exist to use HSMs.

Most HSM vendors will provide you with a PKCS#11 library or CAPI/CNG provider. Once you have this, it is a matter of programming against a published API.

Generally, using an HSM goes something along these lines (pseudocode):

```
provider = HSM.Connect()                                  // open the device / PKCS#11 library
keyhandle = provider.LoadKey("my_rsa_key")                // get a handle to a key that stays on the HSM
signature = provider.Sign( keyhandle, "Sha1WithRSA", "myData" )   // the HSM signs; the key never leaves it
provider.UnloadKey( keyhandle )                           // release the handle
```

Unfortunately, the managed portion of CAPI and CNG does not allow access to third-party providers, which you would need in order to use a CAPI/CNG HSM via C#. You will have to call directly into the unmanaged CAPI/CNG or PKCS#11 library code using P/Invoke calls.
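The PKCS#11 route in concrete C#, as an added example that is not part of the question or the answer above. It uses the Pkcs11Interop NuGet package (`Net.Pkcs11Interop`), which wraps the vendor's native PKCS#11 module so you do not have to write the P/Invoke layer yourself. It signs a constructed message with an RSA private key that lives on the token and then, as an independent check, pulls only the public modulus and exponent off the device and verifies the signature with .NET's own `RSA` class. The library path, user PIN and key label are placeholder assumptions that you must replace with your vendor's values.

```csharp
// Added example (not from the original question or answer): sign data with an RSA
// private key held in a PKCS#11 HSM, then verify the signature on the host using
// only the public half. Requires the Pkcs11Interop NuGet package.
// The library path, PIN and key label are placeholders (assumptions for illustration).
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

public static class HsmSigner
{
    // Assumed values: adjust for your environment.
    const string Pkcs11LibraryPath = "/usr/lib/libvendor-pkcs11.so"; // vendor's PKCS#11 module
    const string UserPin = "1234";                                     // token user PIN; load from a secret store in real code
    const string KeyLabel = "my_rsa_key";                              // CKA_LABEL of the key pair on the token

    public static void Main()
    {
        byte[] data = Encoding.UTF8.GetBytes("myData"); // constructed sample input

        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
                   factories, Pkcs11LibraryPath, AppType.MultiThreaded))
        {
            // First slot with a token present; production code should select by slot or token label.
            List<ISlot> slots = lib.GetSlotList(SlotsType.WithTokenPresent);
            if (slots.Count == 0)
                throw new InvalidOperationException("No PKCS#11 token present");
            ISlot slot = slots[0];

            using (ISession session = slot.OpenSession(SessionType.ReadOnly))
            {
                // Using a private key normally requires a CKU_USER login on the token.
                session.Login(CKU.CKU_USER, UserPin);
                try
                {
                    IObjectHandle privKey = FindKey(session, CKO.CKO_PRIVATE_KEY);
                    IObjectHandle pubKey = FindKey(session, CKO.CKO_PUBLIC_KEY);

                    // The HSM hashes and signs; the private key never enters host RAM.
                    // CKM_SHA256_RSA_PKCS = SHA-256 with PKCS#1 v1.5 padding. The answer's
                    // "Sha1WithRSA" would be CKM_SHA1_RSA_PKCS; avoid SHA-1 for new systems.
                    IMechanism mech = session.Factories.MechanismFactory.Create(CKM.CKM_SHA256_RSA_PKCS);
                    byte[] signature = session.Sign(mech, privKey, data);

                    // Independent check on the host: export only public data and verify
                    // with .NET's own RSA implementation.
                    RSAParameters pub = ReadPublicKey(session, pubKey);
                    using (RSA rsa = RSA.Create())
                    {
                        rsa.ImportParameters(pub);
                        bool ok = rsa.VerifyData(data, signature,
                                                 HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                        Console.WriteLine($"Signature ({signature.Length} bytes) verifies: {ok}");
                    }
                }
                finally
                {
                    session.Logout();
                }
            }
        }
    }

    // Locate a key object by class and label; fail loudly on zero or ambiguous matches
    // rather than silently signing with the wrong key.
    static IObjectHandle FindKey(ISession session, CKO keyClass)
    {
        var template = new List<IObjectAttribute>
        {
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, keyClass),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, KeyLabel)
        };
        List<IObjectHandle> found = session.FindAllObjects(template);
        if (found.Count != 1)
            throw new InvalidOperationException(
                $"Expected exactly one {keyClass} object labelled '{KeyLabel}', found {found.Count}");
        return found[0];
    }

    // Read the modulus and public exponent (public, non-sensitive attributes) so the
    // signature can be checked off-device.
    static RSAParameters ReadPublicKey(ISession session, IObjectHandle pubKey)
    {
        List<IObjectAttribute> attrs = session.GetAttributeValue(
            pubKey, new List<CKA> { CKA.CKA_MODULUS, CKA.CKA_PUBLIC_EXPONENT });
        return new RSAParameters
        {
            Modulus = attrs[0].GetValueAsByteArray(),
            Exponent = attrs[1].GetValueAsByteArray()
        };
    }
}
```

Add the dependency with `dotnet add package Pkcs11Interop` and run against your vendor's module. Two practical points the pseudocode in the answer glosses over: the key handle is only valid for the session that found it, so keep lookup, signing and logout inside one session scope; and the host-side `VerifyData` step is worth keeping in an integration test, because a mismatched mechanism (for example PSS on the host versus PKCS#1 v1.5 on the token) fails there rather than in production.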