Chapter 3: ProtectServer External 2 Plus Installation and Configuration
Secure Messaging System (SMS)
ProtectServer HSMs store cryptographic keys and objects in tamper-resistant secure memory, which is erased when a tamper is detected. The stored keys are accessed through PKCS#11 calls from the client. Client calls to a Network HSM traverse the network layer (TCP/IP). In the default security mode, this communication channel between the HSM and the client is unencrypted. Configure the HSM security policy to improve this channel's security. Refer to in the "Security Policies and User Roles" section of the ProtectToolkit-C Administration Guide for descriptions of the available flags and how they affect your implementation.
The Secure Messaging System (SMS) enhances the security of the client-HSM channel. SMS provides an encrypted channel between the client and the HSM and authenticates messages on that channel using a Message Authentication Code (MAC) approved by the FIPS 140-2 standard. Refer to in the "Cryptoki Configuration" section of the ProtectToolkit-C Administration Guide for a detailed description of SMS functionality.
NOTE
SMS encrypts and authenticates messages between the client and HSM, but does not provide means for the HSM to authenticate client credentials or vice versa.
The HSM supports the following SMS modes:
> HIMK
> ADH
> ADH2 (PTK 5.4 and above)
For secure deployment, use ADH or ADH2. Refer to in the "Cryptoki Configuration" section of the ProtectToolkit-C Administration Guide for descriptions of the differences between these modes.
The SMS feature is flexible and can be configured to:
> Encrypt/decrypt all messages
> Sign/verify all messages
> Allow only FIPS-approved mechanisms
> Rotate signing and encryption keys after a specified number of packets or hours
> All of the above
For maximum security, enable all of the above features. See in the "Security Policies and User Roles" section of the ProtectToolkit-C Administration Guide for flag descriptions and setup instructions.
NOTE
Enabling FIPS mode will block all mechanisms that are not FIPS-approved. If you are using unapproved mechanisms and understand the implications, do not enable FIPS mode.
Networking and Firewall Configuration
There is no means to authenticate the client to the HSM or vice versa. It is therefore recommended that the HSM and client be connected to the same secure network segment, to prevent sensitive data from traveling through insecure intermediate networks. This configuration prevents Man-in-the-Middle and other malicious attacks. If possible, connect the HSM directly to the client using a cross-cable.
Thales ProtectServer HSM 5.9.1 ProtectServer HSM and ProtectToolkit Installation and Configuration Guide
2021-11-02 08:51:40-04:00 Copyright 2009-2021 Thales Group
50