Overview

This section introduces SafeNet ProtectToolkit-M and shows how SafeNet components and terminology apply in the Microsoft Cryptographic API environment.

SafeNet ProtectToolkit-M Applications

With SafeNet ProtectToolkit-M installed, applications that call the Microsoft Cryptographic API (MSCAPI) can make use of the secure key storage and high-speed cryptographic processing offered by SafeNet hardware security modules (HSMs).

The Microsoft Cryptographic API (MSCAPI) provides security services for a range of applications, such as web-based SSL processes.

Microsoft Certification Authority (MSCA) and Internet Information Services (IIS) (a Microsoft web server) use the MSCAPI and therefore may be integrated with SafeNet ProtectToolkit-M. An MSCA may store CA keys on an HSM, while IIS may use HSM key storage when establishing secure socket layer (SSL) communication.

The MSCAPI Model and SafeNet ProtectToolkit-M

Cryptographic Service Providers

SafeNet ProtectToolkit-M is implemented as a Microsoft Cryptographic Service Provider (CSP).

A CSP is a plug-in cryptographic module that integrates with Microsoft Windows and provides the underlying key storage and security operations for the Microsoft Cryptographic API (MSCAPI). The architecture of the MSCAPI supports the development of non-Microsoft CSPs such as SafeNet ProtectToolkit-M.

SafeNet ProtectToolkit-M includes both “RSA Full” and “RSA SChannel” cryptographic service providers. These can be used instead of the corresponding Microsoft CSPs to provide hardware-based key storage and RSA encryption.

MSCAPI Implementation Using SafeNet ProtectToolkit-M

SafeNet ProtectToolkit-M model shows how SafeNet HSMs can be utilized as part of a MSCAPI system, using SafeNet ProtectToolkit-M as a CSP.

Figure 1: SafeNet ProtectToolkit-M model


MSCAPI Keyset Model

Within MSCAPI (and hence SafeNet ProtectToolkit-M), key pairs are held within a key container, which is stored within a keyset.

HSM Secure Memory
  │
  ├── Keyset Space
  │
  └── Keyset User (1)
       │
       └── Key Container
            │
            ├── Signature Key Pair
            └── Exchange Key Pair
 

Each user requiring processing support from the SafeNet ProtectToolkit-M system will need a user keyset containing a key container. Key containers may contain up to 2 key pairs: a signature key pair and an exchange key pair.

Apart from this, there are two keysets required by the SafeNet ProtectToolkit-M system for its internal processes. These are the SYSTEM keyset and the MACHINE keyset, which are visible to all system users. SafeNet ProtectToolkit-M cannot operate without either of these and will automatically create either set if they are not present or deleted. Shared keys (accessible by more than one user), such as those generated automatically when Microsoft CA is installed, will also be stored in one of these keysets when using a SafeNet ProtectToolkit-M CSP. Generally these shared keys are stored in the MACHINE keyset.

The physical storage location for each keyset is CSP-dependent. By default, Microsoft CSPs store keys to disk, in user profiles. When using the “Safenet RSA Full” or “Safenet RSA SChannel” CSPs, all keys are secured by SafeNet ProtectToolkit-M within SafeNet hardware security modules (HSMs).

Further Documentation

The following reference material should be considered in addition to this user manual:

>SafeNet ProtectServer PCIe HSM Installation Guide

>SafeNet ProtectServer Network HSM Installation/Configuration Guide

>SafeNet HSM Access Provider Installation Guide

>Microsoft documentation on cryptographic service providers. See their web site.