Overview

This section introduces ProtectToolkit-M and shows how SafeNet components and terminology apply in the Microsoft Cryptographic API environment.

ProtectToolkit-M Applications

With ProtectToolkit-M installed, applications that call the Microsoft Cryptographic API (MSCAPI) can make use of the secure key storage and high-speed cryptographic processing offered by SafeNet hardware security modules (HSMs).

The Microsoft Cryptographic API (MSCAPI) provides security services for a range of applications, such as web-based SSL processes.

Microsoft Certification Authority (MSCA) and Internet Information Services (IIS) (a Microsoft web server) use the MSCAPI and therefore may be integrated with ProtectToolkit-M. An MSCA may store CA keys on an HSM, while IIS may use HSM key storage when establishing secure socket layer (SSL) communication.

The MSCAPI Model and ProtectToolkit-M

Cryptographic Service Providers

ProtectToolkit-M is implemented as a Microsoft Cryptographic Service Provider (CSP).

A CSP is a plug-in cryptographic module that integrates with Microsoft Windows and provides the underlying key storage and security operations for the Microsoft Cryptographic API (MSCAPI). The architecture of the MSCAPI supports the development of non-Microsoft CSPs such as ProtectToolkit-M.

ProtectToolkit-M includes both “RSA Full” and “RSA SChannel” cryptographic service providers. These can be used instead of the corresponding Microsoft CSPs to provide hardware-based key storage and RSA encryption.

MSCAPI Implementation Using ProtectToolkit-M

ProtectToolkit-M model shows how SafeNet HSMs can be utilized as part of a MSCAPI system, using ProtectToolkit-M as a CSP.

Figure 1: ProtectToolkit-M model


MSCAPI Keyset Model

Within MSCAPI (and hence ProtectToolkit-M), key pairs are held within a key container, which is stored within a keyset.

HSM Secure Memory
  │
  ├── Keyset Space
  │
  └── Keyset User (1)
       │
       └── Key Container
            │
            ├── Signature Key Pair
            └── Exchange Key Pair

Each user requiring processing support from the ProtectToolkit-M system will need a user keyset containing a key container. Key containers may contain up to 2 key pairs: a signature key pair and an exchange key pair.

Apart from this, there are two keysets required by the ProtectToolkit-M system for its internal processes. These are the SYSTEM keyset and the MACHINE keyset, which are visible to all system users. ProtectToolkit-M cannot operate without either of these and will automatically create either set if they are not present or deleted. Shared keys (accessible by more than one user), such as those generated automatically when Microsoft CA is installed, will also be stored in one of these keysets when using a ProtectToolkit-M CSP. Generally these shared keys are stored in the MACHINE keyset.

The physical storage location for each keyset is CSP-dependent. By default, Microsoft CSPs store keys to disk, in user profiles. When using the “Safenet RSA Full” or “Safenet RSA SChannel” CSPs, all keys are secured by ProtectToolkit-M within SafeNet hardware security modules (HSMs).

Further Documentation

The following reference material should be considered in addition to this user manual:

>About the ProtectServer HSM and ProtectToolkit Installation Guide

>Microsoft documentation on cryptographic service providers. See their web site.