Overview
This section introduces ProtectToolkit-M and shows how SafeNet components and terminology apply in the Microsoft Cryptographic API environment.
ProtectToolkit-M applications
With ProtectToolkit-M installed, applications that call the Microsoft Cryptographic API (MSCAPI) can make use of the secure key storage and high-speed cryptographic processing offered by SafeNet hardware security modules (HSMs).
The Microsoft Cryptographic API (MSCAPI) provides security services for a range of applications, such as web-based SSL processes.
Microsoft Certification Authority (MSCA) and Internet Information Services (IIS) (a Microsoft web server) use the MSCAPI and therefore can be integrated with ProtectToolkit-M. An MSCA can store CA keys on an HSM, while IIS can use HSM key storage when establishing secure socket layer (SSL) communication.
The MSCAPI model and ProtectToolkit-M
Cryptographic service providers
ProtectToolkit-M is implemented as a Microsoft Cryptographic Service Provider (CSP).
A CSP is a plug-in cryptographic module that integrates with Microsoft Windows and provides the underlying key storage and security operations for the Microsoft Cryptographic API (MSCAPI). The architecture of the MSCAPI supports the development of non-Microsoft CSPs such as ProtectToolkit-M.
ProtectToolkit-M includes both “RSA Full” and “RSA SChannel” cryptographic service providers. These can be used instead of the corresponding Microsoft CSPs to provide hardware-based key storage and RSA encryption.
MSCAPI implementation using ProtectToolkit-M
ProtectToolkit-M model shows how SafeNet HSMs can be utilized as part of a MSCAPI system, using ProtectToolkit-M as a CSP.
ProtectToolkit-M model
MSCAPI keyset model
Within MSCAPI and ProtectToolkit-M, key pairs are held within a key container, which is stored within a keyset.
HSM Secure Memory
│
├── Keyset Space
│
└── Keyset User (1)
│
└── Key Container
│
├── Signature Key Pair
└── Exchange Key Pair
Each user requiring processing support from the ProtectToolkit-M system will need a user keyset containing a key container. Key containers can contain up to 2 key pairs: a signature key pair and an exchange key pair.
Apart from this, there are two keysets required by the ProtectToolkit-M system for its internal processes. These are the SYSTEM keyset and the MACHINE keyset, which are visible to all system users. ProtectToolkit-M cannot operate without either of these and will automatically create either set if they are not present or deleted. Shared keys (accessible by more than one user), such as those generated automatically when Microsoft CA is installed, will also be stored in one of these keysets when using a ProtectToolkit-M CSP. Generally these shared keys are stored in the MACHINE keyset.
The physical storage location for each keyset is CSP-dependent. By default, Microsoft CSPs store keys to disk, in user profiles. When using the “Safenet RSA Full” or “Safenet RSA SChannel” CSPs, all keys are secured by ProtectToolkit-M within SafeNet hardware security modules (HSMs).
Further documentation
The following reference material should be considered in addition to this user guide:
-
Microsoft documentation on cryptographic service providers. Refer to the Microsoft website.