Updated on 2024-05-06 GMT+08:00

Functions

Dedicated HSM is a cloud service for encryption, decryption, signing, signature verification, key generation, and the secure storage of keys.

Dedicated HSM provides dedicated cryptographic hardware that protects the confidentiality and integrity of data on Elastic Cloud Servers (ECSs) and meets FIPS 140-2 requirements. Keys generated by your instances are managed securely and reliably inside the module, and multiple algorithms are available for data encryption and decryption.

Functions

Dedicated HSM provides the following capabilities:

  • Generation, storage, import, export, and management of symmetric and asymmetric encryption keys
  • Data encryption and decryption using symmetric and asymmetric algorithms
  • Calculation of message digests with cryptographic hash functions, and of hash-based message authentication codes (HMAC)
  • Signing of data and code, and verification of signatures, with the private keys kept inside the module
  • Generation of random data suitable for cryptographic use

Supported Cryptography Algorithms

Dedicated HSM supports Chinese cryptographic algorithms as well as the commonly used international algorithms listed in Table 1, so that different user requirements can be met.

Table 1 Supported cryptography algorithms

Category                             Common cryptographic algorithms
Symmetric cryptographic algorithm    AES
Asymmetric cryptographic algorithm   RSA, DSA, ECDSA, DH, and ECDH
Digest algorithm                     SHA1, SHA256, and SHA384

SHA1 is listed for compatibility with existing systems. It is no longer collision resistant, so use SHA256 or SHA384 for new signatures and certificates.

Dedicated HSM Types

Table 2 Dedicated HSM types

HSM type: Hardware Security Module (HSM)
Functions:
  • Data encryption and decryption
  • Data signing and signature verification
  • Data digests
  • Generation and verification of message authentication codes (MACs)
Application scenario: Basic cryptographic operations for applications across a wide range of industries, such as identity authentication, data protection, SSL/TLS key protection, and offloading of cryptographic computation.

HSM type: Finance
Functions:
  • Generation, encryption, conversion, and verification of personal identification numbers (PINs)
  • Generation and verification of message authentication codes (MACs)
  • Generation and verification of card verification values (CVVs)
  • Generation and verification of transaction authentication codes (TACs)
  • Typical Racal instruction set
  • People's Bank of China (PBOC) 3.0 common instruction set
Application scenario: Cryptographic operations in financial systems, such as card issuing systems and point of sale (POS) systems.

HSM type: Signature verification server
Functions:
  • Signing and signature verification
  • Encoding and decoding of digital envelopes
  • Encoding and decoding of signed digital envelopes
  • Certificate verification
Application scenario: Signing in Certificate Authority (CA) systems, certificate verification, encrypted transmission of large volumes of data, and identity authentication.
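The PIN and MAC functions of the finance HSM type act on well-defined data formats, and the following added example (written for this page, not Huawei Cloud code and not an HSM vendor SDK) shows two of them in software: formation and recovery of an ISO 9564-1 format 0 PIN block, which binds the PIN to the card's PAN, and generation and constant-time verification of a message authentication code. Assumptions: ISO 9564-1 format 0 is the PIN block format in use; HMAC-SHA256 stands in for the block-cipher MACs (ISO 9797-1 style) typical of payment networks, because it is available in the Python standard library; the key and the PIN/PAN values are constructed test data. A real HSM additionally encrypts the clear PIN block under a PIN encryption key that never leaves the module, a step not modelled here because the standard library has no block cipher.

```python
import hmac
import hashlib

# --- ISO 9564-1 format 0 PIN block ---------------------------------------
# PIN field: '0' | PIN length (one hex digit) | PIN digits | 'F' padding to 16 hex digits
# PAN field: '0000' | rightmost 12 digits of the PAN, excluding the Luhn check digit
# Clear PIN block = PIN field XOR PAN field. An HSM then encrypts this block
# under the PIN encryption key; that encryption step is intentionally omitted.


def pin_field(pin: str) -> str:
    """Build the 16-hex-digit PIN field for a 4 to 12 digit PIN."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4-12 decimal digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def pan_field(pan: str) -> str:
    """Build the 16-hex-digit PAN field (drop the check digit, keep 12 digits)."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("PAN must be at least 13 decimal digits")
    return "0000" + pan[:-1][-12:]


def clear_pin_block(pin: str, pan: str) -> str:
    """Form the format 0 clear PIN block as an uppercase hex string."""
    return f"{int(pin_field(pin), 16) ^ int(pan_field(pan), 16):016X}"


def recover_pin(block_hex: str, pan: str) -> str:
    """Undo the PAN XOR and validate the PIN field layout.

    Using the wrong PAN yields a field that fails validation, which is the
    property that makes format 0 blocks PAN-bound.
    """
    field = f"{int(block_hex, 16) ^ int(pan_field(pan), 16):016X}"
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(field[1], 16)
    pin, padding = field[2:2 + length], field[2 + length:]
    if not (4 <= length <= 12) or not pin.isdigit() or set(padding) - {"F"}:
        raise ValueError("malformed PIN block (wrong PAN or corrupted data)")
    return pin


# --- Message authentication code ------------------------------------------
# The "MAC" an HSM generates is a message authentication code over a message,
# not a hardware address. The key is constructed test data; inside an HSM it
# would be generated and held in the module.
MAC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                        "101112131415161718191a1b1c1d1e1f")


def generate_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time verification: a plain '==' would leak the first mismatching byte."""
    return hmac.compare_digest(generate_mac(key, message), tag)


if __name__ == "__main__":
    pan, pin = "4111111111111111", "1234"   # constructed test values
    block = clear_pin_block(pin, pan)
    print("clear PIN block:", block)        # 041225EEEEEEEEEE
    print("recovered PIN:", recover_pin(block, pan))
    msg = b"0200|4111111111111111|000000012345"
    tag = generate_mac(MAC_KEY, msg)
    print("MAC ok:", verify_mac(MAC_KEY, msg, tag))
    print("tampered MAC ok:", verify_mac(MAC_KEY, msg.replace(b"12345", b"99999"), tag))
```

The PAN binding is the point to take away: a PIN block captured for one card cannot be replayed for another, and "PIN conversion" (translating a block from one zone key to another) is done by the HSM precisely so that the clear block in between never leaves the hardware.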