How would I integrate Hardware Security Module encryption with a C# application?
How do I integrate HSM encryption with C#?
11.5k views. Asked by user690932. There are 3 answers.
HSM typically means Hardware Security Module. This is a device that will usually physically protect private or secret keys such that they don't ever get into your computer's RAM. Most HSMs will do encryption and signatures for you rather than just holding keys.
Access to an HSM's crypto powers can be via a handful of APIs, including PKCS#11 and Chil (OpenSSL). MSCAPI and CNG providers also exist to use HSMs.
Most HSM vendors will provide you with a PKCS#11 library or CAPI/CNG provider. Once you have this, it is a matter of programming against a published API.
Generally, using an HSM goes something along these lines:
provider = HSM.Connect()
keyhandle = provider.LoadKey("my_rsa_key")
signature = provider.Sign( keyhandle, "Sha1WithRSA", "myData" )
provider.UnloadKey( keyhandle )
Unfortunately, the managed portion of CAPI and CNG does not allow access to third-party providers, which you would need to use a CAPI/CNG HSM via C#. You will have to call directly into the unmanaged CAPI/CNG or PKCS#11 library code using PInvoke calls.
We used Pkcs11Interop and it worked really well. It is an Apache 2.0 licensed open source library. As far as I see it is quite up to date and still being maintained.
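The connect / load key / sign / unload flow sketched in the first answer, written against the Pkcs11Interop library named in the second answer, as an added example that is neither answerer's code. It assumes a vendor PKCS#11 module at a placeholder path, a private key stored on the token under the label "my_rsa_key" (the same name as the pseudocode above) with a matching public key, and a user PIN loaded from secure configuration. It uses SHA-256 with RSA PKCS#1 v1.5 rather than the SHA-1 mechanism in the pseudocode, and verifies the signature on the token before returning. The key material never leaves the HSM; only the signature comes back to managed memory.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Added example: signs data with an RSA private key held inside an HSM via PKCS#11.
// Library path, key label and PIN below are placeholders / assumptions, not values from the page.
public static class HsmSigner
{
    public static byte[] SignWithHsm(string pkcs11LibraryPath, string userPin, string keyLabel, byte[] data)
    {
        var factories = new Pkcs11InteropFactories();

        // Load the vendor's unmanaged PKCS#11 module (Pkcs11Interop does the PInvoke work for us).
        using (IPkcs11Library pkcs11Library = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
            factories, pkcs11LibraryPath, AppType.MultiThreaded))
        {
            // Pick the first slot that actually has a token inserted.
            List<ISlot> slots = pkcs11Library.GetSlotList(SlotsType.WithTokenPresent);
            if (slots.Count == 0)
                throw new InvalidOperationException("No HSM token present in any slot.");
            ISlot slot = slots[0];

            // A read-only session is enough for signing; no objects are created or modified.
            using (ISession session = slot.OpenSession(SessionType.ReadOnly))
            {
                session.Login(CKU.CKU_USER, userPin);
                try
                {
                    IObjectHandle privateKey = FindSingleKey(factories, session, CKO.CKO_PRIVATE_KEY, keyLabel);
                    IObjectHandle publicKey = FindSingleKey(factories, session, CKO.CKO_PUBLIC_KEY, keyLabel);

                    // CKM_SHA256_RSA_PKCS hashes and signs inside the token in one operation.
                    IMechanism mechanism = factories.MechanismFactory.Create(CKM.CKM_SHA256_RSA_PKCS);
                    byte[] signature = session.Sign(mechanism, privateKey, data);

                    // Sanity-check the result on the token itself before handing it back.
                    session.Verify(mechanism, publicKey, data, signature, out bool isValid);
                    if (!isValid)
                        throw new InvalidOperationException("HSM produced a signature that does not verify.");

                    return signature;
                }
                finally
                {
                    // Always drop the authenticated state, even if signing threw.
                    session.Logout();
                }
            }
        }
    }

    // Locate exactly one object of the given class carrying the given label;
    // refusing ambiguous matches avoids silently signing with the wrong key.
    private static IObjectHandle FindSingleKey(Pkcs11InteropFactories factories, ISession session,
                                               CKO objectClass, string label)
    {
        var searchTemplate = new List<IObjectAttribute>
        {
            factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, objectClass),
            factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, label)
        };
        List<IObjectHandle> found = session.FindAllObjects(searchTemplate);
        if (found.Count != 1)
            throw new InvalidOperationException(
                $"Expected exactly one {objectClass} labelled '{label}', found {found.Count}.");
        return found[0];
    }

    public static void Main()
    {
        // Placeholders: substitute the vendor module path and read the PIN from protected configuration.
        string libraryPath = @"C:\placeholder\vendor-pkcs11.dll";
        string userPin = Environment.GetEnvironmentVariable("HSM_USER_PIN") ?? "placeholder-pin";
        byte[] payload = Encoding.UTF8.GetBytes("myData");

        byte[] sig = SignWithHsm(libraryPath, userPin, "my_rsa_key", payload);
        Console.WriteLine("Signature length: " + sig.Length + " bytes");
    }
}
```

The shape is deliberately the same as the pseudocode in the first answer: open the provider, resolve the key by name, sign, release. Two details matter for a production deployment beyond what the answers say: run the lookup with a template that includes both CKA_CLASS and CKA_LABEL so a public key or certificate with the same label is not mistaken for the private key, and keep the login scoped to the smallest session you can, logging out in a finally block so a failed operation does not leave an authenticated session open.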
If it's a PKCS #11 compliant device, you can use NCryptoki. From their website: