如何将硬件安全模块加密与 C# 应用程序集成?
3 回答
HSM typically means Hardware Security Module. This is a device that will usually physically protect private or secret keys such that they don't ever get into your computer's RAM. Most HSMs will do encryption and signatures for you rather than just holding keys.
Access to a HSM's crypto powers can be via a handful of APIs. Including PKCS#11, Chil (OpenSSL). MSCAPI and CNG provders also exist to use HSMs.
Most HSM vendors will provide you with a PKCS#11 library or CAPI/CNG provider. Once you have this, it is a matter of programming against a published API.
Generally, using a HSM goes somthing along these lines:
provider = HSM.Connect()
keyhandle = provider.LoadKey("my_rsa_key")
signature = provider.Sign( keyhandle, "Sha1WithRSA", "myData" )
provider.UnloadKey( keyhandle )
Unfortunately, It the managed portion of CAPI and CNG do not allow for access to third-party providers which you would need to use a CAPI/CNG HSM via C#. You will have to call directly into the unmanaged CAPI/CNG or a PKCS#11 library code using PInvoke calls.
如果它是符合 PKCS #11 的设备,您可以使用NCryptoki。从他们的网站:
NCryptoki 是一个用于 .NET 框架的库,它实现了 PKCS#11 规范,并为 C#、VB.NET、Visual Basic 6、Delphi 和其他 COM 互操作语言提供了一个 API,用于在任何应用程序中集成符合 PKCS#11 的令牌。
[...]
主要特点:
- 符合 PKCS#11 2.20 规范
- 符合任何 PKCS#11 智能卡/令牌/HSM
- 32 或 64 位平台
- .NET 框架 2.0、3.0、3.5 和 4.0
我们使用了 Pkcs11Interop,它工作得非常好。它是一个 Apache 2.0 许可的开源库。据我所知,它是最新的并且仍在维护中。