2. What is an HSM?
HSM stands for Hardware Security Module. It is a tamper-resistant, highly secure physical device used to
generate and store cryptographic keys and to perform cryptographic functions. It detects unauthorized access, triggers an alarm and
can even erase the cryptographic keys it holds to protect the information.
There are general-purpose and specialized HSMs.
The payment industry uses specialized HSMs to protect cryptographic keys and to generate and validate sensitive data. Typically an HSM
undertakes the following functions for payment card personalization and transaction authorization:
– Share keys securely
– Generate PVV and CVV for magnetic stripe data
– Generate and print PIN mailer
– Encrypt/Decrypt/Re-Encrypt PIN block
– Verify card security codes
– Verify PIN
– Verify EMV (chip) data
It is mandatory for industries like payments to use an HSM, which is an expensive device. Hence many companies have cropped
up that offer HSM as a service.
Use of an HSM for cryptographic functions in payments is the de facto standard and is also endorsed by the PCI council as part of PCI DSS. PCI also
provides security requirements for HSMs (link).
3. HSM (Thales) Simulator
The Thales Simulator Library is a software emulation of the
Thales (formerly Zaxus, formerly Racal) RG7000 Hardware Security Module
cryptographic device.
4. How to Install
1. Go to CodePlex, an open source project archive
(https://archive.codeplex.com/?p=thalessim), and download the package. The source code is
also available on GitHub (https://github.com/nickntg/thalessimulatorlibrary), but
you need all the tools to build the solution before you can get your hands
on the installer.
2. Extract the downloaded file thalessim.zip.
3. Go to the "thalessimwikidownloadWikidocs" directory.
4. Run the Thales Windows Simulator installer.
5. This installs the simulator as "Thales Simulator".
5. How to Use
1. Run the installed "Thales Simulator".
2. The default configuration of the simulator is in ThalesParameters.xml, generally found in the
installation directory (C:\Program Files (x86)\NTG\Thales Simulator).
3. The default port for the simulator is 9998. It can be changed in ThalesParameters.xml.
4. Open a socket and connect to the simulator on port 9998.
5. Important!!! All messages need to be prefixed with a 2-byte header, i.e. 0000. The purpose of this header is
to identify request/response pairs in a high-load scenario. If you send simultaneous requests to the
simulator (or to a real HSM, for that matter), you need to be able to match the responses to the original
requests, because they might not arrive in the original order. You can use the header to do that.
A sample command for CVV verification is
"CYU123456789012345678901234567890121234123456789012345;1212101";
prefix it with the 2-byte header before sending it to the simulator,
i.e. "0000CYU123456789012345678901234567890121234123456789012345;1212101"
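The procedure above (open a socket, prefix each command with a header, match responses back to requests by that header) is shown below as an added Python client. This is example code written for this page, not code from the Thales Simulator project. It assumes two things the page does not state: that each TCP message is preceded by a 2-byte big-endian length of the ASCII payload that follows (the usual Thales host-port framing), and that a response carries the same header, a 3-letter response code (the command code with its last letter incremented, so CYU is answered by CYV) and a 2-digit error code, with "00" meaning success. The header is treated as the four ASCII characters shown in the sample ("0000"), and the field values in the CYU command are the page's own placeholder values, reassembled from their fields (CVK, CVV, PAN, expiry, service code) so the builder can be checked against the page's string.

```python
"""Added example: minimal client for the Thales simulator's TCP interface.
ASSUMPTIONS (not on the page): 2-byte big-endian length prefix per message;
response = header + 3-letter response code + 2-digit error code ("00" = OK).
"""
import itertools
import socket

HEADER_LEN = 4        # "0000" in the page's sample is four ASCII characters
HSM_HOST = "127.0.0.1"
HSM_PORT = 9998       # simulator default, per ThalesParameters.xml


def _digits(value: str, name: str, length: int) -> str:
    if not (value.isdigit() and len(value) == length):
        raise ValueError(f"{name} must be {length} digits")
    return value


def build_cyu(cvk: str, cvv: str, pan: str, expiry: str, service_code: str) -> str:
    """Assemble a CYU (verify CVV) command: CVK, CVV, PAN, ';', expiry, service code.
    Field lengths follow the page's sample: 32-hex CVK, 3-digit CVV, up-to-19-digit PAN,
    4-digit expiry and 3-digit service code."""
    if len(cvk) != 32:
        raise ValueError("CVK must be 32 hex characters")
    int(cvk, 16)  # raises ValueError if not hex
    if not (pan.isdigit() and 1 <= len(pan) <= 19):
        raise ValueError("PAN must be 1-19 digits")
    return (f"CYU{cvk}{_digits(cvv, 'CVV', 3)}{pan};"
            f"{_digits(expiry, 'expiry', 4)}{_digits(service_code, 'service code', 3)}")


def frame(header: str, command: str) -> bytes:
    """Prefix header+command with the assumed 2-byte big-endian length."""
    if len(header) != HEADER_LEN:
        raise ValueError(f"header must be {HEADER_LEN} characters")
    payload = (header + command).encode("ascii")
    if len(payload) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    return len(payload).to_bytes(2, "big") + payload


def unframe(data: bytes) -> str:
    """Inverse of frame(); rejects truncated or over-long buffers."""
    if len(data) < 2:
        raise ValueError("missing length prefix")
    length = int.from_bytes(data[:2], "big")
    if len(data) != 2 + length:
        raise ValueError(f"expected {length} payload bytes, got {len(data) - 2}")
    return data[2:].decode("ascii")


def parse_response(msg: str) -> tuple:
    """Split a response into (header, response code, error code, remaining data)."""
    if len(msg) < HEADER_LEN + 5:
        raise ValueError("response too short")
    return (msg[:HEADER_LEN], msg[HEADER_LEN:HEADER_LEN + 3],
            msg[HEADER_LEN + 3:HEADER_LEN + 5], msg[HEADER_LEN + 5:])


class HeaderMatcher:
    """Hands out unique headers and pairs responses back to their requests: under
    load, responses may return in a different order than the requests were sent."""

    def __init__(self) -> None:
        self._counter = itertools.cycle(range(10 ** HEADER_LEN))
        self.pending = {}  # header -> command still awaiting a response

    def register(self, command: str) -> str:
        header = f"{next(self._counter):0{HEADER_LEN}d}"
        if header in self.pending:
            raise RuntimeError("header space exhausted; wait for outstanding responses")
        self.pending[header] = command
        return header

    def match(self, response: str) -> tuple:
        """Return (original command, response code, error code, data) for a response."""
        header, code, error, data = parse_response(response)
        if header not in self.pending:
            raise ValueError(f"unexpected header {header!r}")
        return self.pending.pop(header), code, error, data


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("HSM closed the connection")
        buf += chunk
    return buf


def send_command(header: str, command: str, host: str = HSM_HOST, port: int = HSM_PORT) -> str:
    """Send one framed command and return the raw response (header included)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(frame(header, command))
        length = int.from_bytes(_recv_exact(sock, 2), "big")
        return _recv_exact(sock, length).decode("ascii")


if __name__ == "__main__":
    # The page's sample command, rebuilt from its fields (the page's placeholder values).
    sample = build_cyu("12345678901234567890123456789012", "123", "4123456789012345", "1212", "101")
    matcher = HeaderMatcher()
    header = matcher.register(sample)
    print("matched:", matcher.match(send_command(header, sample)))
```

Run it with the simulator listening on 9998; the `HeaderMatcher` is what makes the page's point concrete: each in-flight request owns a header, and a response is only accepted if its header is still pending, so reordered or stray replies are caught rather than silently attributed to the wrong request. The CVK in the command is the page's placeholder string; on a real HSM this field carries the CVK encrypted under the LMK, never a clear key.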