1. HSM (hardware security module)
  1. A physical computing device that safeguards and manages digital keys.
  2. Design
    1. HSMs come in the form of a plug-in card or an external device that attaches directly to a computer or network server.
    2. Depending on the vendor, HSMs may be tamper-resistant or tamper-proof.
    3. Many HSM systems have means to securely back up the keys they handle outside of the HSM.
  3. Functions
    1. onboard secure cryptographic key generation
    2. onboard secure cryptographic key storage, at least for the top level and most sensitive keys, which are often called master keys
    3. key management
    4. use of cryptographic and sensitive data material, for example, performing encryption or digital signature functions
    5. offloading asymmetric and symmetric cryptographic operations from application servers
  4. Uses
    1. PKI Environment (CA HSMs)
      1. In PKI environments, the HSMs may be used by certification authorities (CAs) and registration authorities (RAs) to generate, store, and handle asymmetric key pairs.
      2. Logical and physical high-level protection
      3. Multi-part user authorization schema (see Blakley-Shamir secret sharing)
      4. Full audit and log traces
      5. Secure key backup
    2. Card Payment System HSMs (Bank HSMs)
      1. HSMs support both general-purpose functions and specialized functions required to process transactions and comply with industry standards.
      2. verify that a user-entered PIN matches the reference PIN known to the card issuer
      3. in conjunction with an ATM controller or POS terminal, verify credit/debit card transactions by checking card security codes or by performing host processing components of an EMV based transaction
      4. support a crypto-API with a smart card (such as an EMV)
      5. re-encrypt a PIN block to send it to another authorisation host
      6. perform secure key management
      7. support a POS/ATM network management protocol
      8. support de facto standard APIs for host-to-host key and data exchange
      9. generate and print a "PIN mailer"
      10. generate data for a magnetic stripe card (PVV, CVV)
      11. generate a card keyset and support the personalisation process for smart cards
    3. SSL/TLS Connection Establishment HSMs
    4. DNSSEC Deployment HSMs
    5. Cryptocurrency Wallet HSMs