Introduction
Securosys Hardware Security Modules (HSMs) are not only optimized for the physical protection of private key material. They also control how keys may be used, through powerful authorization rules called Smart Key Attributes (SKA).
For example, an application can require authorization by a quorum of approvers, impose timelocks and timeouts, and restrict a key to certain types of operations (e.g. signing, encrypting).
We recommend reading the dedicated Smart Key Attribute (SKA) section before proceeding with the TSB guide. The other pages in this guide assume an understanding of the high-level SKA concepts.
Transaction Security Broker
When using SKAs, an application often needs to collect authorizations from several different people, or it needs to wait for a certain amount of time to pass (for timelocks). This requires keeping state: the partial, not-yet-complete authorizations have to be stored somewhere and collected until the authorization is complete and can be forwarded to the HSM.
This is why Securosys introduced the Transaction Security Broker (TSB). The TSB sits between the application and the HSM and handles the logic for collecting all parts of an authorization. It exposes a REST API that applications consume, and it communicates with the HSM over the JCE API.
The TSB is a standalone engine. It is not security-critical, since all security-relevant operations, including the verification of the collected authorizations, are executed in the HSM. A compromised or unavailable TSB can therefore delay or drop authorizations, but it cannot forge them.
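To make the broker's role concrete, here is an added example (written for this page, not Securosys' code) of the state a broker has to keep for one SKA-protected operation: it stores a pending request, collects approvals from distinct approvers until a quorum is reached, refuses approvals after the timeout, and reports the request as ready only once the timelock has elapsed. All names (Policy, ApprovalRequest, Broker, make_approval) are assumptions, as are the semantics that the timelock and timeout count from request creation. Approvers are authenticated with HMAC tags over per-approver secrets purely as a stand-in for the approver signatures that the real HSM verifies; in the real deployment the broker only collects the material and the HSM performs the checks.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Policy:
    """Hypothetical model of an SKA authorization rule (assumed shape)."""
    quorum: int                      # approvals needed (m-of-n)
    approvers: Dict[str, bytes]      # approver id -> secret (stand-in for a public key)
    timelock_s: float = 0.0          # earliest execution: creation + timelock
    timeout_s: Optional[float] = None  # request expires: creation + timeout


@dataclass
class ApprovalRequest:
    request_id: str
    payload: bytes
    policy: Policy
    created: float
    approvals: Dict[str, bytes] = field(default_factory=dict)  # approver id -> tag


def make_approval(secret: bytes, request_id: str, payload: bytes) -> bytes:
    """Approver side: the tag is bound to request id AND payload so an
    approval for one request cannot be replayed against another."""
    msg = request_id.encode() + b"\x00" + payload
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Broker:
    """In-memory model of the state-keeping part of a broker.  The clock is
    injectable so timelock/timeout behaviour can be exercised deterministically."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.pending: Dict[str, ApprovalRequest] = {}

    def create(self, request_id: str, payload: bytes, policy: Policy) -> ApprovalRequest:
        req = ApprovalRequest(request_id, payload, policy, self.clock())
        self.pending[request_id] = req
        return req

    def status(self, request_id: str) -> str:
        req = self.pending.get(request_id)
        if req is None:
            return "unknown"
        now, p = self.clock(), req.policy
        if p.timeout_s is not None and now > req.created + p.timeout_s:
            return "expired"
        if len(req.approvals) < p.quorum:
            return "collecting"
        if now < req.created + p.timelock_s:
            return "timelocked"
        return "ready"

    def add_approval(self, request_id: str, approver: str, tag: bytes) -> str:
        """Store one partial authorization; returns the request's new status."""
        state = self.status(request_id)
        if state == "unknown":
            return state
        if state == "expired":
            del self.pending[request_id]      # late approvals are discarded
            return state
        req = self.pending[request_id]
        secret = req.policy.approvers.get(approver)
        if secret is None:
            return "rejected: unknown approver"
        expected = make_approval(secret, request_id, req.payload)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad approval"
        req.approvals[approver] = tag          # the same approver counts once
        return self.status(request_id)

    def forward(self, request_id: str) -> Tuple[bytes, Dict[str, bytes]]:
        """Hand the complete authorization on (in reality: to the HSM)."""
        if self.status(request_id) != "ready":
            raise RuntimeError(f"{request_id} is {self.status(request_id)}, not ready")
        req = self.pending.pop(request_id)
        return req.payload, dict(req.approvals)
```

The point of the model is that nothing the broker decides is trusted by the HSM: it merely holds partial authorizations, deduplicates approvers, and enforces the time windows so that it does not bother the HSM with incomplete or stale requests. A request approved twice by the same approver still has only one approval, and an approval that arrives after the timeout is dropped rather than stored.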
For more details see this article.
Architecture
What's next?
The articles in this TSB guide will explain how to use SKAs with the TSB:
- how to create SKA keys,
- how to create and manage approvers for SKA keys,
- and how to integrate with the Authorization App.