
Key Management Service: Specifications and performance

Last Updated: Apr 30, 2025

This topic describes General Virtual Security Modules (GVSMs), one type of Virtual Security Module (VSM) supported by Cloud Hardware Security Module, including their API specifications, encryption algorithms, and performance references.

HSMs in the Chinese mainland

GVSMs (validated by the State Cryptography Administration)

The GVSM complies with the GM/T 0028-2014 security technical requirements for cryptographic modules and the GM/T 0030-2014 cryptographic server technical specification. It provides internationally standardized cryptographic service interfaces and supports Public Key Infrastructure (PKI) applications using Chinese cryptographic algorithms (GM/T series). The GVSM can deliver cryptographic operations and key management services to multiple applications, either independently or concurrently.

Feature

Description

Interface specifications

  • GM/T 0018-2023 cryptographic device application interface specification.

  • PKCS#11 interface specification.

  • SunJCE interface specification.

  • Microsoft Cryptography API: Next Generation (CNG).

Encryption algorithms

  • Symmetric encryption algorithms: SM1, SM4, Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) (128- and 256-bit keys are supported).

  • Asymmetric encryption algorithms: SM2, Rivest-Shamir-Adleman (RSA) with key lengths from 2048 to 4096 bits, and Elliptic Curve Cryptography (ECC), including NIST P-256, Brainpool P-256, and FRP-256.

  • Digest algorithms: SM3, Secure Hash Algorithm 1 (SHA-1), SHA-256, SHA-384, and SHA-512.

Data communication protocol

TCP/IP.

Maximum concurrent connections

256

Performance with 32-byte test data

| Performance reference | Operations per second | Response time (unit: seconds) |
| --- | --- | --- |
| SM1 encryption performance | 600 | 0.006 |
| SM2 key generation performance | 4,000 | 0.006 |
| SM2 signing performance | 3,000 | 0.008 |
| SM2 verification performance | 2,000 | 0.026 |
| RSA2048 key generation performance | 6 pairs per second | 8.605 |
| RSA2048 public key operations | 3,500 | 0.008 |
| RSA2048 private key operations | 400 | 0.018 |
| SM3 digest performance | 5,000 | 0.009 |
| SM4 encryption performance | 5,000 | 0.003 |
| AES128 performance | 7,000 | 0.004 |
| AES256 performance | 6,000 | 0.004 |

HSMs outside the Chinese mainland

GVSMs (validated by NIST FIPS 140-2 Level 3)

The hardware and firmware of the GVSM comply with FIPS 140-2 Level 3 certification. You can securely and reliably manage cryptographic keys while using various encryption algorithms to perform robust encryption and decryption operations on data.

Feature

Description

Interface specifications

PKCS#11 interface specification.

Encryption algorithms

  • Symmetric encryption algorithms: Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) (128-, 192-, and 256-bit keys are supported).

  • Asymmetric encryption algorithms: Rivest-Shamir-Adleman (RSA) with key lengths from 2048 to 4096 bits, and Elliptic Curve Cryptography (ECC).

  • Digest algorithms: Secure Hash Algorithm 1 (SHA-1), SHA-256, SHA-384, and SHA-512.

Performance references

  • Computing performance of RSA-2048 signing and verification: 1,100 operations per second.

  • EC P256 point multiplication performance: 315 operations per second.

  • AES-256 duplex communication encryption speed: 300 MB per second.

  • RSA-2048 key generation performance: 0.5 pairs per second.

  • Random number generation speed: 20 MB per second.

  • Maximum concurrent connections: 5,000.

Limits

  • Maximum number of keys supported per GVSM: 3,300.

  • Maximum number of users supported per GVSM: 1,024.

  • Username character length: 31.

  • User password character length range: 7 to 32.