Use Cases

Crypto Service Gateway supports all widely used crypto algorithms you would expect, e.g. RSA, AES, 3DES, HMAC, etc. and in addition offers advanced functionality to address many common business problems, including:



New Call-to-action
New Call-to-action
New Call-to-action

Cryptomathic CSG
Selected use cases

Endorsed Code Signing

In an ever-connected world with devices, apps and even things (IOT) on the internet, code signing plays an increasingly important role to ensure the integrity, authenticity and provenance of the underlying code - whether that be Windows or mobile applications right through to the signing of firmware for hardware devices.

The CSG service manages a pool of HSMs to ensure a resilient and available code signing service; together with exposing a simple-to-use API for consuming various other cryptographic services. CSG supports both RSA and ECDSA signing. Code signing services are consumed either directly through the CSG’s API (Java, C++, .NET and RESTful) or using a CSG extension. CSG extensions provide additional platform specific encoding and/or integration into 3rd party signtools. Extensions include a CSP for Microsoft Authenticode, JAR/APK signers and more.

Endorsed signing is a unique CSG feature which is tailored for the code-signing market. CSG’s endorsed signing feature gives you the secure work flows necessary to control what code may be signed. Endorsed signing requires that a minimum mandatory number of authorized ‘endorsers’ must endorse a code signing request before a secure signing operation is permitted.

Click here for more information on code signing with CSG.

Managed Data Encryption 

CSG's managed encryption technology addresses a common crypto headache - ensuring encrypted data can be safely decrypted at a later date, even if the original key has been replaced. This technique is ideally suited for long-term storage of encrypted data within a business database, for example. Managed encryption is an optional feature that can be made available to any application using CSG.

Managed encryption provides confidentiality, authenticity and integrity (while normal encryption only offers the first of these). This means CSG can ensure the data hasn't been modified while it was stored. The encrypted data returned by CSG contains a pointer to the key used to perform the encryption. Even if the encryption key is updated, CSG retains access to the old key and can use it to decrypt historical data. Support is also provided for updating old encrypted data to use a newer key.


Tokenization is a common technique for protecting sensitive data, such as PANs, as they pass through business systems. The original data is replaced with a token of the same length, using a reversible process.

CSG offers tokenization as a basic crypto function available to any application. The tokenization process is customizable and can allow parts of the data to pass through unchanged (e.g. the last four digits of the PAN). A configurable mixture of format-preserving encryption and database storage is used to produce the token values.

For those concerned with PCI-DSS, tokenization may provide a way to bring systems out of scope for audits. For more information on PCI-DSS compliance with CSG, please refer to PCI-DSS topic paper.

Secure PIN Management

CSG’s API exposes the ability to perform financial operations such as those required for PIN Management.

The API allows applications to verify PINs (including DUKPT-based encryption), and give the ability to calculate new PIN offsets for facilitating PIN change operation. Also included are functions for secure PIN translation, the process of changing the key that encrypts a PIN. This operation is commonly needed in payment systems, where the PIN must travel through different systems which use different zone-related keys. The PIN translation functions support a variety of standard PIN block formats.

CSG supports PIN functionality using our secure code execution (SCE) technology, which is a vendor-neutral approach to executing code within an HSM.  This approach ensures that all calculations are perform inside the HSM, no intermediary results or PIN data will be exposed in plaintext outside the HSM.

Hybrid Encryption 

There is a limit to how much data can be encrypted using an RSA public key – no more than the length of the key itself. For example, a 2048-bit RSA key cannot encrypt more than 2048 bits (256 bytes). To encrypt larger amounts of data, the typical solution is to use a random symmetric session key to encrypt the data. The public key of the recipient is then used to encrypt the session key. This is known as hybrid encryption.

CSG supports hybrid encryption as a single command, removing the need to code support for this into each application. The policy file defines the type of session key to generate (e.g. AES or Triple-DES) and the mode of encryption.

EMV Authorization

EMV is the payment specification used across the world to process credit and debit card transactions. EMV payment cards contain a secure chip holding a collection of cryptographic keys. These keys are used during a transaction to create a secure cryptogram which is sent back to the corresponding bank/processor for authorization.

CSG’s APIs provide support for EMV transaction authorization (ARQC/ARPC) through both specialized payment HSMs or using our vendor neutral secure code execution (SCE) technology. Other related functionality that the CSG supports includes: EMV issuer scripting (for PIN change) and Dynamic CVC/CVV verification.

Confidential Computing with the Enclave Security Module

Transitioning to the cloud entails addressing challenges related to digital asset protection, including compliance with complex privacy laws, maintaining control over data and encryption keys, and managing risks from shared infrastructure and potential insider threats. Addressing these demands a comprehensive approach to cloud security, incorporating customized security measures and a focus on securing encryption keys, is especially crucial in the uncertain trust levels of a cloud environment.

The Enclave Security Module (ESM) integrates with Cryptomathic's Crypto Service Gateway (CSG) platform as an accessible cryptographic resource, similar to traditional Hardware Security Modules (HSMs). The CSG nodes are positioned within an AWS EC2 instance, acting as a link to the ESM within the AWS Nitro Enclave. Depending on your compliance and security needs, the key management system safeguarding your cryptographic keys can be set up either on-premise or in the cloud, offering a flexible, secure, and compliant key management solution tailored to your specific requirements. 

Check out the ESM Solution Brief

We are always ready to assist you 

No matter your location, our global reach allows us to collaborate with you anywhere in the world! We look forward to hearing from you and assure you of our prompt response.

Contact us



Case Study -

Read the case study to see why Barclays Bank chose CSG as their strategic enterprise crypto service.

Read Case study

Achieving Real-World Crypto-Agility

Learn how a business can assert control over its HSM estate, reduce risk, increase efficiency and attain confident compliance - with Crypto Service Gateway.

 Read White Paper
Code Signing

Topic Paper -
Code Signing

Understand how CSG provides Endorsed Code Signing, enforcing the necessary secure workflows for controlling the code signing process with a business.

 Download Solution Brief