Hardware Security Module
A hardware security module (HSM) is a type of secure cryptoprocessor targeted at managing digital keys, accelerating cryptographic processes (measured in digital signings per second) and providing strong authentication for access to critical keys for server applications. These modules are physical devices that traditionally come in the form of a plug-in card or an external TCP/IP security device that can be attached directly to the server or general purpose computer.
The goals of an HSM are (a) onboard secure generation, (b) onboard secure storage, (c) use of cryptographic and sensitive data material, (d) offloading application servers for complete asymmetric and symmetric cryptography. HSMs provide both logical and physical protection of these materials from non-authorized use and potential adversaries. In short, they protect high-value cryptographic keys.
The cryptographic material handled by most HSMs are asymmetric key pairs (and certificates) used in public-key cryptography. Some HSMs can also handle symmetric keys and other arbitrary data.
Many HSM systems have means to securely back up the keys they handle, either in a wrapped form via the computer's operating system or externally using a smartcard or some other security token. HSMs should never allow for secrets' exportation in plaintext form, even when migrating between HSMs or performing backup operations.
Some HSM systems are also hardware cryptographic accelerators. They usually cannot beat the performance of software-only solutions for symmetric key operations. However, with performance ranging from 1 to 7,000 1024-bit RSA signs/second, HSMs can provide significant CPU offload for asymmetric key operations. Since NIST is recommending the use of 2,048-bit RSA keys from year 2010, performance at longer key sizes is becoming increasingly important.
Because HSMs are often part of a mission-critical infrastructure such as a public key infrastructure or online banking application, HSMs can typically be clustered for high availability. Some HSMs feature dual power supplies to enable business continuity.
A few of the HSMs available in the market have the ability to execute specially developed execution modules within the HSM's secure enclosure. Such ability is useful, for example, in cases where special algorithms or business logic has to be executed in a secured and controlled environment. The execution modules can be developed in native C language, in .NET, Java or other programming languages. While providing the benefit of securing application-specific code, these execution engines confuse the status of an HSM's FIPS or Common Criteria validation.
Tamper protection
The tamper evidence, resistance, and response – tamper protection – are the key and major differences HSMs have from usual server computers acting as cryptographic accelerators.
Whereas there are some standards covering security requirements for cryptographic modules, the most widely accepted (both as customers’ choice and government requests) is the NIST FIPS 140-2.
HSM software APIs
Below is a list of popular cryptography APIs that can be used with hardware modules from different vendors.
- PKCS#11 – RSA's API, designed to be platform independent, defining a generic interface to HSMs. Also known as 'cryptoki'
- NCryptoki – .NET wrapper to PKCS#11 HSM - http://www.ncryptoki.com
- OpenSSL – OpenSSL engine API
- JCE/JCA – Java's cryptography API
- Microsoft CAPI – Microsoft's API as used by IIS, CA and others, also available in .NET.
- Microsoft CNG API – Microsoft's next-generation crypto API available for Windows Vista onwards, used by IIS, ADCS and others.
HSM main uses
HSMs can be employed in any application that uses digital keys. Typically the keys must be of high value, meaning there would be a significant, negative impact to the owner of the key if it were compromised. The list of applications is endless, but some of the primary uses include:
PKI environment (CA HSMs)
In the PKI environment, HSMs may be used by certification authorities (CAs) and registration authorities (RAs) to generate, store, and handle key pairs. In this scenario, there are some fundamental features a device must have, namely:
• Logical and physical high level protection
• Multi-part user authorization schema (see Blakley-Shamir secret sharing)
• Full audit and log traces
• Secure key backup
In the PKI environment, the device performance is much less important in both online and offline operations as Registration Authority procedures represent the performance bottleneck of the Infrastructure.
Card payment system HSMs (bank HSMs)
Limited-feature HSMs are used in card processing systems. These systems are usually less complex than CA HSMs and normally do not feature a standard API. These devices can be grouped in two main classes:
OEM or integrated modules for automated teller machines and POS terminals:
- to encrypt the PIN entered when using the card
- to load keys into protected memory
Authorisation and personalisation modules may be used to:
- check an on-line PIN by comparing with an encrypted PIN block
- in conjunction with an ATM controller, verify credit/debit card transactions by checking card security codes or by performing host processing component of an EMV based transaction
- support a crypto-API with a smart card (such as an EMV)
- re-encrypt a PIN block to send it to another authorisation host
- support a protocol of POS ATM network management
- support de-facto standards of host-host key|data exchange API
- generate and print a "PIN mailer"
- generate data for a magnetic stripe card (PVV, CVV)
- generate a card keyset and support the personalisation process for smart cards
The major organization that produces and maintains standards for HSMs in the banking market is the Payment Card Industry Security Standards Council.
SSL connectivity
There are applications where performance is a bottleneck but security must not be forgotten. These applications usually are presented as secure Web services served through HTTPS (SSL/TLS). In this environment, SSL Acceleration HSMs may be employed. Typical performance numbers for these applications range from 50 to 1,000 1024-bit RSA signs/second, although some devices can reach numbers as high as +7,000 operations per second.
DNSSEC
An increasing number of registries use HSMs to store the key material that is used to sign large zonefiles. An open source tool for managing signing of DNS zone files using HSM is OpenDNSSEC.
See also
- Secure cryptoprocessor
- Electronic funds transfer
- Public key infrastructure
- Security token
- IBM 4764
- Transparent Data Encryption