In modern information technology systems, cryptography is found basically everywhere. There are industries where confidential information is of critical importance and it is paramount to guarantee its absolute protection. That's where the international security standards come into play and where you may have heard the term HSM for the first time.
HSMs – Hardware Security Modules – are universally and strongly recommended as a root of trust for cryptographic functions and keys. This raises the question: “Why?” This article will attempt to answer that for you in a short introduction to the world of Hardware Security Modules.
A Hardware Security Module is a physical device designed to safely perform cryptographic operations and manage the lifecycle of cryptographic keys. These tamper-resistant devices may vary in size and available features, but they all possess security boundaries for storing and operating with cryptographic materials. The most widely used are network-attached, rack-mounted HSMs that look like specialized blade servers.
The architecture of such devices is carefully thought out to eliminate possible vulnerabilities on both the hardware and software level, preventing any physical or logical attack on the keys and data stored inside the HSM. This feature is vital to the very foundation of cryptography – the keys.
The Zero Trust architecture of HSMs does not allow access to the secret keys in a decrypted format, and all operations with the keys are executed solely inside the security boundaries. Consequently, a copy of such keys is only available in an encrypted form, which cannot be used outside the HSM. When it comes to key generation itself, all HSMs are equipped with true random number generators (TRNG), which provide a high-quality source of entropy for generating strong cryptographic keys.
To effectively process cryptographic requests, HSMs use cryptoprocessors designed specifically for optimal execution of cryptographic operations. The devices also support interactions with smart cards, which can exponentially increase the storage capacity of cryptographic materials.
In short, HSMs perform cryptographic operations and protect cryptographic keys within a secure hardware device. HSMs can encrypt and decrypt data, create and verify digital signatures or generate and manage cryptographic keys.
HSMs are used as a root of trust for a variety of digital systems. With robust security, these devices protect and manage encryption keys and digital signatures, and allow critical application code components and custom cryptographic functions to be executed safely inside the security boundaries of the HSM.
Interaction between HSMs and other systems occurs through the most common cryptographic APIs. Support for PKCS#11, OpenSSL, Java and Microsoft CNG makes it easy to configure the interaction of the modules with various applications. All modern HSMs support remote administration and monitoring systems, as well as the ability to cluster multiple devices to work on joint tasks.
HSM security is all about mandatory international certifications. The main HSM security standards establish the requirements for the design, implementation and evaluation of hardware security modules.
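Through PKCS#11, the property described earlier (keys usable only inside the boundary, copies available only in wrapped form, generation on the device) shows up as attributes on each key object. The following is an added example, not part of the original article: it audits a constructed key inventory against that property. The labels, the helper names and the policy itself are assumptions; a real audit would read the same attributes from the token through its PKCS#11 library.

```python
# Added example. INVENTORY is constructed sample data, not output from a real HSM.
SECRET_CLASSES = {"CKO_PRIVATE_KEY", "CKO_SECRET_KEY"}

def audit_key(attrs):
    """Return findings for one key object; an unknown attribute counts as unsafe."""
    if attrs.get("CKA_CLASS") not in SECRET_CLASSES:
        return []  # public keys and certificates hold nothing secret
    is_true = lambda name: attrs.get(name) is True
    findings = []
    if not is_true("CKA_SENSITIVE"):
        findings.append("plaintext value can be read through the API")
    elif not is_true("CKA_ALWAYS_SENSITIVE"):
        findings.append("was readable in plaintext earlier in its life")
    # Wrapped backups are acceptable only under a trusted wrapping key.
    extractable = attrs.get("CKA_EXTRACTABLE") is not False
    if extractable and not is_true("CKA_WRAP_WITH_TRUSTED"):
        findings.append("can be wrapped under any wrapping key")
    if not is_true("CKA_LOCAL"):
        findings.append("imported, not generated on the token")
    return findings

def audit(inventory):
    """Map key label -> findings, listing only keys that break the policy."""
    report = {}
    for attrs in inventory:
        findings = audit_key(attrs)
        if findings:
            report[attrs.get("CKA_LABEL", "<unlabelled>")] = findings
    return report

def key(label, cls, **flags):
    """Hypothetical helper: build an attribute dict, prefixing flags with CKA_."""
    return {"CKA_LABEL": label, "CKA_CLASS": cls,
            **{"CKA_" + name: value for name, value in flags.items()}}

INVENTORY = [
    key("ca-signing", "CKO_PRIVATE_KEY", SENSITIVE=True, ALWAYS_SENSITIVE=True,
        EXTRACTABLE=False, LOCAL=True),
    key("db-master", "CKO_SECRET_KEY", SENSITIVE=True, ALWAYS_SENSITIVE=True,
        EXTRACTABLE=True, WRAP_WITH_TRUSTED=True, LOCAL=True),
    key("legacy-tls", "CKO_PRIVATE_KEY", SENSITIVE=True, ALWAYS_SENSITIVE=False,
        EXTRACTABLE=True, WRAP_WITH_TRUSTED=False, LOCAL=False),
    key("ca-signing-pub", "CKO_PUBLIC_KEY", LOCAL=True),
]

if __name__ == "__main__":
    for label, findings in audit(INVENTORY).items():
        print(label, findings)
```

Only the imported key is reported; the key that can be backed up in wrapped form passes because it may be wrapped only under a trusted wrapping key.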
FIPS 140-2 – Federal Information Processing Standard (FIPS) is the U.S. government computer security standard which provides security enhancements designed to cover a wide range of potential applications and environments. Security requirements cover areas related to the secure design and implementation of a cryptographic module.
Common Criteria (CC) – a globally recognized standard and certification (ISO/IEC 15408) that evaluates the security levels of information technology products, such as HSMs. CC provides a common framework and methodology for testing and verifying the security features and functions of HSMs.
Payment Card Industry Hardware Security Module (PCI HSM) – a part of the PCI PIN Transaction Security (PTS) program. The PCI HSM standard specifies the requirements for HSMs intended for use in payment processing systems. It focuses on transaction security, payment card processing, and payment card information security.
As of now, there are two main types of HSMs: General Purpose HSMs and Payment HSMs.
Payment HSMs are developed taking into account the requirements of regulators and security standards of organizations in the non-cash payment sector. These devices include enhanced security measures, such as detailed distribution of user roles and the need for a quorum to conduct an operation. The architecture of the processors and crypto cores of Payment HSMs, as well as their software, is designed for specific operations such as issuing and validating payment cards, protecting payment transactions, working with PIN codes and authenticating payment system users.
General Purpose HSMs are designed for more flexible use wherever cryptography might be implemented. The main difference between General Purpose HSMs and Payment HSMs is that Payment HSMs have more specific and strict security features and functions regarding payment industry standards, while General Purpose HSMs have more flexible and general cryptographic features and functions that can be used for various applications.
In addition to protecting cryptographic data and cryptographic operations, General Purpose HSMs may support the execution of custom applications within a secure environment. Typical uses are for generating, using, managing, securely transferring and disposing of encryption keys and digital signatures.
Generally speaking, HSMs are used for various purposes that involve cryptographic operations. Some of the common examples are:
Public Key Infrastructure (PKI). HSMs are used in PKI at all levels of the hierarchy, generating and managing the PKI keys and, all in all, protecting their lifecycle. They also validate the digital signatures that are crucial for PKI authentication.
Digital payments. The use of HSM in the Payment Card Industry is strictly mandatory for anyone processing payment transactions. Hardware Security Modules are indispensable for issuing plastic cards, generating cryptograms, client authorization and protecting transactions.
Safe production and the Internet of Things (IoT). Reliable authentication of devices when connecting to corporate networks is an important cyber security issue for organizations. HSMs provide each such device with a unique identifier and protect it from cloning or substitution.
Cloud computing. In cloud environments, responsibility for data security often falls on the user rather than the provider. Hardware Security Modules are configured to work with all common cloud services and make it possible to securely store all encryption keys from your cloud data in one place and manage them with ease.
Blockchain. The most important components of a blockchain are private keys and critical code components. HSMs not only securely interact with cryptographic materials without the risk of compromising them, but also execute code within the secure boundaries, protecting it from attackers.
Protecting cryptographic materials and operations is a critical point of any cybersecurity system. We hope this article gave you at least a basic idea why HSMs are at the top of their game when it comes to this particular task. Reliable cryptosystems are essential to secure customer data and business processes. By using HSMs you not only comply with the best global practices, but most importantly safeguard the company’s reputation and maintain clients’ trust.