What Is a Hardware Security Module (HSM)? Definition & Explanation

Date: February 20, 2023

Hardware Security Module (HSM) for Modern Systems

Hardware Security Modules (HSMs) are secure physical devices that perform cryptographic operations on sensitive data. They are necessary for carrying out secure operations with cryptographic keys. In many industries, for example the Payment Card Industry (PCI), the presence of an HSM is a mandatory requirement, without which organizations are not permitted to continue their activities.

What Is an HSM?

A Hardware Security Module (HSM) is a dedicated computing device designed to securely perform cryptographic operations at high speed and to store and manage cryptographic material (keys). The main operations an HSM performs are encryption, decryption, cryptographic key generation, and digital signature operations. In addition, some HSMs offer an option to load custom code and run it in a secure environment as well.

Hardware Security Modules store cryptographic keys in such a way that it is impossible to extract them in clear-text (unencrypted) form. Therefore, all operations with sensitive data occur within the secure boundary of the HSM.

Traditionally, HSMs are used in scenarios where the security system must provide a level of protection at which the cost and complexity of a successful attack are so high that the risk of such an attack is close to zero.


How Do HSMs Function?

Simply put, HSMs are designed to protect cryptographic keys and to perform cryptographic operations. The primary purpose of an HSM is to protect encryption keys from being compromised or leaked. Other HSM functions across the cryptographic key lifecycle include secure key generation and management, key backup, key exchange, and final disposal.

Acting as the root of trust in a security system, the HSM protects sensitive data from being compromised, as it is never stored or transmitted unencrypted. All sensitive data can be handled only within the secure boundary of the HSM.

HSMs are tamper-resistant devices: when a tamper alert is raised, the HSM switches to a disabled, unresponsive state. An HSM provides granular event control through logging and alerting. In case of unauthorized access, all keys are instantly deleted.

HSMs are designed to handle a large number of requests and to be fault tolerant. They also support device scaling and clustering.

An important feature of all HSMs is protecting the company's sensitive data from any kind of malicious insider action. Role-based access control features allow you to apply policies to individual key containers, such as requiring a quorum of administrators to present a smart card and PIN to gain access to device administration. Even a fully authorized quorum cannot extract or compromise the protected data outside the security boundary.

Hardware Security Module Architecture

Hardware security modules (HSMs) are hardened, tamper-resistant devices that protect your company's most sensitive data and allow the company to comply with security standard requirements. Most HSMs carry mandatory security certifications, the most widely used of which is FIPS 140-2, a globally recognized U.S. government NIST standard that validates the security robustness of cryptographic modules. It defines several security levels; FIPS 140-2 Level 2 and Level 3 are the most widely required.

In terms of form factor, Hardware Security Modules are available as an embedded PCI card, a desktop USB-attached module, or a rack-mounted server appliance. Depending on the form factor and the model, the speed of cryptographic operations varies, as does the number of applications that can run on one HSM. The physical shell of the HSM is equipped with tamper sensors, and chip combinations in the module provide tamper detection and response.

Each HSM contains one or more secure cryptoprocessor chips, which perform symmetric and asymmetric cryptographic operations and hash functions and are themselves tamper-resistant. HSMs also have a built-in hardware true random number generator, which is necessary for the unpredictability of the encryption keys generated in the HSM.

Communication with the HSM is usually carried out over RJ45 (Ethernet) or USB ports to which the host device is connected. Some models have a smart card reader and additional security mechanisms such as physical key locks. Moving a lock to one position or another moves the HSM from one state to another. This serves as an additional access control measure when performing critical operations on the module, and as a means of mutual control among the administrators or security officers in a quorum.

Important HSM Features

The hardware security module's options and capabilities can benefit any application that uses cryptographic keys. Typically, almost any key has a very high value, meaning that if it is compromised, there will be a significant negative impact on the owner of the key. For reliable protection of key material, an HSM has the following features:

  • Physical and logical protection against access to key material by either intruders or insiders.
  • The inability to extract critical data from the device in unencrypted clear-text form.
  • Detailed access control to the device with different sets of rights.
  • Secure cryptographic key generation, storage, management, exchange and utilization throughout the key lifecycle.
  • Performing encryption, decryption, or digital signature functions.
  • Support for symmetric and asymmetric cryptography and hash functions.
  • The ability to securely execute code of critical application components within the secure boundary.
  • Support for popular cryptographic APIs for easy integration into the company's digital infrastructure.
  • Cryptographic offloading, which takes cryptographic tasks off application servers to increase speed and free up computing resources.
  • Scalability and an option to use multiple HSMs within a single system.

How Are HSMs Used?

HSMs are used wherever high-level data protection is required. Traditionally, these industries have been the banking sector and financial institutions, healthcare, and government organizations. However, due to the accelerating digitalization of all organizations, reliable data protection tools are needed by an increasing number of companies.

Today HSMs secure the following digital processes among many others:

  • Issuing payment cards, protecting transactions, online banking and mobile POS terminals.
  • Protection of private keys in PKI (Public Key Infrastructure).
  • Protection of root certificates and private keys for Certificate Authorities (CAs) and Registration Authorities (RAs).
  • Issuing digital identities.
  • DNS registry protection.
  • Digital signing of documents and code signing.
  • Managing TLS/SSL certificates for advanced web application security.
  • Protecting IoT devices.
  • Cloud storage and cloud computing protection.
  • Protection of blockchains and crypto wallets.
  • Encryption of databases and hard drives.
  • Management of encryption keys at the corporate level.

How HSM Can Help Your Business

Implementing an HSM in your company's infrastructure can help your business in many ways. The most obvious is a major increase in the security of sensitive data and of your digital business processes. The larger and more complex an organization's IT infrastructure, the more vulnerabilities there are and the more attractive it becomes to fraudsters or malicious insiders. Therefore, if you are thinking about how to protect your company from reputational and financial losses due to data leaks or hacks, an HSM can help you mitigate these risks.

In addition, the presence of an HSM is required by regulators in many industries. For example, without an HSM it is impossible to digitally accept payments in many countries of the world. The same applies to the storage of customers' or users' personal data: depending on the degree of sensitivity, such data may need to be protected only by solutions with a certain level of certification. HSMs are certified security devices that help you meet regulators' requirements and thereby open new opportunities for your company.

Cloud Computing and HSMs

Nowadays, most companies aim to run the majority of their IT workloads and applications in the cloud, with one or more cloud service providers. If you run critical applications and store sensitive data in a cloud environment, they require encryption. Your security policy or regulatory requirements may obligate you to protect these cloud encryption keys with an HSM.

Most major cloud providers now offer an HSM-based cloud service. But if you use several cloud providers, each cloud service will have its own HSM, which greatly complicates key management and security policies.

The easier way is to use a cloud HSM provider. This allows you to centrally manage and secure all your cryptographic operations, not only across all cloud provider environments but also in your local networks. Many companies migrating to a cloud-based HSM need to consider a hybrid approach and complement it with on-premise solutions where the cloud does not meet performance, operational, or security requirements.

What Is a Root of Trust?

The root of trust in a security system is the set of elements of the security architecture whose reliability cannot be doubted; the whole security architecture is built on it. Typically, the root of trust is the Hardware Security Module (HSM). Such an important role is assigned to this module because HSMs are reliably tamper-proof and meet the strictest device security requirements of international data protection standards. Since HSMs adhere to FIPS 140-2, Common Criteria, eIDAS and other security compliance schemes, making the HSM the root of trust allows businesses to meet the highest digital security compliance requirements.

What Is Random Number Generation?

Random number generation is a process that uses a device to generate a sequence of numbers or symbols that cannot reasonably be predicted better than by chance. Random number generators are divided into:

  • Hardware Random Number Generators (HRNGs), which generate random numbers depending on the current value of some attribute of the physical environment, which is almost impossible to model.
  • Pseudorandom Number Generators (PRNGs), which generate numbers that look random but are actually deterministic and can be reproduced if the model (template) on which the pseudorandom number generator is based is known.

Types of Hardware Security Modules (HSMs)

Hardware Security Modules can be divided according to their purpose. To date, two main types of HSMs are common: General Purpose HSMs and Payment HSMs.

1. General Purpose Hardware Security Modules

General Purpose Hardware Security Modules are designed to run common cryptographic algorithms and to manage cryptographic keys. There are many scenarios for their use; in fact, all processes related to cryptographic keys and functions can be integrated with HSMs. In addition, some HSM models of this type offer an option to upload your own code, or a custom-developed cryptographic algorithm, for secure execution.

A General Purpose HSM is very flexible and can be used in any application that operates with cryptographic keys and doesn’t require any additional controls imposed by a Payment HSM. Examples include management of the symmetric keys used for database encryption, or management of the asymmetric keys used for the creation of digital signatures and certificates to support PKI (Public Key Infrastructure) and crypto wallets.

A General Purpose HSM complies with the international regulatory requirements of the following standards: FIPS 140-2, Common Criteria, eIDAS, FISMA, and RGPD (GDPR). Some General Purpose HSMs meet other standards as well, but these are the most common.

General-purpose HSMs are ready to issue and process digital certificates, digitally sign documents and software code, encrypt/decrypt or tokenize data, and manage encryption keys.

A General Purpose HSM is typically optimized for asymmetric cryptography, as it is very resource-intensive when performed by host server applications and is widely used for many different services. Data encryption and decryption are usually performed by the server software application using a symmetric key it receives from the HSM at start-up; the data itself does not necessarily pass through the HSM.

Entrust nShield Connect – one of the most popular General Purpose HSMs

2. Payment Hardware Security Modules

Payment Hardware Security Modules are specialized HSMs. As the name suggests, they address the challenges of banking and financial institutions. A Payment HSM provides the tougher security controls mandated by certain payment industry standards and is equipped with features that help organizations comply with the regulations imposed on the payment industry, such as PCI (Payment Card Industry) requirements.

Payment HSMs are designed to meet the following industry security standards: PCI DSS, PCI HSM, CPoC, SPoC, Merchant, Card Manufacturing, Secure PIN, 3DS.

Payment HSMs are provided with special cryptographic commands and extended security and access policies. In payment use cases, the payment software application cannot have access to sensitive data and keys, so the HSM not only performs the basic cryptographic functions, it also understands the format of the specialized commands and generates correctly formatted output data. Some Payment HSM use cases include:

  • PIN generation, management, and validation
  • PIN block translation during the network switching of ATM and POS transactions
  • Card, user and cryptogram validation during payment transaction processing
  • Payment credential issuing for payment cards and mobile applications
  • Point-to-point encryption (P2PE) key management and secure data decryption
  • Sharing keys securely with third parties to facilitate secure communications
  • Electronic funds interchange (EFTPOS, ATM)
  • Cash-card reloading
  • EMV transaction processing
  • Key generation and injection

A Payment HSM is optimised for high-volume symmetric encryption of small data elements. Transactions in the payments industry are typically quite small in data size and huge in volume. That is why symmetric encryption is used to secure them: it is much faster and more efficient to process than asymmetric encryption. Generally, it is safe to say that symmetric encryption is more effective for data in transit, although asymmetric cryptography is also used for digital certificates and signatures.
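The PIN block translation use case listed above, as an added example that is not code from the article or from any HSM vendor: a small Go simulation of the switch-side "translate" command, in which the clear PIN block exists only inside the simulated HSM and the host only ever handles blocks encrypted under a PIN Encryption Key (PEK). The key labels, TDES key values and PAN are constructed test data, and the ISO 9564-1 format 0 PIN block layout is taken from the standard, not from the article.

```go
// Added example (not from the article): a simulated Payment HSM "PIN block
// translation" command; key labels, key values and the PAN are test data.
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// mustTDES builds a TDES block cipher from a 24-byte hex test key.
func mustTDES(h string) cipher.Block { k, _ := hex.DecodeString(h); c, _ := des.NewTripleDESCipher(k); return c }

// peks stands in for PIN Encryption Keys held inside the HSM boundary; the
// host application only ever refers to them by label.
var peks = map[string]cipher.Block{
	"PEK-ATM":    mustTDES("0123456789abcdeffedcba98765432100011223344556677"),
	"PEK-ISSUER": mustTDES("89abcdef0123456776543210fedcba98a1b2c3d4e5f60718"),
}

// pinBlockFormat0 builds an ISO 9564-1 format 0 clear PIN block: the PIN
// field (0|len|PIN|F padding) XOR the PAN field (0000|12 PAN digits before
// the check digit). A terminal builds this before encrypting under its PEK.
func pinBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 || strings.Trim(pin+pan, "0123456789") != "" {
		return nil, errors.New("PIN must be 4-12 digits and PAN at least 13 digits")
	}
	pinField, _ := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), (pin + "FFFFFFFFFFFFFF")[:14]))
	panField, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	block := make([]byte, 8)
	for i := range block {
		block[i] = pinField[i] ^ panField[i]
	}
	return block, nil
}

// TranslatePINBlock is the switch-side HSM command: decrypt under the
// incoming PEK and re-encrypt under the outgoing PEK. The clear block is a
// local variable here and is never returned to the host application.
func TranslatePINBlock(enc []byte, from, to string) ([]byte, error) {
	in, ok1 := peks[from]
	out, ok2 := peks[to]
	if !ok1 || !ok2 || len(enc) != 8 {
		return nil, errors.New("unknown key label or malformed PIN block")
	}
	clear, res := make([]byte, 8), make([]byte, 8)
	in.Decrypt(clear, enc)
	out.Encrypt(res, clear)
	return res, nil
}
```

A real Payment HSM additionally enforces key-usage attributes (a PEK cannot be used as a general data key) and supports several PIN block formats; this simulation covers only format 0 and the translate step.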

payShield 10K is currently the most used payment HSM in the world

Difference Between HSM and TPM Modules for Encryption

A TPM is a tamper-proof cryptographic device that stores encryption keys, just like an HSM. Can we say that they perform the same function? Not really.

HSMs are designed for high-performance encryption/decryption and key management and are usually hosted in data centers. An HSM has interfaces for host commands and cryptographic APIs for communication with other applications. In addition, the performance of cryptographic operations in some HSM models exceeds the hardware capabilities of any computer with a TPM on board. Finally, an HSM can work as a standalone unit.

As for the TPM, it cannot work without the motherboard or processor into which it is directly integrated. HSMs can work with multiple applications, while a TPM can only work with its own computer or device. A TPM's functions are limited to checking the status of the computer, storing encryption keys, and encrypting/decrypting data in the computer's memory to provide additional security for locally stored and processed data.


An example of a simple computer attached TPM unit

Conclusion

The security of sensitive data is a critical aspect of today's organizations. HSMs act as the root of trust for data security in the digital infrastructures of banks, financial institutions, government organizations and many other enterprises. Helenix has extensive experience distributing and integrating Hardware Security Modules for a variety of tasks. Don't hesitate to Contact Us if you have any further questions.

FAQ

HSM (Hardware Security Module) is a secure, trusted physical device that performs cryptographic functions. Typically, an HSM is a physically intrusion-proof computer with an embedded cryptographic chip. Proving its reliability, every HSM on the market possesses mandatory security certifications.

An HSM is designed to securely perform cryptographic operations and manage cryptographic keys. With it, one can perform operations with cryptographic keys, encrypt and decrypt data, and sign digital documents or code.

An HSM is used as the root of trust in cryptographic systems that protect sensitive data. Whether you are looking to improve your company's data security or meet industry data protection regulations, an HSM is the way to go. Some types of data in the financial and government sectors are legally required to be protected by a certified HSM.

A Key Management System (KMS) is a system for managing cryptographic keys; often such systems are implemented in software. An HSM, in addition to offering more functionality than a KMS, is always a separate hardware module. Any KMS can be strengthened with an HSM to protect its keys.