A hardware security module ( HSM ) is a physical computing device that maintains and manages digital keys for strong authentication and provides cryptoprocessing. These modules have traditionally come in the form of plug-in cards or external devices that attach directly to a computer or network server.
Video Hardware security module
Design
HSMs may have features that provide tamper proof such as visible signs of interruption or logging and warnings, or damage tampers that make difficult interruptions without making HSM operable, or damaging responses such as removing locks on tamper detection. Each module contains one or more secure cryptoprocessor chips to prevent interference and bus inspection, or combination of chips in modules protected by tamper proofer, tamper resistant, or responsive tamper packaging.
Many HSM systems have the means to secure the keys they handle outside of HSM. Keys can be backed up in a wrapped and stored form on a computer disk or other media, or externally using secure portable devices such as smartcards or other security tokens.
Because HSM is often part of mission critical infrastructure such as public key infrastructure or online banking applications, HSM can usually be grouped for high availability. Some HSMs have dual power supplies and replaceable parts in the field such as cooling fans to match the high availability requirements of the data center environment and to enable business continuity. HSM can also be grouped for higher performance.
Some of the HSMs available in the market have the ability to run modules that are developed specifically within the HSM safe enclosure. Such capabilities are useful, for example, in cases where special algorithms or business logic must be run in a safe and controlled environment. Modules can be developed in the original C language, in.NET, Java, or other programming languages. While providing the benefits of securing application-specific code, this execution engine protects FIPS validation status or HSM Criteria validation.
Maps Hardware security module
Security
Due to the important role they play in securing applications and infrastructure, the HSM and/or cryptographic modules they use are usually certified for internationally recognized standards such as Common Criteria or FIPS 140 to provide users with independent assurance that the design and implementation of cryptographic products and algorithms is sound. The highest level of FIPS 140 security certification that can be achieved is Security Level 4 (Overall), very little has been successfully validated by HSM. When used in financial payment applications, the security of HSM is often validated against HSM requirements established by the Payment Card Industry Security Council.
Usage
The hardware security module can be used in any application that uses digital keys. Usually the key must be of high value - meaning there will be a significant negative impact on the key owner if it is compromised.
The functions of HSM are:
- secure onboard cryptographer
- secure cryptographic key storage, at least for the top and most sensitive keys, often called the primary key
- key management
- the use of cryptographic and sensitive data files, for example, perform encryption or digital signature functions
- unpacks the application server for complete asymmetric and symmetric cryptography.
HSM is also deployed to manage Transparent Data Encryption keys for databases and keys to storage devices such as disk or tape.
HSM provides the logical and physical protection of this material, including cryptographic keys, from disclosure, unauthorized use, and potential enemies.
HSMs support symmetric and asymmetric cryptography (public key). For some applications, such as certificate authority and digital signing, cryptographic material is an asymmetric key pair (and certificate) used in public key cryptography. With other applications, such as data encryption or financial payment systems, cryptographic material consists mainly of symmetric keys.
Some HSM systems are also hardware cryptographic accelerators. They usually can not beat the performance of a hardware-only solution for symmetric lock operations. However, with performance ranging from 1 to 10,000 RSA marks of 1024 bits per second, HSM can provide significant CPU offload for asymmetric key operations. Since the National Institute of Standards and Technology recommended the use of RSA 2.048 bit keys from 2010, performance on longer key sizes is becoming increasingly important. To solve this problem, some HSMs now support elliptic curve cryptography (ECC), which provides stronger encryption with shorter key lengths.
PKI Environment (CA HSMs)
In a PKI environment, HSM can be used by certification authorities (CA) and registration authorities (RAS) to generate, store, and handle asymmetric key pairs. In this case, there are some fundamental features that a device must have:
- High-level logical and physical protection
- Multi-part user authorization scheme (see Blakley-Shamir sharing secrets)
- Full audit and trace log
- Secure key backups
On the other hand, device performance in the PKI environment is generally less important, both in online and offline operations, since the Registration Authority procedure represents the bottleneck of Infrastructure performance.
HSMs card payment system (HSMs bank)
Special HSM is used in the payment card industry. HSMs support both general purpose and functional functions required to process transactions and adhere to industry standards. They usually do not have a standard API.
Typical applications are transaction authorization and payment card personalization, which require functions such as:
- verify that the PIN entered by the user matches the reference PIN known to the card issuer
- in conjunction with an ATM or POS controller, verify credit/debit card transactions by checking the card's security code or by performing host processing components of an EMV-based transaction
- supports crypto-API with smart card (like EMV)
- re-encrypts the PIN block to send it to another authorization host
- perform secure key management
- supports ATM POS network management protocol
- supports the de facto standard of host keys | Data exchange API â ⬠<â â¬
- create and print "PIN mail"
- generate data for magnetic stripe card (PVV, CVV)
- generate card lock and support personalization process for smart card
Large organizations that produce and maintain standards for HSM in the banking market are the Payment Card Industry Security Standards, ANS X9, and ISO.
Establish an SSL connection
The performance of critical applications that must use HTTPS (SSL/TLS), can take advantage of the use of SSL Acceleration HSM by moving RSA operations, which typically require multiple large integer digits, from the host CPU to the HSM device. A typical HSM device can perform about 1 to 10,000 RSA operations of 1024 bits/sec. Some performance on longer key sizes is becoming increasingly important. To solve this problem, some HSM now support elliptical curve cryptography. Special HSM devices can achieve as high as 20,000 operations per second.
DNSSEC
More and more registrars use HSM to store the key ingredients used to sign large zone files. The open source tool for managing the signing of DNS zone files using HSM is OpenDNSSEC.
On January 27, 2007, DNSSEC deployment for the root zone officially began; it is done by ICANN and Verisign, with support from the US Department of Commerce. Details of the root signature can be found on the DNSSEC Root website.
Cryptocurrency Wallet
The cryptocurrency hardware wallet is HSM in the form of a portable device.
See also
- Electronic funds transfer
- FIPS 140
- Public key infrastructure
- PKCS 11
- Secure cryptoprocessor
- Security Token
- Transparent Data Encryption
Notes and references
External links
Manual HSM Dinamo (Achitecture, Developer, Configuration, Integration, Locks, etc)
- The current NIST FIPS-140 certificate
- Review of the Hardware Security Module
Source of the article : Wikipedia