Hardware Security Module

 

Hardware Security Module (HSM)

Devices dedicated to performing cryptographic functions 

Physical device that provides extra security for sensitive data.

Hardware Security Modules/(HSMs), are devices dedicated to performing strong authentication for digital keys, certificate management, provides crypto-processing and calculation of specific values such as card verification values (CVVs) or Personal Identification Numbers (PINs).

Hardware Security Module systems come in different flavors and form factors, and are less susceptible to corruption and system failures. This is because they do not have an operating system and are attached externally to the device they are serving.

The functions of an HSM are:

  • Onboard secure cryptographic key generation
  • Onboard secure cryptographic key storage.
  • Key management
  • Use of cryptographic and sensitive data material.
  • Offloading application servers for complete asymmetric and symmetric cryptography.

The entire cryptography key lifecycle -- from provisioning, managing, and storing to disposing or archiving the keys -- occurs in the HSM.

The HSMs are either embedded in other hardware, or connected to a server as part of a network, or used as a standalone device offline.

The software and programs may be free, but due to the mission critical nature of the PKI, securely designing, implementing and managing in accordance with standards like CA/Browser Forum needs attention. The deployment of the PKI requires physical and logical security controls, quality of service all the time.

HSM - PKI

 

Secure Key Management 

HSMs provide both logical and physical protection of these materials, including cryptographic keys, from disclosure, non-authorized use, and potential adversaries in order to protect the confidentiality and integrity of the keys. 

Acts as a Trust Anchor

The HSM acts as a trust anchor and provides protection for identities, applications and transactions by ensuring tight encryption, decryption and authentication for a variety of applications.

Provides accelerated cryptographic operations

The software and hardware present in the modules are specifically dedicated for security functions and thus provide faster and superior results.

Invulnerable to attacks over a network

It provides a greater level of security as it does not have an operating system and is thus virtually invulnerable to attacks over a network.

Tamper response

These devices are also known as Tamper Resistant Security Modules (TRSMs) because of their capability to detect any attacks on their surface and securely delete the sensitive content stored in their memory.

Certifications and Standards

As HSMs play a critical role in securing applications and infrastructure, they are certified by internationally recognized standards such as Common Criteria or FIPS 140 to provide users with independent assurance that the design and implementation of the product and cryptographic algorithms are sound. When used in financial payments applications, the security of an HSM should be validated against the HSM requirements defined by the Payment Card Industry Security Standards Council.

The Interfaces

An HSM faces different interfaces with diverse array of application and operating systems. The current HSM interfaces (APIs) supported are:

General Purpose APIs

PKCS#11 Cryptographic Token Interface Standard

JCE: Java Cryptography Extension
Microsoft Cryptography API: Next Generation
OpenSSL

Payment Specific APIs

  1. ByteBuffer Interface
  2. Mark II
  3. Other Vendor Specific APIs

General Purpose HSM

The general purpose HSM ensures the security of cryptographic keys for servers and applications.

  • Equipped with standard cryptographic algorithms
  • Support major OS drivers including VMware and Hyper-V
  • Supports standard APIs like PKCS#11, Java (JCE), Microsoft CAPI and CNG, OpenSSL

Specific Purpose HSM

  • Optimized for specific function
    • Secure Access Module (SAM)
    • Electronic Fund Transfer / Payment System
  • May or may not support standard cryptographic algorithms.
  • Supports specific applications
    • EFT Key management
    • MAC (Message Authentication Code)
  • Supports limited cryptographic algorithms

HSM Application Areas

As HSMs play a critical role in securing applications and infrastructure, they are certified by internationally recognized such as Common Criteria or FIPS 140 to provide users with independent assurance that the design and implementation of the product and cryptographic algorithms are sound. When used in financial payments applications, the security of an HSM should be validated against the HSM requirements defined by the Payment Card Industry Security Standards Council.

HSM Applications

 

For further information, please contact us at sales@rn-trust.com, call +800-RNTrust (7687878) or whatsapp +97144465181.