The term Hardware Security Module (HSM) refers to an internal or external peripheral device for the efficient and secure execution of cryptographic operations or applications for sensitive data. This makes it possible, for example, to ensure the trustworthiness and integrity of data and the associated information in business-critical IT systems. In order to ensure trustworthiness, it may be necessary to protect the cryptographic keys used, both in terms of software and against physical attacks or side-channel attacks.
Features of Hardware Security Module (HSM)
Several cryptographic algorithms can be implemented in an HSM:
- Asymmetric cryptosystems, e.g. RSA (encryption or signature), ECDSA, Diffie-Hellman key exchange, Elliptic Curve Cryptography
- Symmetric encryption and decryption: AES, DES, Triple-DES, IDEA
- Cryptographic hash functions: SHA-1, SHA-2 / SHA-256
- Generation of random numbers, keys and PINs (both physical and deterministic))
HSMs usually offer extensive functions for the secure management of the device and the keys. Examples are the authentication of operators and administrators by hardware tokens (e.g. chip cards or security tokens), access protection in the multi-eyes principle (k out of n persons required), encrypted backup of keys and configuration data, secure cloning of the HSM.
---
A feature of many HSMs is their ability to actively defend against attacks, which describes it as “tamper-responsive” (i.e. reacting to manipulation attempts). Some of the first devices of this type were equipped with self-destructive technology to ensure that their data would not be compromised under any circumstances.
Modules of Hardware Security Module (HSM)
Trusted Platform Module (TPM) primarily stores derived keys from IT systems and people. The field of application is typically the security of security-relevant information for smaller IT systems (e.g. PCs, notebooks, printers, network components, cars and other things).
Software HSMs, such as the SoftHSM2 implementation, provide the software functionality of an HSM, but without the protection of a hardware crypto processor. By definition, a software HSM is not a true HSM because the keys are not protected from physical attacks or (offline) brute force attacks. Although the keys in a software HSM are protected by a PIN, the keys can be duplicated and copied.
USB or PCIe Hardware Security Modules (USB HSM, PCIe HSM) are suitable for cryptographic applications of a PC or server and are physically connected or installed on the PC or server. These modules usually have low cryptographic performance and can store few keys.
A network hardware security module (network HSM) is designed for particularly valuable security-relevant information (master keys, keys of global importance, etc.) and for high performance requirements. The areas of application are typically security components for larger IT systems, secure manufacturing or in the high-security environment.
Areas of Application of Hardware Security Module (HSM)
Possible areas of application for an HSM are:
- Creation of personalization data for the production of debit (e.g. Maestro card) and credit cards (e.g. MasterCard, Visa, American Express, Diners) as well as identity documents with chip technology (e.g. identity cards, driver’s licenses, passports)
- Security processor in the networks of payment service providers
- Secure PIN Letter Creation
- Transaction protection in toll systems
- Time stamping services
- Signature server
- Archiving systems
- Certificate Authority (as part of a PKI))
- E-mail protection according to S/MIME standard or PGP
- E-tickets
- Key derivation for IoT devices
- DNS protection
Blockchain
Crypto wallet
Internet of Things
