"We Mean E-Business since 1998"

Hardware Security Modules (HSMs)

A Hardware Security Modules (HSMs) is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.

Hardware Security Modules (HSMs) may possess controls that provide tamper evidence such as logging and alerting and tamper resistance such as deleting keys upon tamper detection. Each module contains one or more secure cryptoprocessor chips to prevent tampering and bus probing.
Many HSM systems have means to securely backup the keys they handle either in a wrapped form via the computer’s operating system or externally using a smart card or some other security token.
Because HSMs are often part of a mission-critical infrastructure such as a public key infrastructure or online banking application, HSMs can typically be clustered for high availability. Some HSMs feature dual power supplies and field replaceable components such as cooling fans to conform to the high-availability requirements of data center environments and to enable business continuity.

A few of the HSMs available in the market have the ability to execute specially developed modules within the HSM’s secure enclosure. Such an ability is useful, for example, in cases where special algorithms or business logic has to be executed in a secured and controlled environment. The modules can be developed in native C language, in .NET, Java, or other programming languages. While providing the benefit of securing application-specific code, these execution engines protect the status of an HSM’s FIPS or Common validation.

What is HSM used for?

A hardware security module can be employed in any application that uses digital keys. Typically the keys must be of high-value – meaning there would be a significant, negative impact to the owner of the key if it were compromised.
The functions of an HSM are

  • on-board secure cryptographic key generation
  • on-board secure cryptographic key storage and management
  • use of cryptographic and sensitive data material
  • Offloading application servers for complete asymmetric and symmetric cryptography.

HSM is also deployed to manage Transparent Data Encryption keys for databases.

HSMs provide both logical and physical protection of these materials, including cryptographic keys, from non-authorized use and potential adversaries.

The cryptographic material handled by most HSMs are asymmetric key pairs (and certificates) used in public-key cryptography. Some HSMs can also handle symmetric keys and other arbitrary data.

PKI environment (CA HSMs)

In PKI environments, the HSMs may be used by certification authorities (CAs) and registration authorities (RAs) to generate, store, and handle key pairs. In these cases, there are some fundamental features a device must have, namely:

  • Logical and physical high-level protection
  • Multi-part user authorization schema (see Blakley-Shamir secret sharing)
  • Full audit and log traces
  • Secure key backup

On the other hand, device performance in a PKI environment is generally less important, in both online and offline operations, as Registration Authority procedures represent the performance bottleneck of the Infrastructure.

Card payment system HSMs (bank HSMs)

Limited-feature HSMs are used in card processing systems. These systems are usually less complex than CA HSMs and normally do not feature a standard API. These devices can be grouped into two main classes:

OEM or integrated modules for automated teller machines and point of sale terminals:

  • to encrypt the personal identification number (PIN) entered when using the card
  • to load keys into protected memory.
© 2016 - All rights reserved.