Monday, August 17, 2015

Hardware Security Module :- lock your master key and never let it leave

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. (from wiki)

A hardware security module (HSM) is a physical device that provides secure storage for encryption keys. It also provides secure computational space (memory) to perform encryption and decryption operations.

An HSM provides secure cryptographic key storage and operations within a tamper-resistant hardware device. An HSM is worth looking into whenever security, compliance, key management, etc. are of utmost importance.
A hardware security module can be employed in any application that uses digital keys. Typically the keys are high-value, meaning there would be a significant negative impact to the owner of the key if it were compromised.
The functions of an HSM are:
  • onboard secure cryptographic key generation
  • onboard secure cryptographic key storage and management
  • use of cryptographic and sensitive data material
  • offloading application servers for complete asymmetric and symmetric cryptography.
Here we list some use cases, practical/possible applications of HSMs :-

  • Database - TDE (transparent data encryption):-
    Several commercial database engines support a feature called transparent data encryption (TDE) that can seamlessly encrypt the data in a database. Transparent data encryption can use an HSM to provide enhanced security for sensitive data. The HSM stores the master encryption key used for transparent data encryption. The key is secure from unauthorized access attempts because the HSM is a physical device and not an operating system file. All encryption and decryption operations that use the master encryption key are performed inside the HSM, so the master encryption key is never exposed in insecure memory.
  • Cryptographic accelerator:-
    An HSM delivers significant performance benefits and reduces hardware costs. HSMs can provide significant CPU offload for asymmetric key operations, though they cannot compete with hardware-only solutions for symmetric key operations. Performance ranges from 1 to 7,000 1024-bit RSA signs/second.
  • Compliance-sensitive industries:-
    Wherever data is sensitive, critical and highly personal it needs to be encrypted. The healthcare, legal and finance industries, governments, banks... all have to deal with a lot of compliance clearance to make sure their data/documents/information use high-standard encryption and key management. HSMs can help in enforcing PCI DSS, PCI PTS, DES, FIPS, HIPAA and TR-39 compliance. Most of these follow the same pattern: applications sign and decrypt data, but the private keys are located in an HSM.
  • Certificate Management:-
    An HSM can also be used as a service to generate certificates, sign certificate signing requests (CSRs), and store the private keys used with certificates. The CloudHSM is typically used as an architectural building block and root of trust in these applications.
  • EMV data preparation and card personalization
  • Remote key loading for ATM networks
  • Point-to-Point Encryption (P2PE) of cardholder data
  • Credit, debit, and prepaid card fraud prevention
  • MAC calculation to ensure integrity of data in transit and at rest
  • Dynamic key exchange for Point of Sale and ATM
  • PIN translation and verification
  • One-time password generation for online security:-
    Most OTP (One Time Password) solutions are based on a long secret random seed value. This seed also needs to be stored at the validating server so that it can verify the submitted OTP value.
    In a way these seeds have the same role as user-supplied passwords and need to be stored equally securely. Salting & hashing will not work here, as this would break the OTP algorithm: the server needs the raw seed to recompute the expected OTP.
    Most small OTP tokens are physically secured by being more or less tamper-proof, but this does not apply to the server. The remedy is to keep the seed in an HSM and do all cryptographic computations inside it.
  • SSL offloading
  • Sample Applications:
    • PKI key generation & key storage (online CA keys & offline CA keys)
    • Certificate validation & signing
    • Document signing
    • Transaction processing
    • Database encryption
    • Smart card issuance
    See more at: http://www.safenet-inc.com/data-encryption/hardware-security-modules-hsms/luna-hsms-key-management/luna-sa-network-hsm/#content-left
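The one-time password item above is the easiest of these to show in code. The following is an added example, not code from the original post or from any HSM vendor: a stdlib-only Python sketch in which the OTP seed is held and used only inside a class standing in for the HSM boundary, so the validating server receives an opaque handle and a verdict but never the raw seed. The `OtpHsmBoundary` class, `hotp` helper and the look-ahead window are assumptions for illustration; the seed used in the demo is the constructed RFC 4226 test seed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpHsmBoundary:
    """Hypothetical stand-in for an HSM's OTP API: seeds go in, only verdicts come out.

    The seed store and the HOTP computation live inside this class; callers get an
    opaque handle at provisioning time and True/False at verification time.
    """

    def __init__(self, look_ahead: int = 3) -> None:
        self._seeds: Dict[str, bytes] = {}    # handle -> raw seed, never exported
        self._counters: Dict[str, int] = {}   # handle -> next expected counter
        self._look_ahead = look_ahead         # tolerated counter drift (RFC 4226 "s")

    def provision(self, seed: Optional[bytes] = None) -> str:
        """Generate a fresh seed (or import one) inside the boundary; return a handle."""
        handle = secrets.token_hex(8)
        self._seeds[handle] = seed if seed is not None else secrets.token_bytes(20)
        self._counters[handle] = 0
        return handle

    def verify(self, handle: str, submitted: str) -> bool:
        """Check a submitted OTP against the expected counter plus a small look-ahead window."""
        seed = self._seeds[handle]
        base = self._counters[handle]
        for counter in range(base, base + self._look_ahead + 1):
            if hmac.compare_digest(hotp(seed, counter), submitted):
                self._counters[handle] = counter + 1  # resync and block replay of this code
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test seed "12345678901234567890".
    hsm = OtpHsmBoundary()
    handle = hsm.provision(b"12345678901234567890")
    print(hsm.verify(handle, "755224"), hsm.verify(handle, "755224"))  # True False
```

A real HSM would additionally enforce that `_seeds` is non-exportable at the hardware level and would rate-limit `verify`; the class only models the API shape.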

