HARDWARE SECURITY MODULES (HSMs)

Similar documents
Getting to Grips with Public Key Infrastructure (PKI)

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

PKI Credentialing Handbook

Who s Protecting Your Keys? August 2018

Delivering Certificates or Trust Building Robust PKIs Alan T Liddle Msc BSc PgDip FBCS CEng CITP AMP MIMMM

IDCore. Flexible, Trusted Open Platform. financial services & retail. Government. telecommunications. transport. Alexandra Miller

Thales e-security. Security Solutions. PosAm, 06th of May 2015 Robert Rüttgen

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Utimaco HSM Introduction JIPDEC Seminar June 2017

White Paper. Deploying CKMS Within a Business

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Overview. SSL Cryptography Overview CHAPTER 1

Encryption and Key Management. Arshad Noor, CTO StrongAuth, Inc. Copyright StrongAuth, Inc Version 1.1

Security Requirements for Crypto Devices

Adding value to your MS customers

HARDWARE SECURITY MODULES DEPLOYMENT STRATEGIES FOR ENTERPRISE SECURITY

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.

Keep your fingers off my keys today & tomorrow

VMware, SQL Server and Encrypting Private Data Townsend Security

Security Architecture Models for the Cloud

VMware, SQL Server and Encrypting Private Data Townsend Security

1. Product Overview 2. Product Features 3. Comparison Chart 4. Product Applications 5. Order Information 6. Q & A

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

Remote Key Loading Spread security. Unlock efficiency

Digital signatures: How it s done in PDF

Dyadic Enterprise. Unbound Key Control For Azure Marketplace. The Secure-As-Hardware Software With a Mathematical Proof

Creating Trust in a Highly Mobile World

Dyadic Security Enterprise Key Management

This Security Policy describes how this module complies with the eleven sections of the Standard:

PKI at the Crossroads: the Impact of the IoT and more! Amogh Ranade

QuoVadis Trustlink Schweiz AG Teufenerstrasse 11, 9000 St. Gallen

The Open Application Platform for Secure Elements.

eidas compliant Trust Services with Utimaco HSMs

Root and Issuing CA Technical Operations Overview

Symmetric Key Services Markup Language Use Cases

TransKrypt Security Server

PCI Compliance Whitepaper

Unbound and Oasis KMIP Interoperability

Enterprise Key Management Infrastructure: Understanding them before auditing them. Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC

nshield GENERAL PURPOSE HARDWARE SECURITY MODULES

Watson Developer Cloud Security Overview

Alliance Key Manager A Solution Brief for Partners & Integrators

Channel FAQ: Smartcrypt Appliances

XenApp 5 Security Standards and Deployment Scenarios

Securing Smart Meters with MULTOS Technical Overview

THE THALES SECURITY WORLD ARCHITECTURE

Hardware Cryptography and z/tpf

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

CREDENTSYS CARD FAMILY

Apple Inc. Certification Authority Certification Practice Statement

APNIC DNSSEC APNIC DNSSEC. Policy and Practice Statement. DNSSEC Policy and Practice Statement Page 1 of 12

Moser Baer Group 25 years of excellence

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

The SafeNet Security System Version 3 Overview

ProtectV StartGuard. FIPS Level 1 Non-Proprietary Security Policy

Secure Government Computing Initiatives & SecureZIP

SafeNet ProtectApp APPLICATION-LEVEL ENCRYPTION

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Sensitive Data and Key Management for DBAs

EDTA, itext and INBATEK Conference. Bangkok, July 27, 2017

Key Management in a System z Enterprise

Architecture 1 3. SecureToken. 32-bit microprocessor smart chip. Support onboard RSA key pair generation. Built-in advanced cryptographic functions

MX900 SERIES PCI PTS POI SECURITY POLICY

Paperspace. Security Primer & Architecture Overview. Business Whitepaper. 20 Jay St. Suite 312 Brooklyn, NY 11201

Introduction to Device Trust Architecture

Interface. Circuit. CryptoMate

Installation and usage of SSL certificates: Your guide to getting it right

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

Dr. Char-Shin Miou Chunghwa Telecom. Co. April 7, 2011

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Trusted Platform Module explained

1. Product Overview 2. Product Features 3. Comparison Chart 5. Q & A

WHITE PAPER Complying with the Payment Card Industry Data Security Standard

Connecting Securely to the Cloud

CYBERSECURITY AND SERVICE STATIONS

NIST Cryptographic Toolkit

Apple Inc. Certification Authority Certification Practice Statement

Contents. Notices Terms and conditions for product documentation.. 45 Trademarks Index iii

Certification Authority

CardOS Secure Elements for Smart Home Applications

Axway Validation Authority Suite

MU2b Authentication, Authorization and Accounting Questions Set 2

PCI Compliance Whitepaper

SecureDoc Disk Encryption Cryptographic Engine

The evolving storage encryption market

Electronic and digital signatures in Adobe Sign for government.

On Demand Cryptographic Resources for Your Virtual Data Center and the Cloud: Introducing SafeNet s Crypto Hypervisor

Trojan-tolerant Hardware & Supply Chain Security in Practice

SQL Server Security Azure Key Vault

1. Product Overview 2. Product Features 3. Product Value 4. Comparison Chart 5. Product Applications 6. Q & A

Secured by RSA Implementation Guide. Last Modified: August 2, 2013

Utimaco IS GmBH. Teo Poh Soon Director. CryptoServer Products Aachen, Germany June 2014 Page 1

SSL Configuration Oracle Banking Liquidity Management Release [April] [2017]

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Ultra Electronics AEP Networks Ltd Ultra Safe Keyper

Certicom Security for Government Suppliers developing products to meet the US Government FIPS security requirement

Authentication Technology for a Smart eid Infrastructure.

Transcription:

HARDWARE SECURITY MODULES (HSMs)

Cryptography: The basics Protection of data by using keys based on complex, randomly-generated, unique numbers Data is processed by using standard algorithms (mathematical formulae) key length measure is bits (more bits = more variants) Symmetric encryption: one key to encrypt and decrypt data. E.g. AES256 Asymmetric encryption: Public and Private key pair to sign and verify identity as well as to exchange keys securely. e.g. RSA 2048 Hashing checks authenticity/integrity e.g. SHA2 Longer keys and regular rekeying adopted to combat increasing strength of hackers Move to ECC (asymmetric) - enables shorter keys and less processing power for equivalent levels of security Data security depends on keys. These must be kept secure, hence the need for HSMs 2

What is an HSM? Secure memory device to store vital data objects cryptographic Private/secret keys Hardware designed to detect attack and respond by deleting keys Dedicated hardware provides high-performance cryptographic processing engine Built to comply with internationally-recognised security standards e.g. FIPS 140-2 Levels 3 or 4 Hardware device (as opposed to software service) enforces separation of duties away from Admin/Systems team to dedicated security team 3

Why are they used? HSMs provide a secure storage and processing environment for keys that protect data or signing transactions. They can hold 1000s of keys and secure many applications on many servers HSMs can also hold the Master Key that secures an unlimited number of external keys User application keys never in clear in HSM storage secured by hierarchy of keys Growth in cloud services and increasing data breaches require more stringent security measures HSMs provide increased security, trusted crypto processing and compliance with security regulations 4

How do they work? Provides security around keys layers of an onion (physical access, MofN, hierarchy of keys, electrical/physical tamper sensing) HSMs perform functions for applications - key generation, encryption and decryption, signing and verifying, hashing Application server sends instruction to HSM to process data using specific key that never leaves HSM Applications are integrated with HSMs via client running on server crypto function calls/instructions forwarded by client to HSM for execution 3 main Crypto APIs (libraries of functions for programming language used by application): PKCS#11 (C), Microsoft (CAPI/CNG), Java (JCE/JCA) 5

Who buys them? Governments National, Local, Regional orgs Banks, Financial Institutions and Payments Processors Utilities Telcos and Hosting providers Transportation Healthcare Education Retail Manufacturing Official Agencies PKI Providers Etc. 6

Types of HSMs - Applications General purpose (PKI etc.) optimised for asymmetric Payments (Banking and retail - issuing/processing of credit and debit cards); industry-specific function sets optimised for symmetric [Note: A bank may buy a general-purpose HSM for PKI, and a payments HSM for ATM transactions] Customisable (user can load their own functions, algorithms) 7

Applications that use HSMs PKI Webservers - SSL DNSSec Time stamping Document signing Database encryption Code signing epassports ID Cards Manufacturing SIM cards Smart metering & IoT 8

Types of HSMs - Physical PCI card Network-attached, shared HSM Stand-alone, dedicated HSMs for one application (e.g. Root CA can be taken offline) Smart cards (origin of PKCS#11 standard) USB tokens (smart card on USB form factor) 9

Features required in HSMs Certification Ease of use High availability/load balancing Monitoring Auditing (for regulations) Secure backup Secure link to app server client Full suite of algorithms and key lengths (inc ECC) Documented integrations Partitioning separate virtual HSMs in one device for different users Ability to control key lifecycle according to corporate policy (creation / use / deletion) 10

Policies & procedures More important than the HSM itself is how it is managed and controlled: Secure location Multiple people required to authenticate (M of N) Separation of duties Protection of smart cards/pins/backup media Documentation and labelling Agreed roles and duties Security Officer, Compliance Officer, Auditor Security consultants often advise on best practices and develop policy documents. All relevant parties to agree, understand and sign off on their duties. 11

Managed HSMs Cloud SaaS/IaaS/PaaS use is now commonplace Challenge: should I trust my cloud provider to host my HSMs and manage my cryptographic keys? Are they cryptography specialists? Can they properly separate and control key splits? Are multi-person controls or my specific Key Management Policies complied with? How and where will they host the HSMs? Can I be sure I still have control? Do they have access to my keys? If they cannot offer you HSM services or their HSM services will not meet your requirements of security or management, then Trustis, through our Cryptography-as-a-Service, provides HSM hosting, HSMs on Demand and Key Management services 12

Cloud HSM architecture 13

About Trustis For over 15 years, Trustis has specialised in cryptographic solutions that include large-scale PKIs, managed HSMs, Identity Federation, as well as security policy and compliance. We serve both the public and private sectors in the UK and around the world and have been a G-Cloud supplier since its inception. Trustis services comply with ISO 27001:2013 as well as tscheme and are ETSI Certified. A product-independent approach ensures that customers get the best solution to meet their requirements. Recent projects include public sector networks, 4G security in telecoms, smart grid and metering rollouts, payment systems in banking and epassport PKIs. 14

Contact details Trustis Commercial Contact: Robert Hann robert.hann@trustis.com +44 (0) 7818 552411 Trustis Limited Building 273, Greenham Business Park, Thatcham, RG19 6HN +44 (0) 1635 231361 info@trustis.com www.trustis.com 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback