A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.
Humans have tried to establish and maintain confidential lines of communication for millennia, rarely with enduring success. During World War II governments and military organizations invested heavily in encryption systems (cryptographic “defense”) and code breaking (cryptographic “offense”). However, civilian and commercial adoption of encryption systems lagged considerably, in large part due to legal and regulatory constraints. As global trade and the financial industry flourished after World War II, and as national economic security became more strategic, commercial exploitation of strong encryption emerged as a national imperative in the United States and in several other countries.
The first hardware security module (HSM) was invented by Egyptian engineer Mohamed Atalla (anglicized to Martin “John” M. Atalla) in 1972. He invented a high security module dubbed the “Atalla Box” which encrypted PIN and ATM messages, and protected offline devices with an un-guessable PIN-generating key. In 1972, Atalla filed U.S. Patent 3,938,091, which described a PIN system with an encoded card reader and which utilized encryption techniques to assure telephone link security while entering personal ID information that was transmitted to a remote location for verification.
He founded Atalla Corporation (now Utimaco Atalla) in 1972, and commercially launched the “Atalla Box” the following year in 1973, officially as the Identikey system. It was a card reader and customer identification system, providing a terminal with plastic card and PIN capabilities. The system was designed to let banks and thrift institutions switch to a plastic card environment from a passbook program. The Identikey system consisted of a card reader console, two customer PIN pads, an intelligent controller and a built-in electronic interface package. The device consisted of two keypads, one for the customer and one for the teller. It allowed the customer to type in a secret code, which was transformed by the device, using a microprocessor, into another code for the teller. During a transaction, the customer’s account number was read by the card reader. This process replaced manual entry and avoided possible keystroke errors. It allowed users to replace traditional customer verification methods such as signature verification and test questions with a secure PIN system. It was a success, and led to the wide use of high security modules.
A key innovation of the Atalla Box was the key block, which is required to securely interchange symmetric keys or PINs with other actors of the banking industry. This secure interchange is performed using the Atalla Key Block (AKB) format, which lies at the root of all cryptographic block formats used within the Payment Card Industry Data Security Standard (PCI DSS) and American National Standards Institute (ANSI) standards.
At the National Association of Mutual Savings Banks (NAMSB) conference in January 1976, Atalla unveiled an upgrade to its Identikey system, called the Interchange Identikey. It added the capabilities of processing online transactions and dealing with network security. Designed with the focus of taking bank transactions online, the Identikey system was extended to shared-facility operations. It was consistent and compatible with various switching networks, and was capable of resetting itself electronically to any one of 64,000 irreversible nonlinear algorithms as directed by card data information. The Interchange Identikey device was released in March 1976. Later in 1979, Atalla introduced the first network security processor (NSP).
Fearful that Atalla would dominate the market, banks and credit card companies began working on an international standard in the 1970s. The IBM 3624, launched in the late 1970s, adopted a similar PIN verification process to the earlier Atalla system. Atalla was an early competitor to IBM in the banking market.
The U.S. National Bureau of Standards (NBS) sponsored a standardization process for cryptographic algorithms to be available for civilian use. IBM submitted its Data Encryption Standard (DES) on a royalty free basis for the NBS’s consideration (and U.S. National Security Agency review), and the U.S. declared DES the U.S. commercial symmetric-key encryption algorithm standard in 1977. Within the same year IBM introduced the IBM 3845, the first generally commercially available (i.e. civilian) HSM that was directly attached (via IBM’s channel I/O architecture) to general purpose IBM computers, including IBM mainframes. The IBM 3845 included secure key entry devices (cards and PIN pads) for master key loading, random number generation capabilities for seeding, and persistent storage for key materials. IBM introduced enabling software, notably a predecessor to IBM’s Integrated Cryptographic Service Facility (ICSF), to allow application programmers to take advantage of the HSM’s services. The IBM 3845 helped launch and secure modern electronic banking, such as national and international Automatic Teller Machine (ATM) and payment card networks. IBM quickly introduced a second generation IBM 3845 HSM that supported both DES and TDES. Other vendors then also introduced various HSMs, also based initially on DES then TDES.
HSMs have continued to evolve and improve ever since. Modern IBM HSMs still broadly resemble the IBM 3845’s basic architecture: direct attachment (typically now via dedicated network or bus attachment, sometimes with the HSM embedded), some level of tamper protection (or at least tamper evident packaging) in varying degrees and certification levels, some mechanism for loading and managing key materials with varying levels of trust, random number generation capabilities, persistent storage, and software features (drivers, libraries, etc.) to access the HSM’s services from both general purpose and specialized computing environments, including transaction processing systems.
The Atalla Box protected over 90% of all ATM networks in operation as of 1998, and secured 85% of all ATM transactions worldwide as of 2006. Atalla’s HSM products protect 250 million card transactions every day as of 2013, and still secure the majority of the world’s ATM transactions as of 2014.
HSMs may have features that provide tamper evidence such as visible signs of tampering or logging and alerting, or tamper resistance which makes tampering difficult without making the HSM inoperable, or tamper responsiveness such as deleting keys upon tamper detection. Each module contains one or more secure cryptoprocessor chips to prevent tampering and bus probing, or a combination of chips in a module that is protected by the tamper evident, tamper resistant, or tamper responsive packaging.
Many HSM systems have means to securely back up the keys they handle outside of the HSM. Keys may be backed up in wrapped form and stored on a computer disk or other media, or externally using a secure portable device like a smartcard or some other security token.
Because HSMs are often part of a mission-critical infrastructure such as a public key infrastructure or online banking application, HSMs can typically be clustered for high availability and performance. Some HSMs feature dual power supplies and field replaceable components such as cooling fans to conform to the high-availability requirements of data center environments and to enable business continuity.
A few of the HSMs available in the market have the ability to execute specially developed modules within the HSM’s secure enclosure. Such an ability is useful, for example, in cases where special algorithms or business logic have to be executed in a secured and controlled environment. The modules can be developed in native C language, in .NET, Java, or other programming languages. While providing the benefit of securing application-specific code, these execution engines protect the status of an HSM’s FIPS or Common Criteria validation.
Due to the critical role they play in securing applications and infrastructure, HSMs and/or the cryptographic modules are typically certified to internationally recognized standards such as Common Criteria or FIPS 140 to provide users with independent assurance that the design and implementation of the product and cryptographic algorithms are sound. The highest level of FIPS 140 security certification attainable is Security Level 4 (Overall), to which only one HSM has been successfully validated as of August 2018. When used in financial payments applications, the security of an HSM is often validated against the HSM requirements defined by the Payment Card Industry Security Standards Council.
A hardware security module can be employed in any application that uses digital keys. Typically the keys must be of high-value – meaning there would be a significant, negative impact to the owner of the key if it were compromised.
The functions of an HSM are:
- onboard secure cryptographic key generation
- onboard secure cryptographic key storage, at least for the top level and most sensitive keys, which are often called master keys
- key management
- use of cryptographic and sensitive data material, for example, performing encryption or digital signature functions
- offloading application servers for complete asymmetric and symmetric cryptography.
HSMs are also deployed to manage Transparent Data Encryption keys for databases and keys for storage devices such as disk or tape.
HSMs provide both logical and physical protection of these materials, including cryptographic keys, from disclosure, non-authorized use, and potential adversaries.
HSMs support both symmetric and asymmetric (public-key) cryptography. For some applications, such as certificate authorities and digital signing, the cryptographic material is asymmetric key pairs (and certificates) used in public-key cryptography. With other applications, such as data encryption or financial payment systems, the cryptographic material consists mainly of symmetric keys.
Some HSM systems are also hardware cryptographic accelerators. They usually cannot beat the performance of hardware-only solutions for symmetric key operations. However, with performance ranging from 1 to 10,000 1024-bit RSA signatures per second, HSMs can provide significant CPU offload for asymmetric key operations. Because the National Institute of Standards and Technology (NIST) has recommended the use of 2,048-bit RSA keys from 2010 onward, performance at longer key sizes is becoming increasingly important. To address this issue, some HSMs now support elliptic curve cryptography (ECC), which delivers stronger encryption with shorter key lengths.
PKI environment (CA HSMs)
In PKI environments, the HSMs may be used by certification authorities (CAs) and registration authorities (RAs) to generate, store, and handle asymmetric key pairs. In these cases, there are some fundamental features a device must have, namely:
- Logical and physical high-level protection
- Multi-part user authorization schema (see Blakley-Shamir secret sharing)
- Full audit and log traces
- Secure key backup
On the other hand, device performance in a PKI environment is generally less important, in both online and offline operations, as Registration Authority procedures represent the performance bottleneck of the Infrastructure.
Card payment system HSMs (bank HSMs)
Specialized HSMs are used in the payment card industry. HSMs support both general-purpose functions and specialized functions required to process transactions and comply with industry standards. They normally do not feature a standard API.
Typical applications are transaction authorisation and payment card personalisation, requiring functions such as:
- verify that a user-entered PIN matches the reference PIN known to the card issuer
- in conjunction with an ATM controller or POS terminal, verify credit/debit card transactions by checking card security codes or by performing host processing components of an EMV based transaction
- support a crypto-API with a smart card (such as an EMV)
- re-encrypt a PIN block to send it to another authorisation host
- perform secure key management
- support a protocol of POS ATM network management
- support de facto standards of host-host key | data exchange API
- generate and print a “PIN mailer”
- generate data for a magnetic stripe card (PVV, CVV)
- generate a card keyset and support the personalisation process for smart cards
The major organizations that produce and maintain standards for HSMs on the banking market are the Payment Card Industry Security Standards Council, ANS X9, and ISO.
SSL connection establishment
Performance-critical applications that have to use HTTPS (SSL/TLS) can benefit from the use of an SSL acceleration HSM by moving the RSA operations, which typically require several large integer multiplications, from the host CPU to the HSM device. Typical HSM devices can perform about 1 to 10,000 1024-bit RSA operations per second. Performance at longer key sizes is becoming increasingly important. To address this issue, some HSMs now support elliptic curve cryptography. Specialized HSM devices can reach numbers as high as 20,000 operations per second.
An increasing number of registries use HSMs to store the key material that is used to sign large zonefiles. An open source tool for managing signing of DNS zone files using HSM is OpenDNSSEC.
On January 27, 2007 deployment of DNSSEC for the root zone officially started; it was undertaken by ICANN and Verisign, with support from the U.S. Department of Commerce. Details of the root signature can be found on the Root DNSSEC’s website.
An actual bitcoin transaction from a web based cryptocurrency exchange to a hardware wallet (HSM).
A hardware cryptocurrency wallet is an HSM in the form of a portable device.