Hardware security module
The term hardware security module or hardware security module ( HSM ) denotes an internal or external peripheral device for the efficient and secure execution of cryptographic operations or applications. This makes it possible, for example, to ensure the trustworthiness and integrity of data and the associated information in business-critical IT systems. In order to guarantee trustworthiness, it may be necessary to protect the cryptographic keys used both in terms of software and against physical attacks or side-channel attacks.
Functions
Various cryptographic algorithms can be implemented in an HSM :
- Asymmetric cryptosystems , e.g. B. RSA (encryption or signature), ECDSA , Diffie-Hellman key exchange , Elliptic Curve Cryptography
- Symmetrical encryption and decryption : AES , DES , Triple-DES, IDEA
- Cryptographic hash functions : SHA-1
- Generation of random numbers, keys and PINs (both physical and deterministic )
HSMs usually offer extensive functions for the secure management of the device and the keys. Examples are the authentication of operators and administrators using hardware tokens (e.g. chip cards or security tokens ), access protection based on the multiple eyes principle (k out of n people required), encrypted backup of keys and configuration data, and secure cloning of the HSM .
Modules
Trusted Platform Module (TPM) primarily stores keys derived from IT systems and people. The area of application is typically the security of security-relevant information for smaller IT systems (e.g. PCs, notebooks, printers, network components, cars and other things).
A high-level security module (HLSM) is designed for particularly valuable security-relevant information (master keys, keys of global importance, etc.) and for very high performance requirements. The areas of application are typically security components for larger IT systems in a high security environment.
Areas of application
Possible areas of application for an HSM are:
- Creation of personalization data for the production of debit (e.g. Maestro card ) and credit cards (e.g. MasterCard, Visa, American Express, Diners) as well as identification documents with chip technology (e.g. identity cards, driver's licenses, passports)
- Security processor in networks of payment service providers
- Secure PIN letter creation
- Transaction security in toll systems
- Timestamp services
- Signature server
- Archiving systems
- Certification authority (as part of a PKI )
- Email security according to S / MIME standard or PGP
- E-tickets
- DNS security at denic
Certification
As a rule, HSMs are certified according to security standards, such as B. FIPS 140-1 and 140-2, DK ( Die Deutsche Kreditwirtschaft ) or Common Criteria (CC). The CC protection profile CWA 14167-2 was specially developed for HSMs that are used by certification service providers to generate digital signatures.
literature
- Norbert Pohlmann : Cyber security: The textbook for concepts, principles, mechanisms, architectures and properties of cyber security systems in digitization. Springer Vieweg, September 2019, ISBN 3658253975 (pages 101–114)
Web links
Individual evidence
- ↑ a b Norbert Pohlmann: Cyber security: the textbook for concepts, principles, mechanisms, architectures and properties of cyber security systems in digitization . Ed .: Springer Vieweg. Wiesbaden 2019, ISBN 3-658-25397-5 ( springer.com ).
- ↑ https://www.denic.de/aktuelles/news/artikel/dnssec-neue-hardware-neuer-schluessel/