Hardware security module

from Wikipedia, the free encyclopedia
An nCipher nShield F3 Hardware Security Module in PCIe form
FIPS 140-2 Level 4 certified internal PCIe HSM adapter

A hardware security module (HSM) is an internal or external peripheral device for the efficient and secure execution of cryptographic operations or applications. This makes it possible, for example, to ensure the trustworthiness and integrity of data and the associated information in business-critical IT systems. To guarantee trustworthiness, it may be necessary to protect the cryptographic keys in use both against software-based attacks and against physical or side-channel attacks.


Older Luna HSMs in PCMCIA format

Various cryptographic algorithms can be implemented in an HSM:

HSMs usually offer extensive functions for the secure management of the device and the keys. Examples are the authentication of operators and administrators using hardware tokens (e.g. chip cards or security tokens), access protection based on the multiple-eyes principle (k out of n people required), encrypted backup of keys and configuration data, and secure cloning of the HSM.


A Trusted Platform Module (TPM) primarily stores keys derived from IT systems and people. Its typical area of application is the protection of security-relevant information in smaller IT systems (e.g. PCs, notebooks, printers, network components, cars and other things).

A high-level security module (HLSM) is designed for particularly valuable security-relevant information (master keys, keys of global importance, etc.) and for very high performance requirements. The areas of application are typically security components for larger IT systems in a high security environment.

Areas of application

Possible areas of application for an HSM are:

  • Creation of personalization data for the production of debit cards (e.g. Maestro card) and credit cards (e.g. MasterCard, Visa, American Express, Diners) as well as identification documents with chip technology (e.g. identity cards, driver's licenses, passports)
  • Security processor in networks of payment service providers
  • Secure PIN letter creation
  • Transaction security in toll systems
  • Timestamp services
  • Signature server
  • Archiving systems
  • Certification authority (as part of a PKI)
  • Email security according to the S/MIME standard or PGP
  • E-tickets
  • DNS security at DENIC


As a rule, HSMs are certified according to security standards such as FIPS 140-1 and 140-2, DK (Die Deutsche Kreditwirtschaft) or Common Criteria (CC). The CC protection profile CWA 14167-2 was specially developed for HSMs that are used by certification service providers to generate digital signatures.


  • Norbert Pohlmann: Cyber security: The textbook for concepts, principles, mechanisms, architectures and properties of cyber security systems in digitization. Springer Vieweg, September 2019, ISBN 3658253975 (pages 101–114)
