What is a Hardware Security Module?
A Hardware Security Module (or HSM) is a physical device that safeguards and manages cryptographic keys.
Before getting into the technical details, it is important to understand why keys, and in particular private keys, need to be well protected.
Let’s use the real world example of a company that issues scratch cards for pre-paid services like electricity or telephone services.
They use an asymmetric algorithm, i.e. a private key to issue (sign) the scratch code and a public key in the electricity meter or phone to authenticate that the code on the scratch card was issued by them.
If the server that generates the scratch codes is hacked and an attacker gets hold of the private key (possibly without the company's knowledge), the attacker can issue scratch cards and sell them on the black market, destroying the company's business model by the time the problem is noticed. The company can start using a new private key and replace the public keys on all the devices in the field - but at what cost?
This is where an HSM comes in. Even if a hacker obtains access to the signing server, the key itself is not exposed; and even if the hacker also obtains the HSM password, codes can only be issued while that server access lasts. Blocking the hacker from the server and changing the HSM password solves the problem at a much lower cost than updating all the devices in the field.
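The issuing and verification flow described above, as an added Go example that is not part of the original page or of the eHSM product: the issuing server holds only a crypto.Signer (the interface that HSM-backed keys are normally plugged into, so the issuing code is the same whether the key is in software or in a device), the meter holds only the public key, and the scenario shows a genuine card accepted, an altered card rejected, and the cost of key rotation: meters still carrying the old public key reject cards signed with the new key. The curve (P-256 instead of the eHSM's secp256k1, because P-256 is in the Go standard library), the card format and the code values are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ScratchCard is what the customer receives: the code plus the issuer's
// signature over it. The layout is constructed for this example.
type ScratchCard struct {
	Code      string
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Code)
}

// Issuer models the signing server. It holds only a crypto.Signer: with a
// software key that is an *ecdsa.PrivateKey; with an HSM it would be a
// signer backed by the device, and Issue() does not change. The raw private
// key never has to be present in this struct.
type Issuer struct {
	signer crypto.Signer
}

// Issue signs the SHA-256 digest of the code and returns the card.
func (is *Issuer) Issue(code string) (ScratchCard, error) {
	digest := sha256.Sum256([]byte(code))
	sig, err := is.signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return ScratchCard{}, err
	}
	return ScratchCard{Code: code, Signature: sig}, nil
}

// Meter models the device in the field. It carries only the public key,
// so compromising a meter reveals nothing that allows issuing cards.
type Meter struct {
	pub *ecdsa.PublicKey
}

// Accept reports whether the card was signed by the key this meter trusts.
func (m *Meter) Accept(c ScratchCard) bool {
	digest := sha256.Sum256([]byte(c.Code))
	return ecdsa.VerifyASN1(m.pub, digest[:], c.Signature)
}

// generateKey creates a P-256 key pair (assumption: the page's eHSM offers
// secp256k1; P-256 is used here because it is in the standard library).
func generateKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Outcome records the checks made by RunScenario.
type Outcome struct {
	GenuineAccepted     bool // card from the trusted key passes
	AlteredRejected     bool // changing the code invalidates the signature
	OldMeterRejectsNew  bool // after key rotation, un-updated meters fail
	UpdatedMeterAccepts bool // meters given the new public key pass
}

// RunScenario walks through the page's story: issue a card, verify it in
// the meter, attempt to alter it, then rotate the issuing key.
func RunScenario() Outcome {
	oldKey := generateKey()
	issuer := &Issuer{signer: oldKey}
	fieldMeter := &Meter{pub: &oldKey.PublicKey}

	card, err := issuer.Issue("ELEC-0001-7731") // constructed code value
	if err != nil {
		panic(err)
	}
	var out Outcome
	out.GenuineAccepted = fieldMeter.Accept(card)

	altered := card
	altered.Code = "ELEC-0001-7732" // same signature, different code
	out.AlteredRejected = !fieldMeter.Accept(altered)

	// Key rotation: the company's only recourse once the private key leaks.
	// Every meter in the field must learn the new public key.
	newKey := generateKey()
	issuer.signer = newKey
	newCard, err := issuer.Issue("ELEC-0002-4410")
	if err != nil {
		panic(err)
	}
	out.OldMeterRejectsNew = !fieldMeter.Accept(newCard)
	updatedMeter := &Meter{pub: &newKey.PublicKey}
	out.UpdatedMeterAccepts = updatedMeter.Accept(newCard)
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Because Issuer depends only on crypto.Signer, moving the key into an HSM means replacing the one line that constructs the signer; nothing that handles private key bytes exists in the issuing code to begin with, which is the property the text above relies on.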
HSMs like the eHSM provide a greater level of security: the key is never on the file system (or in the server's memory), and the device has no general-purpose operating system to hack. It also uses a secure element, tamper-resistant silicon similar to that used in a smart card, to protect sensitive master keys. Even if the device is stolen (which is more likely to be noticed than keys being copied from a file system), it is virtually impossible to extract the key data, and the device clears its internal storage when tampered with.
A general purpose HSM like eHSM can also be used to:
- Sign documents and emails
- Sign and encrypt files
- Protect web server keys
- Protect VPN keys (OpenVPN, Strong Swan)
- Sign executables
- Protect remote shell keys (SSH)
- Sign software activations (to enable certain features)
- Protect Certificate Authority root keys
- Bitcoin wallets (eHSM implements the secp256k1 Elliptic Curve algorithm)
- Protect GPG keys
- Hard disk encryption (with for example VeraCrypt)
- Manage keys in many custom applications