Hardware security module

The term hardware security module ( HSM) or English Hardware Security Module refers to a ( internal or external ) peripheral for the efficient and safe execution of cryptographic operations or applications. This allows, for example, ensure the trustworthiness and integrity of data and the associated information in mission-critical IT systems. To ensure trustworthiness, it may be necessary to protect the next to use cryptographic keys to both software engineering as well as against physical attacks and side-channel attacks.

Functions

In an HSM various cryptographic algorithms can be implemented:

  • Asymmetric cryptosystems, such as RSA (encryption or signature), ECDSA, Diffie -Hellman key exchange, elliptic curve cryptography
  • Symmetric encryption and decryption: AES, DES, Triple -DES, IDEA
  • Cryptologic hash functions: SHA -1
  • Generation of random numbers, keys and PINs ( both physically as well as deterministic)

HSMs provide the most comprehensive features for safe management of the device and the key. Examples include the authentication of operators and administrators by hardware token (eg, smart card or security token ), access protection in multi -eyes principle (k required of n people), encrypted backup of the keys and configuration data safe cloning of the HSM.

Areas of application

Possible applications of HSM are:

  • Creation of personalization data for the production of debit (eg Maestro card) and credit cards ( including MasterCard, Visa, American Express, Diners ) and identification documents with chip technology (eg identity cards, driving licenses, passports )
  • Security processor in networks, the payment service
  • Secure PIN letter generation
  • Transaction security in toll systems
  • Time -stamping services
  • Signature server
  • Archiving systems
  • Certification body (in the context of a PKI )
  • E -mail security by S / MIME or PGP standard
  • E- tickets

Certification

Usually HSM are certified to safety standards, such as FIPS 140-1 and 140-2, DK ( The German banking industry ) or Common Criteria (CC). Especially for HSMs that are used by certification service providers for the generation of digital signatures, the CC Protection Profile CWA 14167-2 was developed.

Public-key cryptography Digital Signature Algorithm Advanced Encryption Standard International Data Encryption Algorithm Security-Token Maestro (debit card) Electronic ticket Federal Information Processing Standards
375517
de