Hardware security module (HSM)
Physical computing device that safeguards and manages secrets (most importantly digital keys), performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions.[1] These modules traditionally come in the form of a plug-in card (so called internal HSM) or an external device that attaches directly to a computer or network server (so called network HSM). A hardware security module contains one or more secure cryptoprocessor chips.[2][3]
Design[edit]
HSMs may have features that provide tamper evidence such as visible signs of tampering or logging and alerting, or tamper resistance which makes tampering difficult without making the HSM inoperable, or tamper responsiveness such as deleting keys upon tamper detection.[4] Each module contains one or more secure cryptoprocessor chips to prevent tampering and bus probing, or a combination of chips in a module that is protected by the tamper evident, tamper resistant, or tamper responsive packaging. Some of the HSMs are also using secure multi-party computation to protect the keys they manage.[5] A vast majority of existing HSMs are designed mainly to manage secret keys. Many HSM systems have means to securely back up the keys they handle outside of the HSM. Keys may be backed up in wrapped form and stored on a computer disk or other media, or externally using a secure portable device like a smartcard or some other security token.[6]
HSMs are used for real time authorization and authentication in critical infrastructure thus are typically engineered to support standard high availability models including clustering, automated failover, and redundant field-replaceable components.
A few of the HSMs available in the market have the capability to execute specially developed modules within the HSM's secure enclosure. Such an ability is useful, for example, in cases where special algorithms or business logic has to be executed in a secured and controlled environment. The modules can be developed in native C language, .NET, Java, or other programming languages. Further, upcoming next-generation HSMs[7] can handle more complex tasks such as loading and running full operating systems and COTS software without requiring customization and reprogramming. Such unconventional designs overcome existing design and performance limitations of traditional HSMs while providing the benefit of securing application-specific code. These execution engines protect the status of an HSM's FIPS or Common Criteria validation.[8]
HSM main keys and functionalities:
1. **LMK (Local Master Key)**: The Local Master Key is a key used to encrypt other keys stored within the HSM. It is essential for the security of the HSM itself and is typically managed by the HSM administrator.
2. **ZMK (Zone Master Key)**: The Zone Master Key is a key used for encrypting and protecting other keys, usually at a higher level than LMK. It's often used for key exchange between systems or HSMs.
3. **ZPK (Zone PIN Encryption Key)**: The Zone PIN Encryption Key is used for encrypting and decrypting Personal Identification Numbers (PINs) during PIN verification processes in payment transactions.
4. **TPK (Terminal PIN Key)**: The Terminal PIN Key is used for encrypting PINs at the terminal level, typically for PIN pad devices.
5. **SMI (Static MAC Initialization Key)**: The Static MAC Initialization Key is used for generating Message Authentication Codes (MACs) in static mode, often used in ISO 8583 message formats for ensuring data integrity.
6. **SMC (Static MAC Check Key)**: The Static MAC Check Key is used for verifying Message Authentication Codes (MACs) generated using the Static MAC Initialization Key.
7. **CVV (Card Verification Value)**: The Card Verification Value is a security feature printed on payment cards or stored in their magnetic stripe or chip, used to verify that the card is physically present during a transaction. It's also known as CVC (Card Verification Code) or CVC2 (Card Verification Value Code).
8. **PVV (PIN Verification Value)**: The PIN Verification Value is a value calculated from the PIN and the PAN (Primary Account Number) used during PIN verification processes to ensure the PIN entered matches the one associated with the card.
Certainly, here's the description for CVK:
9.**CVK (Card Verification Key)**: The Card Verification Key is used in conjunction with the CVV (Card Verification Value) or CVC (Card Verification Code) to verify the authenticity of payment card transactions. It's typically derived from the issuer's master key or another secure key within the payment system. The CVK is used to generate or verify the CVV/CVC, which helps prevent fraudulent card-not-present transactions.
These keys play critical roles in securing payment transactions and ensuring the confidentiality, integrity, and authenticity of sensitive data within the payment ecosystem.
Card payment system HSMs (bank HSMs)[edit]
Specialized HSMs are used in the payment card industry. HSMs support both general-purpose functions and specialized functions required to process transactions and comply with industry standards. They normally do not feature a standard API.
Typical applications are transaction authorization and payment card personalization, requiring functions such as:
- verify that a user-entered PIN matches the reference PIN known to the card issuer
- verify credit/debit card transactions by checking card security codes or by performing host processing components of an EMV based transaction in conjunction with an ATM controller or POS terminal
- support a crypto-API with a smart card (such as an EMV)
- re-encrypt a PIN block to send it to another authorization host
- perform secure key management
- support a protocol of POS ATM network management
- support de facto standards of host-host key | data exchange API
- generate and print a "PIN mailer"
- generate data for a magnetic stripe card (PVV, CVV)
- generate a card keyset and support the personalization process for smart cards
The major organizations that produce and maintain standards for HSMs on the banking market are the Payment Card Industry Security Standards Council, ANS X9, and ISO.
SSL connection establishment[edit]
Performance-critical applications that have to use HTTPS (SSL/TLS), can benefit from the use of an SSL Acceleration HSM by moving the RSA operations, which typically requires several large integer multiplications, from the host CPU to the HSM device. Typical HSM devices can perform about 1 to 10,000 1024-bit RSA operations/second.[15][16] Some performance at longer key sizes is becoming increasingly important. Specialized HSM devices can reach numbers as high as 20,000 RSA operations per second.[17] To address this issue, some HSMs [18] now support ECC.
DNSSEC[edit]
An increasing number of registries use HSMs to store the key material that is used to sign large zonefiles. OpenDNSSEC is an open-source tool that manages signing DNS zone files.
On January 27, 2007, ICANN and Verisign, with support from the U.S. Department of Commerce, started deploying DNSSEC for DNS root zones.[19] Root signature details can be found on the Root DNSSEC's website.[20]
Blockchain and HSMs[edit]
Blockchain technology depends on cryptographic operations. Safeguarding private keys is essential to maintain the security of blockchain processes that utilize asymmetric cryptography.
The synergy between HSMs and blockchain is mentioned in several papers, emphasizing their role in securing private keys and verifying identity, e.g. in contexts such as blockchain-driven mobility solutions.[21][22] Cryptocurrency private keys can be stored in a cryptocurrency wallet on a HSM.[23]
Cryptographic operations performed by Fabric nodes in the Hyperledger framework support delegation to a Hardware Security Module.[24]
Client-side encryption with HSM[edit]
Cloud providers (eg. Google announced its client-side encryption solution in 2023) introduced different methods for allowing customer data stored on their servers to be encrypted (and decrypted) with HSM devices owned or controlled by the customer.
Reference https://en.wikipedia.org/wiki/Hardware_security_module
Please follow me for more jobs opening - https://www.linkedin.com/in/prashantppohare/
Banking Group- https://www.linkedin.com/groups/9809571/
JobGroup - https://www.linkedin.com/groups/9322201/
Blog - https://bankingpayments.blogspot.com/
VBLOG- https://www.youtube.com/@LoveBanking
#jobsbeanbag #lovebanking #bankingpayments
No comments:
Post a Comment