Hardware security module...what to consider?

Networking/Security Forums -> Cryptographic Software and Hardware

Author: pancilobak PostPosted: Tue Sep 25, 2007 9:10 am    Post subject: Hardware security module...what to consider?
    ----
Hi all,

I was given task by my boss to purchase a hardware security module. We are working on PKI system and would like a hardware protection for keys. Well this is our first time working on it and I am quite blur on what criteria I should consider when purchasing a HSM.

I googled for sometime and found some vendors:
http://www.ncipher.com/cryptographic_hardware/hardware_security_modules/

http://www.safenet-inc.com/

http://www.aepnetworks.com/products/key_management/keyper/overview.htm

I was trying to understand but then i just got lost....

Author: Fracker PostPosted: Fri May 02, 2008 12:47 pm    Post subject:
    ----
In my organization they are used for protection of PIN. And we are using Thales for this purpose.

Organizations Manufacturing HSMs

* AEP Keyper FIPS Level 4 HSM - AEP Keyper FIPS Level 4 HSM
* Atalla Security Products of HP A8150 A9150 A10150 FIPS 140-2 Level Three Validation
* ARX (Algorithmic Research) - PrivateServer HSM, FIPS 140-2 Level 3 Validated
* Banksys DEP - Banksys DEP
* Bull - CRYPT2Pay
* Crypto Accelerator 6000 - Sun
* ERACOM (now a SafeNet subsidiary - CSA8000, protectserver orange,...
* Futurex Hardware Security Modules - SSP Series HSM, RMC9000 HSM
* Ingrian Networks - Ingrian DataSecure Appliances, Ingrian KeySecure Appliances and Ingrian EdgeSecure Appliances
* IBM - 4764 FIPS 140-2 Level 4 (superseding 4758)
* nCipher - netHSM, miniHSM, nShield, nForce
* REALSEC - Cryptosec 2048
* SafeNet - Luna SA, Luna CA (CC EAL4+), Luna SP, Luna PCI, Luna PCM, ProtectServer Gold, ProtectServer External, ProtectHost White, ProtectHost EFT
* Smart Card Technology Inc.SPK2032 Smart Key/Smart Disc
* Thales e-Security - HSM 8000, P3 Crypto Module, WebSentry, SafeSign Crypto Module
* Utimaco - SafeGuard CryptoServer
* xyzmo - xyzmo seal server
* True Access - Net D-Fence ST/XR

From: http://en.wikipedia.org/wiki/Hardware_Security_Module

But Thales HSM 8000 is High end product which go upto 1 million transactions per minute

Author: Fracker PostPosted: Fri May 02, 2008 1:06 pm    Post subject:
    ----
I don't know you can use HSM for PKI or not, as i feel these machines are very expensive, and just for this Job it would be use less. This machine normally used at Highly security zones such as Agencies, bank or any other financial institute (where security mater most)

Why not you use Microsft CAPI or Linux for this purpose, and also there are many cheaper device available for this purpose.

Author: Fire AntLocation: London PostPosted: Fri Jun 27, 2008 12:38 pm    Post subject:
    ----
Hmmm sounds like you haven't defined your objectives. I have used HSMs extensively in PKI projects for financial institutions and government and IMO by far nCipher are the best in the market.

You have to consider how you plan to communicate withy the device. Are you going to use 3rd party software or are you going to code something which uses the supplied PKCS#11 library.

You could always consider using a software key store such as the Java Keystore or any number of providers.

Unless there are any reglatory\legal or performance requirements I would consider a software solution. A hardware solution is likely to cost at least 7K for something suitable and more if you need something beefy.

PM me if you want to know anything else.

Author: Thomas Brandtstaetter PostPosted: Sat Sep 27, 2008 3:17 pm    Post subject:
    ----
Hi,

I am a bit confused regarding the performance measures you posted here:

According to: http://www.thales-esecurity.com/productsservices/HSM8000.shtml

------------------
The HSM 8000 range offers a range of performance options up to 800tps (PIN block translates per second)....
------------------

A PIN Block Translate Function is not the complete story covering a transaction, depending on what you define a transaction to be, of course.

A typical electronic funds transaction (based on ISO 8583) might need additional MAC Calculations and Key Derivations, which would mean that 800 tps would have to be recalculated in top.

Maybe I missed something reading through the Thales Specs, but 1 Millionen Transactions per minute seems a bit high.





Fracker wrote:
In my organization they are used for protection of PIN. And we are using Thales for this purpose.

Organizations Manufacturing HSMs

* AEP Keyper FIPS Level 4 HSM - AEP Keyper FIPS Level 4 HSM
* Atalla Security Products of HP A8150 A9150 A10150 FIPS 140-2 Level Three Validation
* ARX (Algorithmic Research) - PrivateServer HSM, FIPS 140-2 Level 3 Validated
* Banksys DEP - Banksys DEP
* Bull - CRYPT2Pay
* Crypto Accelerator 6000 - Sun
* ERACOM (now a SafeNet subsidiary - CSA8000, protectserver orange,...
* Futurex Hardware Security Modules - SSP Series HSM, RMC9000 HSM
* Ingrian Networks - Ingrian DataSecure Appliances, Ingrian KeySecure Appliances and Ingrian EdgeSecure Appliances
* IBM - 4764 FIPS 140-2 Level 4 (superseding 4758)
* nCipher - netHSM, miniHSM, nShield, nForce
* REALSEC - Cryptosec 2048
* SafeNet - Luna SA, Luna CA (CC EAL4+), Luna SP, Luna PCI, Luna PCM, ProtectServer Gold, ProtectServer External, ProtectHost White, ProtectHost EFT
* Smart Card Technology Inc.SPK2032 Smart Key/Smart Disc
* Thales e-Security - HSM 8000, P3 Crypto Module, WebSentry, SafeSign Crypto Module
* Utimaco - SafeGuard CryptoServer
* xyzmo - xyzmo seal server
* True Access - Net D-Fence ST/XR

From: http://en.wikipedia.org/wiki/Hardware_Security_Module

But Thales HSM 8000 is High end product which go upto 1 million transactions per minute

Author: Thomas Brandtstaetter PostPosted: Sat Sep 27, 2008 3:44 pm    Post subject: HSMs - what are the metrics for telling which is the best ??
    ----
Regarding "being the best" I would like to add a bit of a scope here.

What are the metrics for defining this?

- is the manufacturer and his market stability brought into consideration here? I know of purchasing departments, that are pretty fed up with all those mergers & aquisitions taking place in the security solutions business (meaning also HSM manufacturers). If you read the press carefully, you will find, that there is hardly any sustainability in the HSM market today (I study and survey that for over 20 years). Consider that some HSM integrations (not all, but the ones that companies earn real big revenues with) have to last for over 10 years (not thinking about systems that have to secure day for 40-80 years...). Once a system is setup & certified for production, you will hardly be in a position of reworking the supplies.

- is the certification level a subject? I know that only few HSM manufacturers offer FIPS 140-2 L4 and that level is crucial for achieving the highest proof for a cryptographic subsystem, in order to guarantee a longterm security provisioning for cryptographic key material.

- what kind of API is measured here? Is it a pure functional Crypto-API, or does it provide strong Key-Separation along with its key-management functions? PKCS#11 for instance does not cover standards from the Financial Industry. PKI objectives are not the complete story on applied cryptography in todays markets.

- are you able to migrate the application and the crypto-API when your business grows far beyond anticipation and your ISO27001 Risk Management leads you towards IBM Mainframes, in order to satisfy your shareholders? I know about the discussion on Mainframes, but I also know of reports that analysed the origins of Data being on the internet talking about approx. 60% of the Internet Data origination from mainframes.

- does the manufacturer guarantee 24/7 and at which price will you receive a reaction time of 2 hours (worldwide in 170 countries)

- will the manufacturer backup the risks of product failures? Imagine a Fortune500 company being down for 4-8 hours, because of an HSM failure. The loss will surely be propagated along the liability chain.

I might add some more arguments here, but I just wanted to make a point basically: the HSM dicussion is all about requirements (functional and non-functional) and from my perspective, applied crypto has just shifted problems from "regular" IT boundaries to another Risk-encapsulation.

If there is interest, I would enjoy exchanging thoughts here and elsewhere. My personal involvement is shifting towards something I would call "Open Security Management Board" which would adress the complexity cloud of today crypto-business applied to realworld solutions.

Motivation: The world is too beautiful, to close our eyes while risks a growing exponential.

matt_s wrote:
Hmmm sounds like you haven't defined your objectives. I have used HSMs extensively in PKI projects for financial institutions and government and IMO by far nCipher are the best in the market.

You have to consider how you plan to communicate withy the device. Are you going to use 3rd party software or are you going to code something which uses the supplied PKCS#11 library.

You could always consider using a software key store such as the Java Keystore or any number of providers.

Unless there are any reglatory\legal or performance requirements I would consider a software solution. A hardware solution is likely to cost at least 7K for something suitable and more if you need something beefy.

PM me if you want to know anything else.

Author: woby_32 PostPosted: Tue Dec 23, 2008 5:44 pm    Post subject: Help in choosing an HSM for PKI projects
    ----
Hi pancilobak,

I would definitely recommend using an HSM in your PKI to protect the root keys as well as the signing keys of subordinate CAs (also for OCSP responders if you're planning to use them). This gives you two advantages: First, you don't have the keys lying around on the hard disk. You don't want domain administrators to have access to the keys because this would undermine the security. Also, remember that the disk is likely to be backed up, so the keys will proliferate. You may not pass your next security audit as a result. Second, you add a separation of duties and a missile-silo principle, where you can ensure that a certain quorum of people have to be present for critical key usage - also important for the security auditors.

The Thales HSMs are more geared towards the payments sector and don't really work that well in a PKI environment. The top vendors for PKI projects are definitely nCipher and SafeNet, although I prefer nCipher HSMs for their manageability and running costs. I got burnt in one project where SafeNet nickle-and-dimed me for the backup media in one project where I hadn't budget for it.

If you're using a Microsoft PKI based on 2008, I would tend to go for nCipher because Microsoft certified them to work on that platform. On the other hand, SafeNet offers up to 7,000 signing operations per second (nCipher offers 6,000), but I'm not sure if you're planning to issue that many certificates or OCSP requests per second - likely not.

The industry seems to go strongly for network-attached devices rather than dedicated ones using the internal PCI or PCI Express bus. I would check out the network attached ones because they also allow for better high-availability / disaster recovery than the other ones.

Hope this helps...

Author: Futurex PostPosted: Mon Jun 15, 2009 9:45 pm    Post subject:
    ----
As was mentioned earlier, audit compliance is an absolutely critical consideration to make when implementing any sort of HSM. In a number of situations, standards requirements (ANSI x9.24, PCI-DSS, FIPS, et cetera) will prevent software solutions from being an option.

Once the primary qualifications (standards-compliance and ability to perform the needed functions) for the HSM are met, there are a few other elements that are important to thoroughly examine. Thomas Brandtstaetter mentioned virtually all of them, but there are two worth elaborating on:

- Longevity: technical standards for data security and encryption are constantly changing, and solid, regular updates are needed to keep up with this. If you plan to use this HSM for as long as possible before upgrading the physical hardware, your best bet will be to go with a vendor with a proven, solid track record of continuing support. Check with the device manufacturers you are considering to see if they ensure that they will provide continuing support and that their devices (from a firmware standpoint, at least) will remain standards-compliant over a reasonable amount of time. Nobody wants to make a major investment and be left in the dust when the next year’s model is rolled out.

- Consulting and associated services: this goes along with support (response time and availability in that category is another important consideration) and can be a great help for planning system design and finding out what exactly is best for your organization’s unique needs. Using websites and sales sheets are great to get an overview of a company’s products, but nothing can substitute for talking with an actual person and discussing your situation with them. Crafting a custom solution will ensure that your purchase fits your needs as much as is possible.

Feel free to PM me if you would like elaboration on any of these points.

Thanks,

Adam
Solutions Architect Associate, Futurex
http://www.futurex.com

Author: benzfire PostPosted: Wed Jul 08, 2009 6:21 am    Post subject:
    ----
Really depends on the requirements of your organization. Most corporations shop for HSMs mainly for purpose of regulatory compliance. If NIST FIPS 140-2 is your target, check the baseline level you are targeting at (1 to 4). Levels 3 and 4 are mostly achievable by only hardware modules (AEP, HP Atalla, Safenet, Thales, Sun, IBM, etc). Levels 1 and 2 for software (RSA, Oracle, Checkpoint, Bloombase, Microsoft, etc). Ideally you shop for AEP and Atalla, your boss would smile b'cos they are validated on level 4 which is the highest level you can get for 140-2 on all areas from physical security, access control, crypto algorithms, etc, assume your boss has that much money to burn. However, saying 140-2 at which level can be quite misleading 'coz only when you run your crypto modules in that interesting FIPS-mode would give you the security level which are well documented in their security profile document. That said, if you deploy AEP but you don't operate in FIPS mode or simply in management's perspective or you don't protect your HSM from being turned to non-FIPS mode from the outside, it won't be as secure as it's certified. Reason why vendor products come with FIPS and non FIPS mode, you follow he security policy, it's like even Windows is bad, you follow the protection policy of its common criteria cert, under FIPS or EAL, you are secure, if not, you're not. So there is no such kind of product to be most secure or best, it highly depends if your IT infrastructure, people management, etc can fit in, you get Atalla and you configure your Atalla in FIPS mode but your Atalla is managed by an outsourced contractor holding the admin pin, it's still not secure. So it's wise to check your requirements before you get into what products to go for, if you're saying to protect a root CA key or so, an economic way to get started at might be to get a Gemalto smart token/card. But if u're saying it's an SSL cert and you're protecting your web HTTPS with that cert, it's better you get an SSL accelerator card such as Sun Crypto 6000.

Author: Sam81 PostPosted: Tue Feb 02, 2010 3:11 pm    Post subject: Hsm
    ----
Hi
due to our corporation development (Banking Corporation) I need
to implement HSM to our API.
I have got few questions and look forward for your reply.

1. How can implement my DB2 tablespace into HSM for secure key generation
2. what are the ways to implement DB2 into HSM and PKI generation

Appreciate your cooperation in advance.

Author: jaseinsa PostPosted: Tue Feb 02, 2010 10:51 pm    Post subject: Re: Hsm
    ----
It depends on what you are trying to generate/store. Are you generating symmetric keys (3DES, etc) or asymmetric (RSA, etc)?

Typically with an HSM, those keys are protected by a "master" key that is internal to the HSM and you only get an encrypted key. That encrypted key is then used to do other functions (encrypt/decrypt, sign, verify, etc).

Hope that helps!

Author: rabbashanks PostPosted: Thu Nov 25, 2010 1:29 pm    Post subject: PIN decryption
    ----
Hi

I work for a small payment card issuing company. We run various payment programs under the mastercard and visa brands. Currently we contract with a third party to distribute PINs to our customers, but we would like to bring this in-house.

To do this we need a FIPS level 3 HSM, in order to comply with PCI / MC / Visa requirements. Basically we will retrieve the encrypted PIN block from our processor, and we need to use the HSM to decrypt it so we can give it to the customer.

Obviously I can just go out and buy a Thales or similar, but they are very expensive, and really what we are doing is very simple.

My question is - could I do this with any simple / cheap FIPS level 3 device with a PKCS#11 interface? Eg one of these: https://www.ironkey.com/enterprise

Or does decrypting PIN blocks require hardware specifically designed for this purpose? I believe PIN blocks are usually encrypted to the ISO 9564 standard.



Networking/Security Forums -> Cryptographic Software and Hardware


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group