A Hardware Security Module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. HSMs are hardened, tamper-resistant hardware devices that strengthen encryption practices by generating keys, encrypting and decrypting data, and creating and verifying digital signatures. Some hardware security modules (HSMs) are certified at various FIPS 140-2 Levels.
HSMs traditionally come in the form of a plug-in card (SAM/SIM card) or an external device that attaches directly to a computer or network server.
HSMs may have features that provide tamper evidence such as visible signs of tampering or logging and alerting, or tamper resistance which makes tampering difficult without making the HSM inoperable, or tamper responsiveness such as deleting keys upon tamper detection. Each module contains one or more secure cryptoprocessor chips to prevent tampering and bus probing, or a combination of chips in a module that is protected by the tamper evident, tamper resistant, or tamper responsive packaging.
A vast majority of existing HSMs are designed mainly to manage secret keys. Many HSM systems have means to securely back up the keys they handle outside of the HSM. Keys may be backed up in wrapped form and stored on a computer disk or other media, or externally using a secure portable device like a smart card or some other security token.
Because HSMs are often part of a mission-critical infrastructure such as a public key infrastructure (PKI) or online banking application, HSMs can typically be clustered for high availability and performance. Some HSMs feature dual power supplies and field replaceable components such as cooling fans to conform to the high-availability requirements of data center environments and to enable business continuity.
Functions supported by HSMs include:
- Life-cycle management of cryptographic keys used to lock and unlock access to digitized information. Remember that the privacy strength of encrypted information is determined by the sophistication of the encryption algorithm and the security of the cryptographic keys. The most sophisticated encryption algorithm is compromised by weak cryptographic key security. Life-cycle management of cryptographic keys includes generation, distribution, rotation, storage, termination, and archival.
- Cryptographic processing, which produces the dual benefits of isolating and offloading cryptographic processing from application servers.
In use since the early 1990s, HSMs are available in two forms:
- Standalone network-attached appliances, and
- Hardware cards that plug into existing network-attached systems.
As the use of encryption to protect the confidentiality of digitized information has increased, partially driven by governmental regulations (e.g., eIDAS (electronic IDentification, Authentication and trust Services) for electronic transactions in the European Market, General Data Protection Regulation (GDPR) for the collection and processing of personal information, and Health Insurance Portability and Accountability Act (HIPAA) in the secure transport of health information over the Internet) and industry mandates (e.g., Payment Card Industry Data Security Standard, Requirements 3 and 4).
History
The hardware security module (HSM), a type of secure cryptoprocessor, was invented by Egyptian-American engineer Mohamed M. Atalla, in 1972. He invented a high security module dubbed the “Atalla Box” which encrypted PIN and ATM messages, and protected offline devices with an un-guessable PIN-generating key. In 1972, he filed a patent for the device. He founded Atalla Corporation (now Utimaco Atalla) that year, and commercialized the “Atalla Box” the following year, officially as the Identikey system. It was a card reader and customer identification system, consisting of a card reader console, two customer PIN pads, intelligent controller and built-in electronic interface package. It allowed the customer to type in a secret code, which is transformed by the device, using a microprocessor, into another code for the teller. During a transaction, the customer’s account number was read by the card reader. It was a success, and led to the wide use of high security modules.
Fearful that Atalla would dominate the market, banks and credit card companies began working on an international standard in the 1970s. The IBM 3624, launched in the late 1970s, adopted a similar PIN verification process to the earlier Atalla system. Atalla was an early competitor to IBM in the banking security market.
At the National Association of Mutual Savings Banks (NAMSB) conference in January 1976, Atalla unveiled an upgrade to its Identikey system, called the Interchange Identikey. It added the capabilities of processing online transactions and dealing with network security. Designed with the focus of taking bank transactions online, the Identikey system was extended to shared-facility operations. It was consistent and compatible with various switching networks, and was capable of resetting itself electronically to any one of 64,000 irreversible nonlinear algorithms as directed by card data information. The Interchange Identikey device was released in March 1976. Later in 1979, Atalla introduced the first network security processor (NSP). Atalla’s HSM products protect 250 million card transactions every day as of 2013, and secure the majority of the world’s ATM transactions as of 2014.