The Key Role of HSMs and Key Management in Secure Permissioned Blockchains for Banking and Payment Services - An Overview

Blockchains are ruled almost entirely by cryptographic mechanisms. These mechanisms mostly involve digital signatures & PKI, hashes, and key derivation.

In permissioned blockchains, the network effect is significantly lesser than in public networks. Besides permissioned blockchains do not use proof-of-work such as in the Bitcoin network or proof-of-stake such as found in Ethereum network and as such do not have the strong and inherent security behind these mechanisms.

By nature, permissioned networks are heavily dependent on cryptographic operations being done in a secure and safe way when used for financial institutions. They require banking-grade HSMs.

In what follows, we will present an overview of the key roles of HSMs in permissioned blockchains for banking & payment services.

Cryptographic Protocols Involved with Blockchains

There are no norms defining blockchains. Therefore, any blockchain implementation is free to pick up cryptographic algorithms that they want and for what they need.

Blockchains may use hash algorithms such as SHA-256 for the blockchain network. For example, Dagger-Hashimoto is used for the Ethereum network and ECDSA is used for Ripple-based networks. Additional hash algorithms include: 

  • X11
  • X13
  • CryptoNight hash
  • Scrypt hash
  • NXT
  • BLAKE256

Here we list the hashes and cipher suites supported by major permissioned blockchains frameworks:

FrameworkHashingSignature scheme
R3 Corda
  • Block hashing: SHA-256 
  • RSA+SHA256
  • ECDSA_SECP256K1+SHA256
  • ECDSA_SECP256R1+SHA256
  • EDDSA_ED25519+SHA512
  • SPHINCS-256+SHA512
Hyperledger Fabric
  • Block hashing: SHA3 SHAKE256 
  • ECDSA+SHA256
  • ECDSA+SHA384
  • ECDSA+SHA512
Hyperledger  Sawtooth
  • SHA-3/256/512
  • Block hashing:64-byte header signature(instead of hash)
  • libsecp256k1
  • Keccak signature
  • hash-256/384/512+AES
  • P-256
  • P384
  • P521
  • S256
  • BN256
  • Block hashing: SHA-256 (BTC)
  • secp256k1 +ECDSA (BTC)

There are many other permissioned frameworks, including HydraChain, OpenChain, and BigchainDB. Most are based on existing frameworks like Bitcoin or Ethereum. Many of the permissioned blockchain networks are crypto-agile and/or post-quantum proof. 

Role of HSMs in Permissioned Blockchains

Permissioned blockchains incorporate the identity authentication, access control, and authorization features for the nodes for the participation in the blockchain network. Cryptographic keys are utilized for the identities of nodes. These cryptographic keys are securely managed through HSMs. Typically, blockchains incorporate the HSM as a service by which a single HSM or a cluster holds the cryptographic keys of various blockchain nodes. These keys should be managed in separate and secure HSM partitions with designated roles for each partition. In some scenarios, PKI-based digital certificates are also used to ensure the trust between the blockchain nodes.

By design, HSMs are perfectly suited for the needs of a permissioned blockchain.

Permissioned blockchain consensus is vulnerable to cryptographic attacks. Therefore, PKI operations should ideally be performed in HSMs. In general, the key pair generation in blockchains is essential, and such keys should not be handled directly by their end-users. Instead, they should be generated and securely stored in HSMs or in key management servers.

Hashing and specifically, keyed hashing operations, are an integral part of the blockchain system. They also need secure random generation functions that should also be achieved with an HSM.

Why Are These Standards Important for Compliance and Auditability?

HSMs are a vital part of any security infrastructure that is under the mandate of securely managing cryptographic keys. The HSMs considered for incorporation must be FIPS 140-2 level validated and Common Criteria certified. If PKI-based digital certificates are being used in the permissioned blockchain, they must comply with the latest X.509 v3 standard. When a permissioned blockchain is employed in a banking/financial services department, the PCI PTS HSM version 3.0 certification is mandatory for legal obligations and compliance.


In preventing and mitigating malicious attacks, the implementation of strong authentication and cryptographic mechanisms is a critical requirement for protecting permissioned blockchains. Since the permissioned blockchain incorporates the identities of blockchain nodes, the need for HSMs is critical.

It would be in the best interest of banks and payment services providers to use HSMs and secure key management systems to perform the cryptographic operations needed for blockchain operations.

References and Further Reading

  • Learn more about Utimaco's HSMs for blockchains
  • More articles on permissioned blockchains on our blog (2018 - today), by Martin Rupp, Priyank Kumar, Ulrich Scholten, Asim Mehmood, Dawn M. Turner and more
  • More articles on eIDAS (2018 - today) on our blog, by Gaurav Sharma, David McNeal and more
  • More articles on HSMs (2018 - today)on our blog, by Terry Anton, Dawn M. Turner and more

Blog post by Martin Rupp, Priyank Kumar and Ulrich Scholten

To find more blog posts related with below topics, click on one of the keywords:

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.
You have selected two different types of downloads, so you need to submit different forms which you can select via the two tabs.

Your download request(s):

    By submitting below form you will receive links for your selected downloads.

    Your download request(s):

      For this type of documents, your e-mail address needs to be verified. You will receive the links for your selected downloads via e-mail after submitting below form.

      About Utimaco's Downloads

      Visit our Downloads section and select from resources such as brochures, data sheets, white papers and much more. You can view and save almost all of them directly (by clicking the download button).

      For some documents, your e-mail address needs to be verified. The button contains an e-mail icon.

      Download via e-mail


      A click on such a button opens an online form which we kindly ask you to fill and submit. You can collect several downloads of this type and receive the links via e-mail by simply submitting one form for all of them. Your current collection is empty.