Definition: A hardware security module (HSM) is a ‘trusted’ physical computing device that provides extra security for sensitive data. This device creates, provides, protects and manages cryptographic keys for functions such as encryption and decryption and authentication for the use of applications, identities and databases.
Hardware Security Module (HSM) explained
A hardware security module is a tamper and intrusion-resistant, highly-trusted physical device that performs all major cryptographic operations, including encryption, decryption, authentication, key management and key exchange. The sole purpose of an HSM is to conceal and protect cryptographic data. They have a robust operating system and restricted network access via a firewall. HSMs need to comply with a range of standards and regulations, which include the following:
- European Union's General Data Protection Regulation;
- PCI Data Security Standard;
- Domain Name System Security Extensions;
- FIPS 140-2;
- Common Criteria.
An HSM is a ‘trusted’ device because it:
- Is built on top of specialized hardware. In special laboratories, the hardware has been thoroughly tested and certified
- Has a security-focused operating system
- Has restricted access through a network interface that is strictly governed by internal rules
- Actively hides and protects cryptographic data.
HSMs can be found in smart cards, dedicated cards found in hardware (cryptographic cards), portable devices, self-contained devices (appliances), IoT devices installed on site, hosted, or offered as a cloud service (HSM-as-a-Service).
There are two main types of Hardware Security Module:
1. General Purpose
General Purpose HSMs can utilize the most common encryption algorithms, such as PKCS#11, CAPI, CNG as well as other common algorithms, which are mainly used with Public Key Infrastructures to safe-guard digital keys and certificates (which protect PKI from being breached), crypto-wallets, and other basic sensitive data.
2. Payment & Transaction
A Payment HSM is used primarily by the banking industry for the protection of payment transactions which include:
- the use of PIN (generation, management, validation and translation of the PIN Block in transactions carried out at POS and ATMs)
- the protection of electronic fund transfers (EFT)
- the generation of data for magnetic strips and EMV chips in card production and personalization processes
- the processing of payment transactions with debit and credit cards
- the validation of cards, users and cryptograms during payment transaction processing
- Payment credential issuing for payment cards and mobile applications
Payment HSMs generally provide cryptographic support for most card brands' payment applications, and their interconnection interfaces are usually more limited than those of general-purpose HSMs.
Benefits of using HSMs
Hardware Security Modules have a number of benefits including:
- Tamper-resistant, tamper-evident, and tamper-proof systems to provide extremely secure physical systems
- Providing the highest level of security for sensitive data and cryptographic keys on the market
- Meeting security standards and regulations
- Cryptographic key lifecycle tasks can be automated quickly and efficiently
- Cryptographic keys are stored in a single location rather than in multiple locations.
Being a physical device with a powerful operating system and limited network access, makes an HSM the "Root of Trust" in an organization's security infrastructure.