Hardware Security Modules (HSMs) are widely use for cryptography key management in many areas such as PKI, card payment, trusted platform modules, etc. However they are rarely used in in-house software development. This presentation will explain about why we need the key management and its fundamental, overview of HSM and how it take parts in key management, HSM selection criterias, and finally, an idea to make a web service wrapper easier to adopt by developers those lack of knowledge in cryptography programming.

1. Secure Your Encryption with HSM
Narudom Roongsiriwong, CISSP
OWASP Thailand Chapter Meeting 4/2017
June 29, 2017

2. WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP)
● Consultant for OWASP Thailand Chapter
● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter
● Consulting Team Member for National e-Payment project
● Committee Member of Thailand Banking Sector CERT (TB-CERT)
● Contact: narudom@owasp.org

3. Real World Cryptography
We spend too much time arguing about algorithm but lack of
time discussing
● Key controls and key management
● Key change/exchange procedures
● Cryptographic toolkits
● Random number/seed generators
● Process & documentation
● Training

4. Brute-Forcing vs Key Thef
Left hand side: At the Passwords^12 Conference, Jeremi Gosney (a.k.a epixoip) demonstrated a rig of
25 AMD Radeon GPUs that leveraged Virtual OpenCL Open Cluster (VCL)

5. Cryptography uses SECRET keys
How can we keep keys being SECRET?

6. Key Management Fundamental

7. “Key management is the hardest part of cryptography
and often the Achilles’ heel of an otherwise secure
system.”
- Bruce Schneier, Applied Cryptography (2nd edition)

8. Key Management Framework
Generation Exchange Storage Rotation Archiving Destruction
Key Usage

9. Key Generation
● Generate Key
● Register Owner
● Activate Key
● Deactivate Key
● Suspend and Re-Activate a Key
● Renew a Public Key
● Key Derivation or Key Update
● Associate a Key with its Metadata
● Modify Metadata
● List Key Metadata

10. Key Exchange
Establish Key
● Validate Public Key Domain
Parameters
● Validate Public Key
● Validate Public Key Certification
Path
● Validate Symmetric Key
● Validate Private Key (or Key Pair)
● Validate the Possession of a Private
Key
● Perform a Cryptographic Function
using the Key
● Manage the Trust Anchor Store
Cryptographic Key and
Metadata Security: During Key
Establishment
● Key Transport
● Key Agreement
● Key Confirmation
● Key Establishment Protocols
(TLS, IKE, SSH, …)

11. Key Storage
● Store Operational Key and Metadata
● Backup of a Key and its Metadata
● Recover Key and/or Metadata
● Enter a Key and Associated Metadata into a Cryptographic
Module
● Output a Key and Associated Metadata from a Cryptographic
Module

12. Key Rotation (Retirement)
● Replace Key (Rollover, Update and Renewal)
● De-register Key
● Revoke Key
– Document, Test and Maintain Compromise Management Plan
– Establish and Maintain Notification Process
– Assess Impact as Part of Incident Response
– Do Not Delete the Keys

13. Key Archival
● Archive Key and/or Metadata
● Recover Key and/or Metadata

14. Key Destruction
● Destruction of Encryption Key Materials
● Retention of Encryption Key Meta-Data

15. An Overview of Hardware Security Module

16. What is an HSM?
● Cryptographic Computing Hardware Module
● Protected Key Store
● Well-Defined Interface Protocol
● Hard to Compromise
Hardware Security Module

17. Other Names of HSM
● Personal Computer Security Module (PCSM)
● Secure Application Module (SAM)
● Secure Cryptographic Device (SCD)
● Secure Signature Creation Device (SSCD)
● Hardware Cryptographic Device
● Cryptographic Module
Source: SANS Institute InfoSec Reading Room, An Overview of Hardware Security Modules

18. Cryptographic Computing Module
● Hardware Accelerate Cryptography
– Symmetric: AES, 3DES, Blowfish, Aria, Camelia
– Asymmetric: RSA, DSA, Diffie-Hellman, ECC
● Secure Random Number Generator
● Message Digest (Hash)
● Message Authentication Code (MAC)

19. Protected Key Store
● Keys stored in tamper-proof nonvolatile memory
– If tampering is detected, memory will be malfunction
● Implemented using
– Covering components in epoxy
– Thin wires covering sensitive components

20. How HSM Helps Key Management?
● HSM has key generation functions
● HSM provides key transport and key agreement functions
● HSM provides protected key storage and key handling
functions
● HSM provides ciphertext translation function from one key to
another for key rotation
● HSM provides key backup/recover functions for key archival
● HSM is able to delete keys inside protected storage.

21. Main Application Areas
● PKI Environments
– Certification Authority (CA) and Registration Authority (RA)
– Generate, store and handle key pairs
● Card Payment Systems
– Authentication and integrity checking of messages
– Confidentiality (e.g. PIN)
– On-line PIN verification
– Checking card security codes
– Re-encryption of PIN blocks
– Card creation: PIN mailers, generation of magnetic stripe data,
personalization of chip cards
– E-commerce and M-commerce
– Home banking

22. Other Application Areas
● Key Distribution Centers
● SSL connectivity
● PayTV
● Access control: one time passwords, user authentication
● (Qualified) Digital signatures
● Time-stamping
● Trusted Platform Modules (TPM)
● Document protection

23. HSM Selection Criteria

24. Smart Card / SIM SD Card
HSM Form Factors
USB
Network / Remote InterfaceLocal Interface (PCI/PCIe)

25. HSM Key Store Architectures
Keys stored in HSM
● Pros:
– No additional component
is needed
– Ease of maintenance
● Cons:
– Limited numbers of keys
● Example Product: Safenet,
USB Type, Smart Card Type
Keys stored externally and
encrypted by master key in
HSM
● Pros:
– Unlimited or large
numbers of keys
● Cons:
– Additional components are
needed
– Hard to maintain
● Example Product: Thales

26. HSM: General Purpose vs Specific Purpose
General Purpose
● Equipped with standard
cryptographic algorithms
Symmetric, Asymmetric,
Hashing)
● Support major OS drivers
including VMWare and Hyper-V
● Support standard APIs
– PKCS#11
– Open SSL
– Java (JCE)
– Microsoft CAPI and CNG
Specific Purpose
● Optimized for specific function
– Security Application Module
(SAM) / SIM
– Electronics Fund Transfer /
Payment System
● Limited Cryptographic algorithm
● Support specific applications
– EFT Key Management
– MAC (Message Authentication
Code)
● May not support standard APIs

27. HSM Speed
● RSA Signing Speed → Signing operations per second (at 1024-
bit, public exponent 3 or 65537)
● RSA Key Generation Speed → Keys per second (at 1024-bit
and 2048-bit)
● Visa PIN Verification → Operation per second
● AES Encryption → MB per second (at 256-bit key length)

28. HSM Licensing
● HSM specification may support many cryptography algorithms
but not all are activated
– Algorithm activation based on the license
● Maximum encryption/decryption speed may not be the same as
declare in the specification
– Speed limit by the license
● Network or remote interface type HSM may limit the number of
hosts or IP addresses connected to the HSM upon the license

29. HSM: Standard and Certification
● FIPS 140-2
● Common Criteria Evaluation Assurance Level (CC-EAL)
● PCI HSM
● APCA
● MEPS

30. FIPS 140-2
Level Requirement
1 Basic security requirements
2 Tamper evidence, user authentication
3 Tamper detection/resistance, data zeroisation, splitting user roles
4 Very high tamper detection/resistance, Environmental protection

31. CC-EAL
● What Protection Profile (PP)
has been used for the Target
of Evaluation (ToE)?
– CMCKG-PP – Key
Generation
– CMCSO-PP – Signing
Operations
EAL1 Functionally tested
EAL2 Structurally tested
EAL3 Methodically tested and checked
EAL4 Methodically designed, tested,
and reviewed
EAL5 Semi-formally designed and
tested
EAL6 Semi-formally verified design and
tested
EAL7 Formally verified design and
tested

32. HSM Key Backup/Restore
● How do you backup your keystore?
– Smart Card
– Secure USB Storage
● Key synchronization among two HSMs or more?
● Can you restore a backup elsewhere?
– e.g. on a hot-standby site
● Split key backup possible?
● Well-known backup format?

33. Cloud HSM
● Amazon AWS CloundHSM
● IBM Bluemix HSM
https://aws.amazon.com/cloudhsm/
https://www.ibm.com/cloud-computing/bluemix/hardware-security-module

34. HSM API
● PKCS#11
● OpenSSL Engine
● Microsoft CAPI
● Java Cryptography Extension
● Vendor specific API
● Low level programming (need for speed)
– USB Type or Smart Card Type + Reader: PC/SC + vendor
specific smart card application protocol data unit (APDU)
– Network Type: Socket programming with vendor specific
protocol

35. PKCS#11
● PKCS #11 is one of the Public-Key Cryptography Standards but
also support other cryptographic functions
● Defines a platform-independent API to cryptographic tokens,
such as hardware security modules (HSM) and smart cards
● API name is “Cryptoki”, but often called PKCS#11 API as its
standard. Complex C API.
● Wrappers
– Java Cryptography Architecture/Extension (JCA/JCE)
– Pkcs11Interop → .NET (Open source, Nuget package available)
– PyKCS11 → Python
– Ruby-pkcs11 → Ruby

36. PKCS#11 Functions
● Key Management
– Key & Key Pair Generation
– Key Factory
– Key Agreement (Diffie-Hellman)
– Key Store (Keys & Certificates)
● Cipher (Encrypt/Decrypt)
● Secure Random Number Generator
● Message Digest
● Message Authentication
● Digital Signature

37. Key Management with HSM Web Service

38. Pain Points
● How can we encourage developers adopt HSM and key
management process?
● How can we ensure that developers properly implement only
approved cryptography algorithm?
● How can we help applications rotate keys properly and
correctly?
● If we need stronger encryption algorithm or longer key
length in the future, how can we migrate the encrypted data
without application modification?

39. HSM Wrapper API Connection Diagram

40. Wrapping Functions
● decryptdata(AppKeyID, Ciphertext)
– Return Plaintext
● encryptdata(AppKeyID, Plaintext)
– Return Ciphertext
● translatedata(AppKeyID, Ciphertext)
– Return new CipherText
● AppKeyID is not the same as HSM key ID but
a pointer to a configuration record of
– Encryption algorithm
– History list of HSM key IDs usage
– decryptdata & encryptdata will always use
current key that associates with AppKeyID
● Ciphertext is encrypted data
● Plaintext is original data
HSMKeyID AppKeyID ValidFrom
39 3 Last Jan 1
40 4 Last Feb 1
41 3 Next Jan 1
42 4 Next Feb 1
translatedata function will decrypt an input
ciphertext with the current key and re-encrypt
with the nearest future key
For example from key history table, if
AppKeyID=3, translatedata function will use
HSMKeyID=39 to decrypt input ciphertext to a
plaintext, then will encrypt that plaintext with
HSMKeyID=41 to a new ciphertext.

41. Application Example: PGP Decryption
Data
Encrypt key
using receiver‘s
public key
RSA
Encrypted Message
Encrypt Decrypt
Encrypt data
using random
key
q4fzNeBCRSYqv
Encrypted Key
Generate
Random
Key
Data
TIakvAQkCu2u
Random Key
Encrypted Message
Data
q4fzNeBCRSYqv
Encrypted Key
Decrypt data
using key
Decrypt using
receiver‘s
private key
RSA
TIakvAQkCu2u
Data
● Call Wrapper API’s
“decryptdata” function with
parameters
– AppID (Which App Profile)
– q4fzNeBCRSYqv as
Encrypted Data
● Receive TIakvAQkCu2u as
Decrypted Data

42. Application Example:
Secure Password for Deployment Automation