Secure Your Encryption with HSM
7 likes5,516 views
The document discusses the importance of hardware security modules (HSM) in key management for cryptographic systems, highlighting key generation, storage, exchange, and destruction processes. It outlines the challenges of key management and provides an overview of HSM functionalities, including key protection and compliance with standards like FIPS 140-2. Additionally, the document details the selection criteria, application areas, and integration of HSMs with various APIs and platforms.
Secure Your Encryption with HSM
- 1. Secure Your Encryption with HSM Narudom Roongsiriwong, CISSP OWASP Thailand Chapter Meeting 4/2017 June 29, 2017
- 2. WhoAmI ● Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com ● Information Security since 1995 ● Web Application Development since 1998 ● Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP) ● Consultant for OWASP Thailand Chapter ● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter ● Consulting Team Member for National e-Payment project ● Committee Member of Thailand Banking Sector CERT (TB-CERT) ● Contact: [email protected]
- 3. Real World Cryptography We spend too much time arguing about algorithm but lack of time discussing ● Key controls and key management ● Key change/exchange procedures ● Cryptographic toolkits ● Random number/seed generators ● Process & documentation ● Training
- 4. Brute-Forcing vs Key Thef Left hand side: At the Passwords^12 Conference, Jeremi Gosney (a.k.a epixoip) demonstrated a rig of 25 AMD Radeon GPUs that leveraged Virtual OpenCL Open Cluster (VCL)
- 5. Cryptography uses SECRET keys How can we keep keys being SECRET?
- 7. “Key management is the hardest part of cryptography and often the Achilles’ heel of an otherwise secure system.” - Bruce Schneier, Applied Cryptography (2nd edition)
- 8. Key Management Framework Generation Exchange Storage Rotation Archiving Destruction Key Usage
- 9. Key Generation ● Generate Key ● Register Owner ● Activate Key ● Deactivate Key ● Suspend and Re-Activate a Key ● Renew a Public Key ● Key Derivation or Key Update ● Associate a Key with its Metadata ● Modify Metadata ● List Key Metadata
- 10. Key Exchange Establish Key ● Validate Public Key Domain Parameters ● Validate Public Key ● Validate Public Key Certification Path ● Validate Symmetric Key ● Validate Private Key (or Key Pair) ● Validate the Possession of a Private Key ● Perform a Cryptographic Function using the Key ● Manage the Trust Anchor Store Cryptographic Key and Metadata Security: During Key Establishment ● Key Transport ● Key Agreement ● Key Confirmation ● Key Establishment Protocols (TLS, IKE, SSH, …)
- 11. Key Storage ● Store Operational Key and Metadata ● Backup of a Key and its Metadata ● Recover Key and/or Metadata ● Enter a Key and Associated Metadata into a Cryptographic Module ● Output a Key and Associated Metadata from a Cryptographic Module
- 12. Key Rotation (Retirement) ● Replace Key (Rollover, Update and Renewal) ● De-register Key ● Revoke Key – Document, Test and Maintain Compromise Management Plan – Establish and Maintain Notification Process – Assess Impact as Part of Incident Response – Do Not Delete the Keys
- 13. Key Archival ● Archive Key and/or Metadata ● Recover Key and/or Metadata
- 14. Key Destruction ● Destruction of Encryption Key Materials ● Retention of Encryption Key Meta-Data
- 15. An Overview of Hardware Security Module
- 16. What is an HSM? ● Cryptographic Computing Hardware Module ● Protected Key Store ● Well-Defined Interface Protocol ● Hard to Compromise Hardware Security Module
- 17. Other Names of HSM ● Personal Computer Security Module (PCSM) ● Secure Application Module (SAM) ● Secure Cryptographic Device (SCD) ● Secure Signature Creation Device (SSCD) ● Hardware Cryptographic Device ● Cryptographic Module Source: SANS Institute InfoSec Reading Room, An Overview of Hardware Security Modules
- 18. Cryptographic Computing Module ● Hardware Accelerate Cryptography – Symmetric: AES, 3DES, Blowfish, Aria, Camelia – Asymmetric: RSA, DSA, Diffie-Hellman, ECC ● Secure Random Number Generator ● Message Digest (Hash) ● Message Authentication Code (MAC)
- 19. Protected Key Store ● Keys stored in tamper-proof nonvolatile memory – If tampering is detected, memory will be malfunction ● Implemented using – Covering components in epoxy – Thin wires covering sensitive components
- 20. How HSM Helps Key Management? ● HSM has key generation functions ● HSM provides key transport and key agreement functions ● HSM provides protected key storage and key handling functions ● HSM provides ciphertext translation function from one key to another for key rotation ● HSM provides key backup/recover functions for key archival ● HSM is able to delete keys inside protected storage.
- 21. Main Application Areas ● PKI Environments – Certification Authority (CA) and Registration Authority (RA) – Generate, store and handle key pairs ● Card Payment Systems – Authentication and integrity checking of messages – Confidentiality (e.g. PIN) – On-line PIN verification – Checking card security codes – Re-encryption of PIN blocks – Card creation: PIN mailers, generation of magnetic stripe data, personalization of chip cards – E-commerce and M-commerce – Home banking
- 22. Other Application Areas ● Key Distribution Centers ● SSL connectivity ● PayTV ● Access control: one time passwords, user authentication ● (Qualified) Digital signatures ● Time-stamping ● Trusted Platform Modules (TPM) ● Document protection
- 24. Smart Card / SIM SD Card HSM Form Factors USB Network / Remote InterfaceLocal Interface (PCI/PCIe)
- 25. HSM Key Store Architectures Keys stored in HSM ● Pros: – No additional component is needed – Ease of maintenance ● Cons: – Limited numbers of keys ● Example Product: Safenet, USB Type, Smart Card Type Keys stored externally and encrypted by master key in HSM ● Pros: – Unlimited or large numbers of keys ● Cons: – Additional components are needed – Hard to maintain ● Example Product: Thales
- 26. HSM: General Purpose vs Specific Purpose General Purpose ● Equipped with standard cryptographic algorithms Symmetric, Asymmetric, Hashing) ● Support major OS drivers including VMWare and Hyper-V ● Support standard APIs – PKCS#11 – Open SSL – Java (JCE) – Microsoft CAPI and CNG Specific Purpose ● Optimized for specific function – Security Application Module (SAM) / SIM – Electronics Fund Transfer / Payment System ● Limited Cryptographic algorithm ● Support specific applications – EFT Key Management – MAC (Message Authentication Code) ● May not support standard APIs
- 27. HSM Speed ● RSA Signing Speed → Signing operations per second (at 1024- bit, public exponent 3 or 65537) ● RSA Key Generation Speed → Keys per second (at 1024-bit and 2048-bit) ● Visa PIN Verification → Operation per second ● AES Encryption → MB per second (at 256-bit key length)
- 28. HSM Licensing ● HSM specification may support many cryptography algorithms but not all are activated – Algorithm activation based on the license ● Maximum encryption/decryption speed may not be the same as declare in the specification – Speed limit by the license ● Network or remote interface type HSM may limit the number of hosts or IP addresses connected to the HSM upon the license
- 29. HSM: Standard and Certification ● FIPS 140-2 ● Common Criteria Evaluation Assurance Level (CC-EAL) ● PCI HSM ● APCA ● MEPS
- 30. FIPS 140-2 Level Requirement 1 Basic security requirements 2 Tamper evidence, user authentication 3 Tamper detection/resistance, data zeroisation, splitting user roles 4 Very high tamper detection/resistance, Environmental protection
- 31. CC-EAL ● What Protection Profile (PP) has been used for the Target of Evaluation (ToE)? – CMCKG-PP – Key Generation – CMCSO-PP – Signing Operations EAL1 Functionally tested EAL2 Structurally tested EAL3 Methodically tested and checked EAL4 Methodically designed, tested, and reviewed EAL5 Semi-formally designed and tested EAL6 Semi-formally verified design and tested EAL7 Formally verified design and tested
- 32. HSM Key Backup/Restore ● How do you backup your keystore? – Smart Card – Secure USB Storage ● Key synchronization among two HSMs or more? ● Can you restore a backup elsewhere? – e.g. on a hot-standby site ● Split key backup possible? ● Well-known backup format?
- 33. Cloud HSM ● Amazon AWS CloundHSM ● IBM Bluemix HSM https://aws.amazon.com/cloudhsm/ https://www.ibm.com/cloud-computing/bluemix/hardware-security-module
- 34. HSM API ● PKCS#11 ● OpenSSL Engine ● Microsoft CAPI ● Java Cryptography Extension ● Vendor specific API ● Low level programming (need for speed) – USB Type or Smart Card Type + Reader: PC/SC + vendor specific smart card application protocol data unit (APDU) – Network Type: Socket programming with vendor specific protocol
- 35. PKCS#11 ● PKCS #11 is one of the Public-Key Cryptography Standards but also support other cryptographic functions ● Defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM) and smart cards ● API name is “Cryptoki”, but often called PKCS#11 API as its standard. Complex C API. ● Wrappers – Java Cryptography Architecture/Extension (JCA/JCE) – Pkcs11Interop → .NET (Open source, Nuget package available) – PyKCS11 → Python – Ruby-pkcs11 → Ruby
- 36. PKCS#11 Functions ● Key Management – Key & Key Pair Generation – Key Factory – Key Agreement (Diffie-Hellman) – Key Store (Keys & Certificates) ● Cipher (Encrypt/Decrypt) ● Secure Random Number Generator ● Message Digest ● Message Authentication ● Digital Signature
- 37. Key Management with HSM Web Service
- 38. Pain Points ● How can we encourage developers adopt HSM and key management process? ● How can we ensure that developers properly implement only approved cryptography algorithm? ● How can we help applications rotate keys properly and correctly? ● If we need stronger encryption algorithm or longer key length in the future, how can we migrate the encrypted data without application modification?
- 39. HSM Wrapper API Connection Diagram
- 40. Wrapping Functions ● decryptdata(AppKeyID, Ciphertext) – Return Plaintext ● encryptdata(AppKeyID, Plaintext) – Return Ciphertext ● translatedata(AppKeyID, Ciphertext) – Return new CipherText ● AppKeyID is not the same as HSM key ID but a pointer to a configuration record of – Encryption algorithm – History list of HSM key IDs usage – decryptdata & encryptdata will always use current key that associates with AppKeyID ● Ciphertext is encrypted data ● Plaintext is original data HSMKeyID AppKeyID ValidFrom 39 3 Last Jan 1 40 4 Last Feb 1 41 3 Next Jan 1 42 4 Next Feb 1 translatedata function will decrypt an input ciphertext with the current key and re-encrypt with the nearest future key For example from key history table, if AppKeyID=3, translatedata function will use HSMKeyID=39 to decrypt input ciphertext to a plaintext, then will encrypt that plaintext with HSMKeyID=41 to a new ciphertext.
- 41. Application Example: PGP Decryption Data Encrypt key using receiver‘s public key RSA Encrypted Message Encrypt Decrypt Encrypt data using random key q4fzNeBCRSYqv Encrypted Key Generate Random Key Data TIakvAQkCu2u Random Key Encrypted Message Data q4fzNeBCRSYqv Encrypted Key Decrypt data using key Decrypt using receiver‘s private key RSA TIakvAQkCu2u Data ● Call Wrapper API’s “decryptdata” function with parameters – AppID (Which App Profile) – q4fzNeBCRSYqv as Encrypted Data ● Receive TIakvAQkCu2u as Decrypted Data
- 42. Application Example: Secure Password for Deployment Automation