Collaborate Disseminate
In various discussions of Security Architecture, I have read that HSMs can be configured with rate limiting on the number of encryptions/decryptions that can be performed in a given amount of time. If I understand correctly, the purpose of… Continue reading Can some HSMs send requests to other servers before performing an encryption/decryption operation?
Imagine a system architecture where an API server is able to send a request to an HSM, and the HSM is able to decrypt some data for a particular user/customer, in order to serve some hypothetical purpose. In this case, if the API server is… Continue reading Using an HSM to protect encrypted data even when a server is compromised
Given the usage of AWS KSM without CloudHSM. There is a two-tier key hierarchy: master key + data key. Master key encrypts data key, data key encrypts data. Encrypted data key is stored with the data it encrypted. Encryption/decryption of … Continue reading AWS KMS CMK compromise
Long story short, I’ve assigned with the task to find a way to improve security in an application, they are using java keystores to save and protect the keys. The application owner is worried that someone could stole the keystore and the pass.
I’ve read this question Storage of ‘secrets’, keystores, HSMs and the rest and as the accepted answer says there is always something at the end that could expose everything.
As I see the best way to protect the keys is to store private keys in an HSM and do there the signing operations.
This has lead me to another problem: I have to store the keys in the HSM in a way that applications don’t have access to other application keys, the HSM in my organization is a Thales Luna, so to make this separation between applications they need to create partitions in it which has a downside, this partitions have additional cost.
Other thing I’ve noticed is that even with the HSM there is something always in the client side that could lead to a breach, the difference is the complexity to get the keys or get access to the HSM to misuse the keys.
I am exploring the option of encrypt the private keys of each module with a key inside the HSM, so regarding this the question should be: Is it really more secure using a key inside the HSM to encrypt the private keys than using the java keystore only?
I’m still not completely sure about the role of using an HSM or TPM on a device when it comes to storing private keys for security purposes.
My use case would be using TLS with an embedded device which contains a unique self-signed device … Continue reading Does / Can a HSM or TPM encrypt my private keys
I have heard about this, but not sure how it would work.
I would imagine that when you register the device, the public RSA key burnt into the chip would be shared.
That way, if the application sends a challenge, the TPM uses the private ke… Continue reading How does a cloud based application use a TPM to authenticate hardware devices?
I understand that Root of Trust is necessary for implementing a secure boot on a device. Root of Trust is strong and trust worthy if this comes from hardware security elements like HSM/TPM/..
So for devices which are not having hardware se… Continue reading Secure boot for devices which don’t have hardware security element
I’m new to DUKPT, so I’m not entirely clear about DUKPT and HSM. Right now, I’m trying to decrypt data (PAN number) from terminal.
So far, when I receive KSN and encrypted data, I understand that I need to find encryption key. From my HSM … Continue reading How to get Future Keys (Session Key) from IPEK for decryption data?
Are there any Open-Source Hardware Security Modules (meeting OSHWA requirements)?
I’ve worked with Utimaco HSMs, but I’m not a big fan of closed-source hardware — especially when it comes to security but also out of principle.
Moreover, I… Continue reading Open-Source Hardware Security Modules (HSM)
What are the pros and cons and differences between several key protection below ?
Online Wallet
software wallet
paper wallet
hardware wallet
hardware security module
trusted platform module
cloud key management system
smart card
keystores… Continue reading The best key protection