Hardware Security Modules According to ISO 13491 and the Relation to ANSI x9.24-1-2017

November 09, 2020

This article examines Hardware Security Modules (HSMs) according to ISO 13491 and their relationship to ANSI X9.24-1-2017.

A hardware security module (HSM) is a type of computer hardware that can either be installed inside a computer or used over the network as a standalone device. As an external network device it is connected via a network cable. When installed inside a computer or server, it is a PCIe card attached directly to the motherboard.

An HSM is designed to protect and manage the digital keys used for strong authentication, and it offers both the specialized functions needed to process transactions and general-purpose cryptographic functions. HSMs provide logical and physical protection, such as cryptographic protection and tamper-proof enclosures, to keep critical data from being disclosed to or accessed by anyone who is not authorized to do so.

The Roles of HSMs

HSMs can be used in any application that relies on digital keys, in order to protect those keys. Such keys are usually of high value and require confidentiality, because their compromise could have a significant negative impact on the key’s owner.

How are HSMs Used?

HSMs perform the following functions:

  • Generating cryptographic keys
  • Providing secure storage for master keys
  • Key management
  • Using cryptographic keys and sensitive data to perform encryption and digital signatures
  • Performing asymmetric and symmetric cryptographic operations on behalf of application servers

Both symmetric and asymmetric cryptography are supported by HSMs. Applications like digital signing and certificate authorities usually use asymmetric key pairs and certificates, as used in public-key cryptography. Applications like financial payment systems and data encryption rely instead on symmetric keys.

PKI Environment

HSMs can be used by certification authorities and registration authorities in PKI environments to generate, store, and handle asymmetric key pairs. These devices must have features such as:

  • Both logical and physical high-level protections
  • Secure key backup
  • Full audit and log traces
  • Multi-part user authorization schema

Card Payment Systems

The payment card industry uses specialized HSMs. These devices support both common functions and the specialized functions used for processing transactions in compliance with industry standards. Transaction authorization and payment card personalization are typical applications in the payment card industry. Cryptography is used for:

  • PIN verification
  • Protecting secret information like customer PINs
  • Maintaining the integrity and authenticity of MACs and other sensitive data
  • Card security code verification
  • Supporting crypto-APIs for EMV
  • Performing secure key management
  • Generating data for magnetic stripe cards (PVV, CVV)
  • Generating a card keyset and supporting the card personalization process

For the banking and retail financial services market, HSMs are required to abide by standards set by the Payment Card Industry Security Standards Council, ISO, and ANSI X9.

The security of these devices is critical to securing retail electronic payment systems, which are constantly at risk of cyber-attack. The HSMs themselves, however, are also always at risk of being attacked.

Attack Risks HSMs Commonly Face

There are numerous attack scenarios that target HSMs used for electronic payments. The most concerning are:

  • Penetration, which involves the unauthorized opening or physical perforation of the HSM to access its sensitive data, such as cryptographic keys.
  • Monitoring, which involves observing electromagnetic (EM) radiation, timing differences, power consumption, or other side channels to recover sensitive information stored inside the HSM.
  • Manipulation, which involves putting the HSM under environmental stress, bombarding it with a sequence of inputs, or interfering with its external inputs so that it discloses sensitive information, for example if its “test mode” is triggered, allowing an attacker to gain unauthorized access to the HSM’s services.
  • Modification, which involves the unauthorized alteration of the logical or physical characteristics of the HSM in a way that lets the device remain operational while it discloses protected information for as long as the modification is in place, such as a PIN pad overlay placed between the PIN entry point and the PIN encryption point.
  • Substitution, which involves replacing one device with another that looks like the original and may share some of its logical characteristics, but that also contains unauthorized functions.

How Do HSMs Defend Against These Attacks?

HSMs need to have three factors working together to defend against attacks:

  1. Device Characteristics
  2. Device Management
  3. Environment

HSMs possess logical and physical security protections that work together to deter the attack scenarios above. Their physical security characteristics are:

  1. Tamper resistance
  2. Tamper evidence
  3. Tamper response
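The device characteristics named above and the features the PKI section lists for an HSM (logical protection of keys, secure key backup, full audit traces, a multi-part user authorization schema, and a tamper response) can be modelled in a few dozen lines. The following Python model is an added illustration written for this page; it is not Utimaco code and not an implementation of ISO 13491, and the operator names, the two-of-three quorum, and the HMAC-based key wrap stand-in are all assumptions made for the example.

```python
"""Simplified model of the HSM security characteristics discussed above:
keys are generated and used only inside the device boundary, sensitive
operations such as key backup require k-of-n operator authorization, every
operation leaves an audit trace, and a tamper event triggers a tamper
response that zeroizes all key material. Illustrative model only (assumption:
not vendor code, not a standards implementation)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class HsmError(Exception):
    """Raised when the model refuses an operation."""


@dataclass
class HsmModel:
    operators: set            # enrolled operator names (constructed sample data)
    quorum: int               # k of n operators needed to authorize a backup
    _keys: dict = field(default_factory=dict)    # handle -> raw key bytes
    _audit: list = field(default_factory=list)   # full audit trace
    _tampered: bool = False

    def _check_not_tampered(self):
        if self._tampered:
            raise HsmError("tamper response active: key store zeroized")

    def _log(self, event, **details):
        self._audit.append({"event": event, **details})

    def generate_key(self, label):
        """Create a 256-bit key inside the boundary; only an opaque handle leaves."""
        self._check_not_tampered()
        handle = f"{label}:{secrets.token_hex(4)}"
        self._keys[handle] = secrets.token_bytes(32)
        self._log("generate_key", handle=handle)
        return handle

    def mac(self, handle, data):
        """Compute an HMAC-SHA256 MAC over data; the key is used, never exported."""
        self._check_not_tampered()
        if handle not in self._keys:
            raise HsmError("unknown key handle")
        tag = hmac.new(self._keys[handle], data, hashlib.sha256).hexdigest()
        self._log("mac", handle=handle)
        return tag

    def verify_mac(self, handle, data, tag):
        """Constant-time comparison of a supplied MAC against a recomputed one."""
        ok = hmac.compare_digest(self.mac(handle, data), tag)
        self._log("verify_mac", handle=handle, ok=ok)
        return ok

    def backup_key(self, handle, approvers, wrap_key):
        """Secure key backup: the key leaves only under k-of-n authorization and
        only wrapped under a key-encrypting key. XOR with an HMAC-derived
        keystream is a stand-in for a real key-wrap algorithm (assumption)."""
        self._check_not_tampered()
        present = set(approvers) & self.operators   # distinct enrolled operators
        if len(present) < self.quorum:
            self._log("backup_denied", handle=handle, approvers=sorted(present))
            raise HsmError(f"quorum not met: {len(present)}/{self.quorum}")
        if handle not in self._keys:
            raise HsmError("unknown key handle")
        stream = hmac.new(wrap_key, handle.encode(), hashlib.sha256).digest()
        wrapped = bytes(a ^ b for a, b in zip(self._keys[handle], stream))
        self._log("backup", handle=handle, approvers=sorted(present))
        return wrapped

    def tamper_event(self, reason):
        """Tamper response: overwrite and drop every key, then refuse all service."""
        for h in list(self._keys):
            self._keys[h] = b"\x00" * len(self._keys[h])
        self._keys.clear()
        self._tampered = True
        self._log("tamper", reason=reason)

    def audit_trail(self):
        return list(self._audit)


def run_demo():
    """Walk through generate, MAC, denied and approved backup, and tamper."""
    hsm = HsmModel(operators={"alice", "bob", "carol"}, quorum=2)
    key = hsm.generate_key("mac-key")
    tag = hsm.mac(key, b"constructed transaction record")
    assert hsm.verify_mac(key, b"constructed transaction record", tag)
    try:
        hsm.backup_key(key, ["alice"], b"constructed-kek")   # one approver
    except HsmError:
        pass
    hsm.backup_key(key, ["alice", "bob"], b"constructed-kek")  # quorum met
    hsm.tamper_event("enclosure opened")
    return hsm.audit_trail()


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The point the model makes is that every path to key material is mediated: MAC generation and verification return only results, backup returns only wrapped material and only after the configured quorum of distinct operators approves, a denied attempt is still recorded in the audit trace, and once a tamper event fires the key store is zeroized and every subsequent call fails rather than degrading silently.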

The ANSI x9.24-1-2017 Standard

The ANSI X9.24-1-2017 standard was published by the Accredited Standards Committee X9 of the American National Standards Institute. The 2017 version was approved on June 8, 2017.

It addresses and standardizes symmetric key management for Secure Cryptographic Devices (SCDs) used in retail financial services.

Secure Cryptographic Devices are devices providing “physically and logically protected cryptographic services and storage”. The standard therefore applies to Hardware Security Modules.

The ANSI standard states in chapter 3 that it shall be applied in conjunction with ISO 13491:2016, all parts, Financial services – Secure cryptographic devices.

What Does ISO 13491 Require of HSMs?

ISO 13491 requires that HSMs combine all three physical security characteristics to achieve the required security. Where needed, additional physical characteristics may be required to prevent passive attacks on sensitive data.

The purpose of secure cryptographic device management is to prevent the unauthorized alteration of the HSM’s characteristics throughout its life cycle. This is accomplished by placing external controls on the device during its life cycle.

These controls include:

  • Security practices
  • Key management methods
  • Operational procedures

The security of the HSM’s environment can range between minimal and highly controlled. Controls should be in place to prevent or detect access based on the device’s physical risks and the type of data it is protecting.

References

  • ANSI X9.24-1-2017 – Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques (2017), by the Accredited Standards Committee X9 of the American National Standards Institute
  • ISO 13491-1:2016 Financial services — Secure cryptographic devices (retail) — Part 1: Concepts, requirements and evaluation methods (2016), by the International Organization for Standardization