
How HSM Facilitates Auditability for TSA / Notary Services in Blockchain Technologies

November 09, 2020

In this article, we explain the main benefits of using HSMs in combination with notary services/TSA for auditing blockchains. Our intent is to provide only the main ideas and guidelines on the subject.

Trusted Timestamping & TSA

Definition

Trusted timestamping is the process of securely keeping track of the creation and modification time of a transaction (or any other type of data). A timestamp is secure if, once it has been created, no one can modify it without destroying its integrity.

Trusted timestamping must offer irrefutable proof that a given transaction was performed at a given date. It is used especially for ledgers and accounting purposes in financial systems.

TSA and Notaries in Permissioned Blockchains

Blockchains create de facto decentralised timestamps. The core principle of the consensus defined by the original blockchains was to avoid using a timestamp media server [1] to provide trusted timestamping.

With the recent rise of permissioned blockchains, where consensus is usually performed by timestamping authorities (TSAs), for example the abstract blockchain or Corda-like notary services, the idea of using some additional trusted media to publish the timestamps has been re-introduced.

Auditing in Blockchain

Blockchains have many functions and features that facilitate auditing, but the blockchain in itself isn’t an audit system. It is possible for an auditing system (usually automated) to check the validity of invoices by performing cryptographic operations (usually hashing) to compare financial invoices and accounting balances with a record of transactions found in blocks inside one (or more) blockchain(s).

This is why permissioned blockchains, which are more business-oriented than their public counterparts, offer more latitude for professional financial auditing. Recall also that the blockchain's visibility features, one of its pillars (e.g., ‘all’ can see all the transactions), are not suitable for many major business actors such as banks and financial processors. This means that besides the blockchain, there is a need for strongly permissioned encryption to make sure that private transaction data are not leaked to unauthorized parties. In terms of audits, such as those performed in banks, this may look like a challenge. As we shall see later in this article, the auditing of a blockchain can be done via a PCI-compliant HSM.

There are many accountability issues in a typical blockchain architecture, but we will not enter into the details here. However, we will explain how using a notary/TSA service in combination with a PCI-grade HSM can solve, at least partially, these issues.

Anchoring and Timestamp Servers in Blockchain

As we explained earlier, anchoring services that use a media server for publishing secure timestamps, in addition to the blockchain itself, are considered a better and more convenient way to perform audits in the context of permissioned blockchains, such as those provided by the Corda framework.

Audit Functions Offered by HSMs

Here we shall detail what audit functions are needed or advisable in a banking-grade HSM.

If an auditable event happens, the HSM automatically adds an entry to an audit log file. A typical audit log entry includes:

  • A timestamp with date and time of the event
  • User name of all users who authenticated the audited command
  • Function code (FC) and subfunction code (SFC) of the audited command
  • A status code to indicate success of the operation or error code otherwise

An HSM is an ideal tool for performing such anchoring and providing secure audit logs because it uses secure memory protection and cryptographically signed logs for offline historical storage. It can identify itself as a trusted service, as well.
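The sketch below is an added example, not Utimaco code or a real HSM log format. It shows how an auditor can verify a tamper-evident log whose records carry the four fields listed above, and why a record's timestamp cannot be altered afterwards without detection. The field names, the chaining of each record to its predecessor, and the use of HMAC-SHA256 as a stand-in for the HSM's signature are assumptions; the key, FC/SFC numbers and status codes are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "00" * 32  # chain value that precedes the first record

def entry_mac(key, prev_mac, entry):
    """HMAC-SHA256 over the previous record's MAC plus the canonical entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

def append_entry(log, key, timestamp, users, fc, sfc, status):
    """Append a record with the four fields the article lists, chained and MACed."""
    entry = {"timestamp": timestamp, "users": users,
             "fc": fc, "sfc": sfc, "status": status}
    prev_mac = log[-1]["mac"] if log else GENESIS
    log.append({"entry": entry, "mac": entry_mac(key, prev_mac, entry)})

def verify_log(log, key, archived_last_mac=None):
    """Return the indexes at which the log fails verification.

    An edited record fails itself. A deleted or reordered record makes its
    successor fail, because each MAC covers the predecessor's MAC. Truncation
    of the tail is reported (as index len(log)) only when the auditor supplies
    the last MAC it archived out of band.
    """
    bad, prev_mac = [], GENESIS
    for i, rec in enumerate(log):
        expected = entry_mac(key, prev_mac, rec["entry"])
        if not hmac.compare_digest(rec["mac"], expected):
            bad.append(i)
        prev_mac = rec["mac"]  # continue from the stored value to localise damage
    if archived_last_mac is not None and not hmac.compare_digest(prev_mac, archived_last_mac):
        bad.append(len(log))
    return bad

def build_sample_log():
    """Constructed sample: key, FC/SFC numbers and status codes are made up."""
    key = b"constructed-demo-key"  # a real HSM keeps its signing key inside the device
    log = []
    append_entry(log, key, "2020-11-09T10:00:00Z", ["admin1", "admin2"], 1, 1, 0)
    append_entry(log, key, "2020-11-09T10:05:12Z", ["operator1"], 2, 7, 0)
    append_entry(log, key, "2020-11-09T10:06:40Z", ["operator1"], 2, 9, 4711)
    return key, log

if __name__ == "__main__":
    key, log = build_sample_log()
    print("untouched log:", verify_log(log, key))
    log[1]["entry"]["timestamp"] = "2020-11-08T10:05:12Z"  # backdate one record
    print("after backdating record 1:", verify_log(log, key))
```

With an asymmetric signature in place of the HMAC, the auditor would need only the HSM's public key, which is what makes verification of offline archives by a third party practical.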

A formal audit procedure can be conducted from a central HSM user interface (control center), with the help of the logs produced by the HSM. This allows for level I audits concerning the HSMs within the financial institution. HSMs are often deployed in a decentralized arrangement; the audits can nevertheless be conducted from a central location. The use of a FIPS 140-2 compliant HSM is mandatory to reach PCI DSS compliance for the permissioned blockchain architecture.

Conclusion

In the context of permissioned blockchains, using a bank-grade HSM for auditing purposes, along with a blockchain notary service (or a TSA), is the right way to solve many auditability challenges found when using blockchain technologies for financial services provided by banks and to achieve PCI-compliance.

References and Further Reading

  • Learn more about Utimaco’s HSMs for blockchains
  • More articles on blockchains in automotive (2019 – today), by Martin Rupp, Priyank Kumar, Ulrich Scholten, Asim Mehmood, Dawn M. Turner and more
  • More articles on permissioned blockchains in banking (2018 – today), by Martin Rupp, Priyank Kumar, Ulrich Scholten, Asim Mehmood, Dawn M. Turner and more
  • More articles on eIDAS (2018 – today), by Gaurav Sharma, David McNeal and more
  • More articles on HSMs (2018 – today) by Terry Anton, Dawn M. Turner and more
  • [1] Such as Usenet, at the time the initial blockchains such as Bitcoin were created