Organizations have become critically reliant on the internet for their business workflows. This increased exposure means that organizations face new threats on a daily basis, which dictates the incorporation of cryptographic services.
In the past, malicious adversaries mainly targeted corporate sectors such as finance and banking, but today every platform is targeted. Hence the protection of user data and information has become a priority in every business sector. A vital element used to address some of these security issues is the HSM. PCI SSC has mandated the inclusion of an HSM as part of PCI DSS compliance.
This article covers the physical security requirements for HSMs.
An HSM (Hardware Security Module) is a dedicated hardware/physical computing device responsible for secure key life cycle management and for providing performance-enhanced, accelerated cryptographic operations. Corporate organizations and banks have expanded their businesses around the world through e-commerce.
HSMs are widely deployed by enterprises to protect clients' sensitive information and business transactions. The HSM is the security component that acts as the backbone of an organization's cryptographic infrastructure and protects the cryptographic keys at every phase from generation to destruction, which also includes the physical protection of cryptographic keys and sensitive data from unauthorized access and adversaries.
The tasks performed by HSM can be categorized as:
PCI SSC (Payment Card Industry Security Standards Council) is a governing body established in September 2006 as a joint venture by MasterCard, American Express, Visa, JCB International and Discover Financial Services. It holds the mandate of managing the development of PCI standards and the alignment of company policies to PCI DSS (Payment Card Industry Data Security Standard).
PCI DSS is an information security standard intended to prevent credit card fraud and numerous additional security threats and vulnerabilities. Credit/debit card providers such as MasterCard and Visa implement the mechanisms and security controls specified in PCI DSS. Entities that store, process and transmit card information must also implement PCI DSS. The importance of the HSM is evident from the fact that it has been defined as a mandatory component for PCI DSS compliance.
PCI SSC mandates the following physical security requirements for HSMs:
Since HSMs hold cryptographic keys and sensitive data, the main aim is to keep them from falling into the wrong hands. The HSM must implement security mechanisms (tamper switches, zeroization circuitry and firmware) that readily/automatically erase and zeroize all clear-text secret information in a way that makes recovery impossible.
One important factor that HSM design must account for is that the failure of a single security mechanism must not compromise the security of the whole HSM. There must be at least two independent security mechanisms protecting against any particular threat.
The HSM must include controls for visible tamper detection that give evidence of physical penetration of the device. Specially designed tamper-evident stickers that are impossible or very hard to reproduce are placed on the HSM's opening screws and accessories. This protective measure not only deters an attacker but also prevents HSM users or other staff from intentionally or accidentally opening the device. The air intakes/vents must also be designed so that it is impossible to probe the HSM from the outside.
The HSM design must ensure electromagnetic interference (EMI) and electromagnetic compatibility (EMC) security. There should be no practical way to deduce any sensitive information from the device's power consumption or electromagnetic emissions.
The HSM design must guard against substitution and cloning attacks. Cloning of an HSM means successfully extracting the HSM key and backup partition from a compromised/stolen HSM and replicating them into a full-fledged separate HSM. There should be no practical way to duplicate or refabricate the HSM from commercially available accessories and components.
HSM design must enforce strict segregation between the normal HSM device boundary and the cryptographic boundary. This ensures there is no chance that the core crypto module holding the CSPs (Critical Security Parameters) is exposed during maintenance or servicing of the HSM. Sensitive information must only be handled in the protected areas of the HSM, so that it is not prone to accidental or intentional modification or substitution.
The HSM vendor must provide a detailed security policy that addresses proper use of the HSM, key management mechanisms, administrative functions and environmental requirements. The security policy must list all the roles supported by the HSM and describe the permissions of each designated role. All approved functions and operations performed by the HSM must be documented in the security policy, and the HSM must not include any hidden feature or functionality.
The security of the HSM must be resistant to changes in operational and environmental conditions, which include but are not limited to heat/temperature, humidity and operating voltage.
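To make three of the requirements above concrete (automatic zeroization of clear-text secrets, at least two independent mechanisms per threat, and a response to out-of-range environmental conditions), here is an added example of a simplified tamper-response path in firmware. It is illustrative code written for this article and is not taken from PCI SSC documents or from any vendor's HSM firmware; the structure names, the sensor inputs and the temperature/voltage limits are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the article or any vendor's firmware).
 * Names, thresholds and the state layout are assumptions. */

#define KEY_BYTES 32

typedef struct {
    uint8_t master_key[KEY_BYTES]; /* clear-text secret that must not survive a tamper event */
    bool zeroized;                 /* latched once any mechanism has fired */
    unsigned trigger_count;        /* how many independent mechanisms fired */
} hsm_state_t;

/* Assumed environmental limits; real limits come from the vendor's security policy. */
#define TEMP_MIN_C  (-10)
#define TEMP_MAX_C    70
#define VOLT_MIN_MV 3000
#define VOLT_MAX_MV 3600

/* Overwrite secret memory through a volatile pointer so the compiler cannot
 * drop the stores as "dead writes" when the buffer is never read again. */
void secure_zeroize(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
}

/* True if every byte is zero; used to verify that zeroization took effect. */
bool is_all_zero(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Common response: erase all clear-text secrets and latch the zeroized state.
 * Safe to call from more than one mechanism; each call counts as a trigger. */
static void tamper_response(hsm_state_t *st) {
    secure_zeroize(st->master_key, sizeof st->master_key);
    st->zeroized = true;
    st->trigger_count++;
}

/* Mechanism 1: enclosure tamper mesh / lid switch. */
void check_enclosure(hsm_state_t *st, bool mesh_intact) {
    if (!mesh_intact) tamper_response(st);
}

/* Mechanism 2: environmental monitor, independent of mechanism 1. */
void check_environment(hsm_state_t *st, int temp_c, int volt_mv) {
    if (temp_c < TEMP_MIN_C || temp_c > TEMP_MAX_C ||
        volt_mv < VOLT_MIN_MV || volt_mv > VOLT_MAX_MV)
        tamper_response(st);
}

/* Load a constructed, non-zero key so the scenarios have something to erase. */
void hsm_init(hsm_state_t *st) {
    for (size_t i = 0; i < KEY_BYTES; i++) st->master_key[i] = (uint8_t)(0xA5 ^ i);
    st->zeroized = false;
    st->trigger_count = 0;
}

/* Enclosure intact, but the supply voltage is driven out of range:
 * the key must still be erased although mechanism 1 never fired. */
bool scenario_voltage_out_of_range(void) {
    hsm_state_t st;
    hsm_init(&st);
    check_enclosure(&st, true);        /* mechanism 1 sees nothing */
    check_environment(&st, 25, 4500);  /* mechanism 2 trips on 4.5 V */
    return st.zeroized && is_all_zero(st.master_key, KEY_BYTES) && st.trigger_count == 1;
}

/* Enclosure opened under normal environmental conditions. */
bool scenario_enclosure_open(void) {
    hsm_state_t st;
    hsm_init(&st);
    check_environment(&st, 25, 3300);  /* in range, no trigger */
    check_enclosure(&st, false);       /* mesh broken, mechanism 1 trips */
    return st.zeroized && is_all_zero(st.master_key, KEY_BYTES) && st.trigger_count == 1;
}

/* Normal operation leaves the key intact and the device un-zeroized. */
bool scenario_normal(void) {
    hsm_state_t st;
    hsm_init(&st);
    check_enclosure(&st, true);
    check_environment(&st, 25, 3300);
    return !st.zeroized && !is_all_zero(st.master_key, KEY_BYTES) && st.trigger_count == 0;
}

int main(void) {
    printf("voltage out of range -> zeroized: %s\n", scenario_voltage_out_of_range() ? "yes" : "no");
    printf("enclosure opened     -> zeroized: %s\n", scenario_enclosure_open() ? "yes" : "no");
    printf("normal operation     -> key kept: %s\n", scenario_normal() ? "yes" : "no");
    return 0;
}
```

The point of the two `check_*` functions is that each one reaches `tamper_response` on its own, so defeating the enclosure mesh does not also disable the environmental trip, and vice versa. The `volatile` write loop in `secure_zeroize` is the usual way to keep an optimizing compiler from removing the erase; a plain `memset` on a buffer that is never read again may be elided entirely.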
The HSM is a vital security component used to protect business transactions and user information. Since PCI SSC has mandated the HSM as a mandatory component of PCI DSS compliance, the physical security requirements of HSMs have also gained importance.
This article has summarized and highlighted the core physical security requirements for HSMs as directed by PCI SSC and PCI DSS.