TryTRY
BuyBUY
  • newsletter
  • contact
  • corporate
  • careers
Utimaco
TRYour free HSM simulator
BUYget a quote
  • home
  • solutions
  • products
  • services
  • blog
  • downloads
  • partners
  • company

Utimaco Portal

Here you will find everything you need as a partner and customerLogin required

  • home
  • solutions
    • industries
      • banking and financial services
        • acquirer
        • card scheme
        • issuer
        • hsm-as-a-service
      • government
        • federal government
      • cloud
        • cloud-based innovation
        • multi-cloud agility
      • connected car (V2V)
      • automotive solutions
      • road infrastructure (V2I), toll collection & ITS
      • industrial IoT & manufacturing
      • energy & utilities
      • lottery & gaming
      • media & entertainment
      • telecommunications
    • applications
      • authentication
      • blockchain
      • code signing
      • database encryption
      • document signing
      • key injection
      • post-quantum crypto agility
      • public key infrastructure (PKI)
        • EJBCA
      • random number generator (RNG)
    • compliance
      • certifications & approvals
        • Common Criteria (CC)
        • FIPS 140-2
      • compliance & standardization
        • FISMA, FedRAMP, and FICAM
        • Certificate Policy of the Smart Metering PKI
        • eIDAS
        • GDPR
        • PCI DSS
        • Privacy Shield
  • products
    • general purpose HSM
      • SecurityServer Se Gen2
      • SecurityServer CSe
      • Block-safe
      • CryptoServer CP5 (eIDAS & CC)
      • CryptoServer Cloud
      • TimestampServer
      • Q-safe
    • payment HSM
      • Atalla AT1000
      • PaymentServer Se Gen2
      • PaymentServer CSe
      • Secure Configuration Assistance (SCA)
      • QuickStart Services
      • u.cloud – Atalla PaymentHSMaaS
      • u.trust 360
    • key management
      • Enterprise Key Management
    • Software Development Kit (SDK)
      • CryptoServer SDK
      • CryptoScript SDK
    • HSM simulators
      • Block-safe HSM simulator
      • CryptoServer CP5 simulator (eIDAS & CC)
      • SecurityServer simulator
      • Q-safe HSM simulator
    • form factor
      • LAN appliance
      • PCIe card
      • cloud, “HSM as a Service”
    • KeyBRIDGE
      • KeyBRIDGE POI
      • KeyBRIDGE RKD
      • KeyBRIDGE eKMS
      • TokenBRIDGE™
    • u.trust Anchor
      • u.trust Anchor CSAR
      • u.trust Anchor High Performance HSM
  • services
    • consultancy
      • PQC consultancy
    • support
    • managed services
      • Key Exchange & Escrow Service (KEES™)
    • professional services
    • Utimaco Academy
  • blog
  • downloads
    • brochures
    • data sheets
    • case studies
    • white papers
    • webinars
    • e-books
      • PQC for Dummies e-book
      • HSM for Dummies e-book
    • Utimaco Portal
      • integration guides
      • knowledge base
  • partners
    • Partner Program
      • technology partner
    • Partner Locator
  • company
    • about Utimaco
      • legal
      • terms & conditions
      • privacy
        • cookie-policy
    • locations
    • news
      • newsletter
    • events
    • contact
    • careers
    • investors
    • utimaco management
    • business ethics
    • memberships and certifications
    • engagement in research
  • home
  • solutions
    • industries
      • banking and financial services
        • acquirer
        • card scheme
        • issuer
        • hsm-as-a-service
      • government
        • federal government
      • cloud
        • cloud-based innovation
        • multi-cloud agility
      • connected car (V2V)
      • automotive solutions
      • road infrastructure (V2I), toll collection & ITS
      • industrial IoT & manufacturing
      • energy & utilities
      • lottery & gaming
      • media & entertainment
      • telecommunications
    • applications
      • authentication
      • blockchain
      • code signing
      • database encryption
      • document signing
      • key injection
      • post-quantum crypto agility
      • public key infrastructure (PKI)
        • EJBCA
      • random number generator (RNG)
    • compliance
      • certifications & approvals
        • Common Criteria (CC)
        • FIPS 140-2
      • compliance & standardization
        • FISMA, FedRAMP, and FICAM
        • Certificate Policy of the Smart Metering PKI
        • eIDAS
        • GDPR
        • PCI DSS
        • Privacy Shield
  • products
    • general purpose HSM
      • SecurityServer Se Gen2
      • SecurityServer CSe
      • Block-safe
      • CryptoServer CP5 (eIDAS & CC)
      • CryptoServer Cloud
      • TimestampServer
      • Q-safe
    • payment HSM
      • Atalla AT1000
      • PaymentServer Se Gen2
      • PaymentServer CSe
      • Secure Configuration Assistance (SCA)
      • QuickStart Services
      • u.cloud – Atalla PaymentHSMaaS
      • u.trust 360
    • key management
      • Enterprise Key Management
    • Software Development Kit (SDK)
      • CryptoServer SDK
      • CryptoScript SDK
    • HSM simulators
      • Block-safe HSM simulator
      • CryptoServer CP5 simulator (eIDAS & CC)
      • SecurityServer simulator
      • Q-safe HSM simulator
    • form factor
      • LAN appliance
      • PCIe card
      • cloud, “HSM as a Service”
    • KeyBRIDGE
      • KeyBRIDGE POI
      • KeyBRIDGE RKD
      • KeyBRIDGE eKMS
      • TokenBRIDGE™
    • u.trust Anchor
      • u.trust Anchor CSAR
      • u.trust Anchor High Performance HSM
  • services
    • consultancy
      • PQC consultancy
    • support
    • managed services
      • Key Exchange & Escrow Service (KEES™)
    • professional services
    • Utimaco Academy
  • blog
  • downloads
    • brochures
    • data sheets
    • case studies
    • white papers
    • webinars
    • e-books
      • PQC for Dummies e-book
      • HSM for Dummies e-book
    • Utimaco Portal
      • integration guides
      • knowledge base
  • partners
    • Partner Program
      • technology partner
    • Partner Locator
  • company
    • about Utimaco
      • legal
      • terms & conditions
      • privacy
        • cookie-policy
    • locations
    • news
      • newsletter
    • events
    • contact
    • careers
    • investors
    • utimaco management
    • business ethics
    • memberships and certifications
    • engagement in research

Home / Blogs / The Key Role of HSMs in Secure Permissioned Blockchains for Banking and Payment Services

The Key Role of HSMs in Secure Permissioned Blockchains for Banking and Payment Services

November 09, 2020

In many permissioned blockchain networks like Corda, notaries are dedicated nodes. Built as a decentralized service, they replace the role that miners play in other blockchains like the Bitcoin blockchain. Notaries are also in charge of validating and signing transactions.

In what follows, we will see how HSMs would play a vital role in such notary nodes.

Corda Notary Nodes

New call-to-action

A notary is an “abstract” service that offers canonical transaction ordering, transaction validation and timestamping. Corda has “modular” and “agile” notary services that can be validating or non-validating.

In Corda, the notary service can be run by the participants of the network themselves or by a third party, and eventually ‘real notaries’.

Notary Ordering Service

The ordering system is not a validation service. It consists of putting the transactions in a certain order inside blocks, where blocks will be validated (or not). Ordering consists of collecting transactions from clients and ordering them in blocks. An ordering system also checks the permissions of the users (read/write, etc.).

Consensus Algorithms Used by Notaries

Interesting enough, Corda allows notaries to choose among several consensus algorithms (algorithm agility). For example, they may choose to run RAFT, which is high-speed and high-trust or Byzantine Fault Tolerant (BFT), which is low-speed and low-trust.

Here is an example of some of the consensus algorithms that notaries may use.

name abbrev description
RAFT RAFT In RAFT, nodes are following an elected leader. A new leader can be elected at some intervals. RAFT is a voting-based algorithm.
Byzantine Fault Tolerant BFT BFT is a failure mode system aimed at solving problems where an unknown number of components can have defects (e.g., are malicious in the context of blockchains). With BFT, a minimum of 3n components are needed to make sure that n components do not prevent the system to work correctly. BFT is achieved in Corda by PKI.
Istanbul Byzantine Fault Tolerant IBFT IBFT works with BFT validating groups but there is a mechanism that allows adding/removing members from the BFT validators.
Simplified Byzantine Fault Tolerant SBFT SBFT is roughly a BFT algorithm optimized for decentralization
Redundant Byzantine Fault Tolerant RBFT Improved version of BFT
Crash Fault Tolerant CFT CFT bears similarities to BFT but handles faulty components (crashed components) rather than malicious components. It can work up to a level of faulty components of 50%.

There are more BFT-type algorithms though.

A notary service usually provides a unique consensus by attesting that for a specific transaction, this service has not signed a second transaction, consuming some of the candidate transaction’s states.

New call-to-actionNotaries and ZNP

Both validating and non-validating notaries sign a transaction. However, only the non-validating notary gets the outputs, time windows, and identity of the validating notary while the validating notary can read the code of the smart contract. Typically, a non-validating notary checks that there is no double-spend.

A validating notary will see the contents of transactions. This creates an issue in terms of data protection. A non-validating notary will not see the content but in return, this obviously creates a security risk as the notary could sign the wrong transaction.

In such a case, zero-knowledge-proof (ZNP) is used. Such a protocol allows a notary to validate some data without having direct knowledge of it.

Why Permissioned Blockchain Notaries Need HSMs

Here we explain how permissioned blockchain notaries can benefit from blockchains.

Notaries perform two distinct cryptographic operations involving PKI: they sign (P2P messaging) and they notarize (e.g., they sign transactions). For this, they need two distinct keys: the identity private keys and the distributed notary private keys.

The distributed notary key can be copied to all the notaries or it can be held into a single HSM. However, usually, in a typical architecture, all notaries use a dedicated HSM that will help protect the copy of the identity private key. The distributed notary key can still be accessed by all the notary workers from a unique, but highly available HSM.

Notary-based communication between two HSMs

A notary service can automatically perform thousands of validations per second. Therefore, the signing operation must be fast so as to not delay the validation.

Selecting Best HSM to Secure the Business Solution

New call-to-actionSince HSMs hold the identity and distributed notary keys, we can say that the security and protection of keys on HSMs are the backbones of the security architecture. The compromise of these keys may result in the overall compromise of the system, resulting in huge monetary and credibility loss that is the most important factor for banking systems. Hence, top management and system designers should be well aware of the importance of HSMs in their business architectures.

While the incorporation of HSMs is an important parameter, standards/certifications should also be kept in consideration. International certifications help banks gain the trust of users because a globally-certified HSM not only ensures enhanced security for cryptographic operations and throughput. It also provides regulatory/legal compliance.

FIPS 140-2 is the most common and globally-recognized HSM certification, providing maximum security & assurance level of an HSM.

FIPS 140-2 deals with the requirements for certification of HSM cryptographic modules that include both hardware and software components and issues a security compliance rating from one (1: lowest) to four (4: highest) to the HSM. At the minimum, a FIPS 140-2 Level 3 certified HSM should be used in the banking sector..

Summary

Notaries are an essential brick of permissioned blockchains like the ones built from the Corda framework. They need HSMs to hold their keys and to quickly sign transactions and P2P messages.

New call-to-action

References and Further Reading

  • Learn more about Utimaco’s HSMs for blockchains
  • More articles on permissioned blockchains (2018 – today), by Martin Rupp, Priyank Kumar, Ulrich Scholten, Asim Mehmood, Dawn M. Turner and more
  • More articles on eIDAS (2018 – today), by Gaurav Sharma, David McNeal and more
  • More articles on HSMs (2018 – today) by Terry Anton, Dawn M. Turner and more
Back to overview

Stay on top of our news
Don’t miss out on any Utimaco updates

Subscribe to Utimaco Newsletter

We will keep you posted with news from Utimaco and the industries we protect, as well as information on upcoming events and webinars.

Subscribe now

Partners

E-Sign S.A. ESYSCO Sp. z o.o. Envoy Data Corporation - Utimaco Hardware Security Modules Partner Versasec Perceptus-sp.-z-o.-o. SecureMetric Technology Sdn. Bhd. CREA plus d.o.o. Safesoft Kft. Utimaco HSM - InfoGuard Swiss Cyber Security VAR Group SpA - Utimaco Hardware Security Modules Partner Compumatica secure networks B.V. AKEA S.A. - Utimaco Hardware Security Modules Partner Real security d.o.o. MALKOM D.Malińska i Wspólnicy s.j. Baas Control s.r.o. Komar Consulting Inc. - Utimaco Hardware Security Modules Partner Macroseguridad intarsys AG Cryptomathic GmbH PrimeKey Labs GmbH Cryptomathic A/S IQuantics Corp MTG - Utimaco Hardware Security Modules Partner Nexus Technology GmbH Cogito Group Pty Ltd Fornetix - Utimaco Hardware Security Modules Partner Telegrupp AS Abrantix AG Utimaco HSM - PTESA_profesionales en transacciones electronicas Astel (UK) Ltd. - Utimaco Hardware Security Modules Partner EUROPEAN DYNAMICS SA. Ascertia - Utimaco Hardware Security Modules Partner Secure Source Distribution (M) Sdn Bhd - Utimaco Hardware Security Modules Partner Cyber Armor Pte Ltd Cryptomathic Inc. Thomas-Krenn.AG Altacom UAB Skytech Computing Solutions Limited. - Utimaco Hardware Security Modules Partner Clearkey Consulting - Utimaco Hardware Security Modules Partner Throughwave (Thailand) Co.,Ltd - Utimaco Hardware Security Modules Partner Primekey Solutions AB Fortiedge Pte Ltd. Nexus - Utimaco Hardware Security Modules Partner CEGA Security PETA (Thailand) Co., Ltd. CREAplus Italia S.r.l cv cryptovision GmbH Nexus - Utimaco Hardware Security Modules Partner Encryption Consulting LLC JJNet International Co., Limited - Utimaco Hardware Security Modules Partner CertiSur S.A. Synergy Computers (Pvt.) Ltd. - Utimaco Hardware Security Modules Partner Microexpert Limited PKI Solutions Inc. Softline Solutions GmbH Compumatica secure networks GmbH CewTec S.A. MIcrosec Utimaco HSM - QuintessenceLabs Rohde & Schwarz Cybersecurity GmbH
Find a partner

Share this page

EMEA

Utimaco IS GmbH
Germanusstraße 4
52080 Aachen
Germany
Phone: + 49 241 1696 200

Americas

Utimaco Inc.
900 E Hamilton Ave., Suite 400
Campbell, CA 95008
USA
Phone: +1 844 UTIMACO

APAC

Utimaco IS Pte Limited
80 Raffles Place,
#32-01, UOB Plaza
Singapore 048624
Phone: +65 6622 5347

Utimaco

  • support
  • corporate
  • careers
  • legal
  • terms & conditions
  • privacy
  • cookie-policy
© 2021
to top
  • home
  • solutions
    • industries
      • banking and financial services
        • acquirer
        • card scheme
        • issuer
        • hsm-as-a-service
      • government
        • federal government
      • cloud
        • cloud-based innovation
        • multi-cloud agility
      • connected car (V2V)
      • automotive solutions
      • road infrastructure (V2I), toll collection & ITS
      • industrial IoT & manufacturing
      • energy & utilities
      • lottery & gaming
      • media & entertainment
      • telecommunications
    • applications
      • authentication
      • blockchain
      • code signing
      • database encryption
      • document signing
      • key injection
      • post-quantum crypto agility
      • public key infrastructure (PKI)
        • EJBCA
      • random number generator (RNG)
    • compliance
      • certifications & approvals
        • Common Criteria (CC)
        • FIPS 140-2
      • compliance & standardization
        • FISMA, FedRAMP, and FICAM
        • Certificate Policy of the Smart Metering PKI
        • eIDAS
        • GDPR
        • PCI DSS
        • Privacy Shield
  • products
    • general purpose HSM
      • SecurityServer Se Gen2
      • SecurityServer CSe
      • Block-safe
      • CryptoServer CP5 (eIDAS & CC)
      • CryptoServer Cloud
      • TimestampServer
      • Q-safe
    • payment HSM
      • Atalla AT1000
      • PaymentServer Se Gen2
      • PaymentServer CSe
      • Secure Configuration Assistance (SCA)
      • QuickStart Services
      • u.cloud – Atalla PaymentHSMaaS
      • u.trust 360
    • key management
      • Enterprise Key Management
    • Software Development Kit (SDK)
      • CryptoServer SDK
      • CryptoScript SDK
    • HSM simulators
      • Block-safe HSM simulator
      • CryptoServer CP5 simulator (eIDAS & CC)
      • SecurityServer simulator
      • Q-safe HSM simulator
    • form factor
      • LAN appliance
      • PCIe card
      • cloud, “HSM as a Service”
    • KeyBRIDGE
      • KeyBRIDGE POI
      • KeyBRIDGE RKD
      • KeyBRIDGE eKMS
      • TokenBRIDGE™
    • u.trust Anchor
      • u.trust Anchor CSAR
      • u.trust Anchor High Performance HSM
  • services
    • consultancy
      • PQC consultancy
    • support
    • managed services
      • Key Exchange & Escrow Service (KEES™)
    • professional services
    • Utimaco Academy
  • blog
  • downloads
    • brochures
    • data sheets
    • case studies
    • white papers
    • webinars
    • e-books
      • PQC for Dummies e-book
      • HSM for Dummies e-book
    • Utimaco Portal
      • integration guides
      • knowledge base
  • partners
    • Partner Program
      • technology partner
    • Partner Locator
  • company
    • about Utimaco
      • legal
      • terms & conditions
      • privacy
        • cookie-policy
    • locations
    • news
      • newsletter
    • events
    • contact
    • careers
    • investors
    • utimaco management
    • business ethics
    • memberships and certifications
    • engagement in research