

key injection

Key injection is the starting point for securely managing a device over its product lifetime in the IoT.

Key injection gives every device an identity.

To make sure device identities can not be hacked, the keys need to be generated by an HSM.


Key injection: the first step in securing the Internet of Things

The number of connected devices in the Internet of Things (IoT) is growing exponentially. Both consumers and manufacturers are charmed by the new products and services that the exploitation of big data and the connection of devices can bring. At the same time, the risk of manipulation of these devices is growing. This is equally true whether the connected device is a health monitor, a smart meter or a connected car; only the consequences vary in potential severity. In any case, the authenticity, integrity and confidentiality of the device and its data need to be guaranteed. How so? By ensuring that each device has a truly unique electronic identity that can be trusted, managed and addressed. This is only possible if each device uses a semiconductor chip, wafer or electronic control unit (ECU) that has a unique identity, which is injected into the chip during its production process. This process, called key injection, is the basis for the secure management of a device over its product lifetime.


Every semiconductor needs to be given an identity during manufacturing. To ensure this identity cannot be hacked, it needs to be generated by an HSM.

Key injection is the starting point for securely managing a device over its product lifetime in the IoT

  1. Key injection: usually on the production floor (but also possible in a remote scenario), one or several digital certificates are injected into a device (ECU or semiconductor chip) to give it its unique identity.
  2. Secure initialization of the device’s identity via a PKI as it is introduced to the IoT. This enables secure device management, including:
  3. Secure authentication of users to devices and of devices to each other
  4. Secure software updates of devices over their lifetime
  5. Secure communication among devices
  6. Secure storage of data obtained and shared by devices in a database, using encryption and secure key storage in an HSM
  7. Secure decommissioning at the end of the device’s life cycle

Key injection is the starting point of securing an IoT device

What are the 3 main attack vectors to securing connected devices via key injection?

If key injection is the first step in securing the Internet of Things, it is essential that the integrity of the keys used is beyond question. Without the integrity of the cryptographic key material, the chain of trust cannot be established. But before looking at the role of Hardware Security Modules in key injection applications, let’s figure out what the three main attack vectors for key injection are:

  1. Compromised keys: Should a cryptographic key be compromised at any stage, the security of the entire infrastructure must be questioned.
  2. Cloned keys: The risk of a third party accessing and replicating key material, i.e. cloning a key, is one of the most dangerous threats for large infrastructures.
  3. Mismanaged keys: Key information needs to be securely managed throughout the life cycle of a device, starting directly at the manufacturing level.

Why Utimaco HSMs constitute the Root of Trust for the IoT

Taking these attack vectors into account, it is obvious that only tamper-proof HSMs, such as the SecurityServer by Utimaco with FIPS 140-2 physical security level 4, can establish a solid Root of Trust for key injection scenarios.

A Utimaco HSM provides:

  1. Secure key storage
  2. A secure crypto processing environment
  3. Built-in comprehensive key management

A Hardware Security Module (HSM) creates and secures cryptographic keys, and manages them for strong authentication. Unlike software solutions, Utimaco’s HSMs implement a Random Number Generator that complies with AIS 31 class DRG.4 for the generation of highest-quality key material. Software solutions, by contrast, store keys in main memory, offering attackers the ability to disassemble the software, exploit vulnerabilities and run attacks remotely.

Certified HSMs: The Root of Trust for key injection and managing embedded devices

The main challenge in both the production of embedded devices and their life cycle management is the loading of root cryptographic keys and the embedded code. For key injection, chip manufacturers and device manufacturers alike use certified cryptographic modules, just as point-of-sale (POS) terminal vendors do.

This certification ensures that keys are generated using the key generation function of a Hardware Security Module or an equivalent device. To ensure tamper resistance, Hardware Security Modules should have a True Random Number Generator (TRNG) certified according to AIS 31.

Integrated key management solution, typically based on the industry standards ISO 11568 or ANSI X9.17

Proper key management includes the generation of cryptographic key material, the injection of keys into connected devices (e.g. at the production line), introducing keys in the back-end database servers (symmetric secret key or asymmetric public key), and renewing keys for already deployed devices. In case of asymmetric cryptography, a public key infrastructure (PKI) will be established.
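The lifecycle steps listed above and the key-management tasks just described (generation in the HSM, injection at the production line, a back-end that knows how to reach each device key, renewal of deployed devices, decommissioning) can be traced end to end in a small model. The following is an added example written for this page; it is not Utimaco code, not a product API and not an ISO 11568 or ANSI X9.17 profile. It assumes a symmetric key hierarchy: a `RootOfTrust` class stands in for the HSM and derives each device key from a master key with HMAC-SHA256 (a KDF chosen for the illustration), the back-end stores only device state and re-derives keys on demand, and key renewal uses an XOR keystream bound to the generation number as a simplified stand-in for a standard key-wrap algorithm. The device identifier and the scenario in `demo()` are constructed.

```python
import hashlib
import hmac
import secrets


class RootOfTrust:
    """Stand-in for the HSM: the master key never leaves it. Device keys are
    derived with HMAC-SHA256; the KDF and labels are this example's choice."""

    def __init__(self) -> None:
        self.__master = secrets.token_bytes(32)  # generated inside the "HSM"

    def derive_device_key(self, device_id: str, generation: int) -> bytes:
        label = f"device-key|{device_id}|{generation}".encode()
        return hmac.new(self.__master, label, hashlib.sha256).digest()


def response_tag(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Challenge-response MAC over the back-end nonce and a monotonic counter."""
    return hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def wrap(old_key: bytes, new_key: bytes, generation: int) -> bytes:
    """Transport a renewed key under the previous one: XOR with a keystream that
    is bound to the generation number, so each keystream is used exactly once
    (simplified stand-in for a standard key-wrap; wrap and unwrap coincide)."""
    stream = hmac.new(old_key, b"wrap|" + generation.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(new_key, stream))


class Device:
    """An ECU or chip after injection: holds only its own key and counter."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id, self.key, self.counter = device_id, key, 0

    def respond(self, nonce: bytes):
        self.counter += 1
        return self.device_id, self.counter, response_tag(self.key, nonce, self.counter)

    def install_renewed_key(self, wrapped: bytes, generation: int) -> None:
        self.key = wrap(self.key, wrapped, generation)


class Backend:
    """Back-end key management: tracks device state, never stores device keys."""

    def __init__(self, hsm: RootOfTrust) -> None:
        self.hsm, self.registry = hsm, {}

    def inject(self, device_id: str) -> Device:  # step 1: on the production floor
        self.registry[device_id] = {"generation": 1, "counter": 0, "status": "active"}
        return Device(device_id, self.hsm.derive_device_key(device_id, 1))

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, nonce: bytes, device_id: str, counter: int, tag: bytes) -> bool:
        rec = self.registry.get(device_id)
        if rec is None or rec["status"] != "active":
            return False  # unknown or decommissioned device
        if counter <= rec["counter"]:
            return False  # replayed response, or a clone that has fallen behind
        key = self.hsm.derive_device_key(device_id, rec["generation"])
        if not hmac.compare_digest(response_tag(key, nonce, counter), tag):
            return False  # wrong key, e.g. one superseded by renewal
        rec["counter"] = counter
        return True

    def renew(self, device: Device) -> None:  # key renewal for a deployed device
        rec = self.registry[device.device_id]
        old = self.hsm.derive_device_key(device.device_id, rec["generation"])
        rec["generation"] += 1
        new = self.hsm.derive_device_key(device.device_id, rec["generation"])
        device.install_renewed_key(wrap(old, new, rec["generation"]), rec["generation"])

    def decommission(self, device_id: str) -> None:  # step 7: end of life
        self.registry[device_id]["status"] = "revoked"


def demo() -> dict:
    """Run the lifecycle on one constructed device and report each check."""
    backend = Backend(RootOfTrust())
    ecu = backend.inject("ECU-0001")             # constructed device id
    clone = Device(ecu.device_id, ecu.key)       # key copied at injection time

    def auth(dev: Device) -> bool:               # one full challenge-response round
        n = backend.challenge()
        return backend.verify(n, *dev.respond(n))

    out = {}
    nonce = backend.challenge()
    dev_id, ctr, tag = ecu.respond(nonce)
    out["auth_ok"] = backend.verify(nonce, dev_id, ctr, tag)
    out["replay_rejected"] = not backend.verify(nonce, dev_id, ctr, tag)
    out["clone_rejected"] = not auth(clone)      # the clone is one counter behind
    backend.renew(ecu)
    clone.counter = 100                          # a fresh counter no longer helps
    out["old_key_rejected"] = not auth(clone)
    out["renewed_device_ok"] = auth(ecu)
    backend.decommission(ecu.device_id)
    out["decommissioned_rejected"] = not auth(ecu)
    return out
```

Two design points carry over to real deployments. The back-end verifies against the nonce it issued, never one echoed by the device, and it never holds device keys at rest, which is what makes the HSM the single place where key material exists in the clear. The monotonic counter only exposes a cloned key once both copies are in use, so it complements rather than replaces tamper-resistant key storage on the device; for the certificate-based identities of step 1 the same registry logic would hang off a PKI instead of a derived symmetric key.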

Interested in reading more about

  • securing the IoT? Read our customer case study: Securing the smart grid – SilverSpringsNetwork
  • key management? Download our white paper about key management
  • HSM certifications? Here you will find more information about FIPS 140-2 and the CC certification


EMEA

Utimaco IS GmbH
Germanusstraße 4
52080 Aachen
Germany
Phone: + 49 241 1696 200

Americas

Utimaco Inc.
900 E Hamilton Ave., Suite 400
Campbell, CA 95008
USA
Phone: +1 844 UTIMACO

APAC

Utimaco IS Pte Limited
80 Raffles Place,
#32-01, UOB Plaza
Singapore 048624
Phone: +65 6622 5347

© 2021