A Hardware Security Module (HSM) holds the cryptographic key in a well-defined space within a physical hardware device and enforces that the key cannot be copied nor leave the device. Well known examples of widely use HSMs are smart cards used for credit cards and SIM cards. The Smart Card is designed such that it holds your key, and newer let’s go of your key, so it cannot be copied.
A Hardware Security Module contains at least:
- A secret or private key
- A cryptographic engine
- Protection against extraction of the key
As the HSM contains both the key and the cryptographic engine, the sensitive secret key never needs to leave the confinement of the HSM. Only the data that need to en- or decrypted passes in and out of the HSM.
As the secret key never leaves the HSM, it by design cannot be accessed remotely.
But what if the attacker gains physical access to the HSM?
Obviously, there is at least a theoretical possibility of extracting the secret key from the HSM. HSMs comes in different security grades from very basic to be used under the assuming that the HSM itself is protected from physical access to increasingly more advanced protection levels. FIPS 140-2 defines 4 classes:
Level 1: No specific physical security mechanisms
Level 2: Tamper-evident coatings or seals that must be broken
Level 3: Strong enclosures and tamper-detection/response circuitry
Level 4: Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected. Protection features designed to detect fluctuations outside of the module’s normal operating ranges for voltage and temperature.
Zybersafe TrafficCloak is designed as a Hardware Security Module complying to FIPS 140-2 Level 3. For additional security secret keys are generated within the HSM at the customer site after the devices is sealed at production. This, by design, eliminates any possibility that the keys are copied either during injection in the HSM or prior to the HSM being sealed off for full life circle protection of the secret keys.