What is an HSM

A Hardware Security Module (or Host Security Module) is a hardware device that generates keys,
offering a more secure key generation technique than software-based
generation. HSMs provide secure management of private keys in that the keys
never leave the module unencrypted. An HSM is a physically secure, tamper-resistant
security server that provides cryptographic functions
to secure transactions in retail financial applications including PIN
encryption and verification, debit card validation, stored value card issuing
and processing, chip card issuing and processing, message authentication and
symmetric key management. An HSM may
support public key cryptographic operations including digital signatures,
certificates, and asymmetric key management. Acting as a peripheral to a host
computer, the HSM may provide the cryptographic facilities needed to
implement the wide range of data security tasks including those required in
the following environments: Automatic Teller Machine (ATM) systems,
Electronic Funds Transfer at Point-of-Sale (EFT/POS) systems, Electronic
trading and matching systems for bonds and securities, Financial Electronic
Data Interchange (EDI) systems, Key management and Internet Commerce.

The most widely used worldwide are Racal (now Thales) HSMs, Atalla (now HP/Compaq)
Network Security Processors and Eracom ESMs. These product families provide
essentially the same underlying security functionality but they vary
significantly in supporting different client operating environments,
throughput and connectivity requirements and interfaces to third-party
software solutions. These products are extremely reliable, cost-effective
solutions for providing host/server-based cryptographic processing whether
DES, Triple-DES or PKI.

Below are the leading HSMs worldwide:

· Racal (now Thales e-Security)
· Eracom
· Excrypt (from Futurex)

The Racal (now Thales) Host Security Modules

The Racal (now Thales e-Security) Host Security Module
(HSM) is a physically secure, tamper-resistant security server that provides
cryptographic functions to secure transactions in retail financial
applications including PIN encryption and verification, debit card
validation, stored value card issuing and processing, chip card issuing and
processing, message authentication and symmetric key management. With the
optional DSP-RSA Module, the HSM can also support public key cryptographic
operations including digital signatures, certificates, and asymmetric key
management. Acting as a peripheral to a host computer, the HSM provides the
cryptographic facilities needed to implement the wide range of data security
tasks including those required in the following environments: Automatic
Teller Machine (ATM) systems, Electronic Funds Transfer at Point-of-Sale
(EFT/POS) systems, Electronic trading and matching systems for bonds and
securities, Financial Electronic Data Interchange (EDI) systems, Key
management and Internet Commerce.

Key features:

· Supports ATM, EFTPOS, and Chip Card Applications
· Visa/MasterCard/American Express PIN and Card Verification Functions
· Tamper Resistant Design
· DES, Triple DES (using two or three keys), RSA
· VISA CASH Loading Support
· Supports ANSI, ISO, and Australian Security Standards

Applications

· ATM Interchange
The HSM is designed for the ATM interchange environment and is
in use in many of the world's major ATM interchange networks. The HSM can be
customized to suit individual networks and, if needed, the particular
requirements of each member of the network. The wide and growing variety of host
interfaces in the HSM means that the needs of each member's system can be
readily accommodated. In particular, the AMEX, VISA and MasterCard commands
are an integral part of all standard firmware releases.

· EFTPOS
The HSM supports a number of EFTPOS (Electronic Funds Transfer at Point of Sale) systems in use around the world. Many of the key management concepts required to secure EFTPOS, such as the Thales Transaction Key method, were pioneered by Racal and implemented in the HSM. The Derived Unique Key Per Transaction and Australian Transaction Key schemes are also available.

· Card Production Facility
The HSM is suitable for use within the client card production area. It can provide a secure means of generating cryptographic card values such as VISA's CVV (Card Verification Value), MasterCard's CVC (Card Verification Code) and American Express CSC (Card Security Code) as well as securely generating PINs and PIN mailers.

· Visa Cash Card Reloading
The HSM supports the VISA Cash card reload process, enabling card holders to securely reload value to their cards from an ATM or card reload terminal. The HSM provides the cryptographic processing at the host to support the ATM or reload terminal. The VISA Cash loading functions support the latest VISA specifications (ALGL = 4).

· Data Integrity
The integrity of information transmitted around and stored within systems is of paramount importance to its users. The integrity of information generated at remote terminals can be secured, using message authentication codes (MACs), by Thales PC Security Modules and Smart Card terminals for subsequent verification by an HSM. A number of applications such as Cash Management and Bond Reconciliation can be secured in this way.

· Chip Card Support
The HSM supports Credit/Debit and Electronic Purse chip card
applications from Visa, MasterCard and Europay. The transaction processing
functions are available as standard card issuing functions on request. For
more information contact your local representative.

HSM FEATURES

Standard and High Speed Variants

As the banking and financial industries continue to move toward
PIN-based and Smart Card security systems, the demand for higher transaction
speeds has never been greater. In its high speed variant, the HSM can process
transactions substantially faster than the standard HSM, significantly
reducing transaction processing time and lowering the cost per transaction.
Furthermore, the high speed HSM's larger I/O buffers enable the processing of
long cryptographic messages without requiring multiple chained calls.

Flexible Key Management System

In practice, the security offered by any application is only as
good as the key management system designed for it. The HSM supports a variety
of key management schemes, including Master/Session Key, Racal Transaction
Key, Australian Transaction Key, DUKPT, and Public Key.

RSA Public Key Support (Optional)

The HSM offers a high-speed Public Key subsystem. RSA Public Key
cryptography is used for two primary functions: 1) to generate and
verify digital signatures and 2) to distribute DES
keys encrypted under an RSA Public Key. The HSM can handle RSA key lengths
from 320 to 2048 bits. This feature allows the HSM to be used in systems
where different key lengths are used for different functions, such as digital
signatures and key management. In addition, it protects an organisation's
technology investment, as the industry is expected to increase key length
requirements to keep ahead of increased threats.

Tamper Resistance

The HSM is designed to comply with FIPS 140-1 level 3 'physical
security' requirements. This results in a state-of-the-art design which
protects against the following attacks: Internal inspection, probing,
movement and abnormal fluctuations in temperature and voltage.

Secure Key Storage and Generation

Once the Local Master Key (LMK) has been formed within the HSM,
all other keys are stored encrypted under this key on the host and optionally
within the HSM itself. The HSM uses Smart Card technology to store the key
components of the LMK. The random number generator design meets the
requirements of the FIPS 140-1 verification procedure.

Extensive Host Software Support

The HSM can connect to many different hosts including: Amdahl®,
Bull®, IBM, ICL, DEC, HP®, NCR®, Stratus®, Tandem®, Unisys® and PCs.

Security Resource Managers

The Security Resource Managers (SRMs) are optional software
products for IBM MVS, Tandem Guardian, and UNIX® systems. The SRMs allow
multiple applications to use a single Application Programming Interface (API)
to access the cryptographic resource provided by a set of HSMs. The SRM
allows different HSM models to be used transparently to customer
applications.

· IBM version - operates under OS/390 and provides support for
CICS, IMS, and Batch Applications. Support is also provided for assembly
language programs as well as high level languages such as COBOL and PL/1.

· Tandem version - operates under the Guardian operating system as
a Pathway application and accepts requests either via an application
interface module or a server interface. It can also provide applications with
a key database that can be managed either by the application or by a supplied
key management user interface.

· UNIX version - operates under various flavours of UNIX. It
operates as a server to client applications running on the same machine as
the SRM or from any machine on the network. The API supports applications
written in C or C++.

Atalla Network Security Processors (NSPs)

Atalla (now owned by HP/Compaq) Network
Security Processors (NSPs) are a fundamental building block of many payment
security solutions. They are the core of the Atalla end-to-end security
architecture for multi-vendor enterprise networks. Atalla Network Security
Processors provide cost-effective, hardware-based message authentication and
transaction protection for networks carrying sensitive data. Traditionally,
NSPs have been used in ATM and EFT/POS networks. They are also being used
extensively in protecting Internet-based transactions.

Atalla A10000E NSP

The Atalla A10000E network security processor (NSP) from Compaq
sets a new performance standard for ATM/EFT/POS network security processors
with point-to-point Ethernet TCP/IP host connections. The Atalla A10000E NSP
uses the industry-standard DES to protect financial transactions in
applications such as ATM, POS, EFT, stored value, loyalty card, corporate
fund transfer, and other value-based transactions over private networks.

Atalla A10100 Network Security Processor

The Atalla A10100 is a new-generation, high-performance network
security processor (NSP) providing unrivaled protection for Triple DES and
other cryptographic keys when safeguarding value-based transactions.

Atalla A8000 NSP

The new Atalla™ A8000 network security processor (NSP) from
Compaq is a next-generation NSP built especially for financial institutions’
transaction processors with asynchronous or bisynchronous connectivity
requirements.

Atalla A8100 Network Security Processor

The Atalla A8100 NSP is a new-generation network security
processor (NSP) bringing unrivaled protection for cryptographic keys and the
unique value of point-to-point Ethernet TCP/IP host connectivity to
entry-level processing environments.

Atalla A9000 NSP

The new Atalla™ A9000 Network Security Processor (NSP) from
Compaq is a next-generation NSP for ATM/EFT/POS network security processors
with point-to-point Ethernet TCP/IP host connections. The Atalla A9000 NSP
provides mid-range performance at a very attractive price. It uses the
industry-standard DES to protect financial transactions in applications such
as ATM, POS, EFT, stored value, loyalty card, corporate fund transfer, and
other value-based transactions over private networks.

Atalla A9100 Network Security Processor

The Atalla A9100 network security processor (NSP) is a
new-generation network security processor optimized for mid-level transaction
environments and providing unrivaled protection for Triple DES and other
cryptographic keys when safeguarding value-based transactions.

Eracom

Eracom, which specialises in providing IT security solutions, has manufactured and supplied cryptographic hardware and software products for more than 20 years. They support a broad range of Blue Chip customers from a network of offices around the world and have long-established business relationships with international customers including banks, and other finance services companies.

Protecthost white (ESM 2000)

Widely deployed by financial institutions around the world, the protecthost
white is used for high-speed cryptographic processing and secure key
management. The protecthost white builds on the reputation of
its predecessor model to deliver heightened levels of functionality and
performance that meet changing technologies and interoperability standards.

The purpose of the protecthost white is to provide
physical and logical protection to cryptographic keys and processing while
isolating these functions from host systems to prevent unauthorized access to
highly sensitive key information. Supporting ISO, ANSI, and Australian
Standards, the enhanced performance features of the protecthost white
include three levels of performance, processing up to 500 functions per
second, over TCP/IP (Ethernet or Token Ring), Ethernet, asynchronous, or IBM
channel communications. Typical applications of the protecthost white include
securing ATM, EFTPOS, e-cash, wagering, mobile banking, bank clearing, and
other financial transaction systems. The protecthost white also has VISANET,
MasterCard, and American Express functionality for transaction validations,
PIN verifications, and cryptographic key management functions. Capabilities of the protecthost white include DES
and RSA cryptographic processing, digital signature generation, verification,
and storage, secure key loading, and PIN mailer generation.

Features:

protecthost white is designed for supporting
industrial-strength security and high-speed processing for financial
networks. protecthost white includes standard functions
for ATM and EFTPOS such as Key Management, PIN management, Message
Authentication and offers Visa, MasterCard, and American Express
functionality. Together with high-performance DES and RSA hardware, protecthost white offers VISA, MasterCard and American Express functionality:

· protecthost white supports SmartCard Keyload, EMV
· protecthost white is backward compatible with ESM Series 90

Protectserver blue (CSA 7000)

Designed for integration into secure eCommerce applications, protectserver
blue performs high-speed cryptographic processing within secure
tamper-resistant hardware. When installed on a server or client, protectserver
blue performs on-board cryptographic (DES and RSA) processing in parallel with the
host’s central microprocessor. Connected by a standard PCI bus, the
architecture of protectserver blue minimizes performance degradation of the
host CPU. To guard against the cryptographic keys being compromised, protectserver
blue also arbitrates host access to stored keys and cryptographic
functions via a secure access policy implemented in firmware on the adaptor.

Features of Protectserver blue

• Dedicated Cryptographic Processor
• Designed for bulk encryption processing
• Compliant with PKCS#11 (Cryptoki) and Java cryptographic security standards
• Secure real time clock, true random number generator and on-board Microprocessor
• Improved Security through hardware implementation
• Off-loads central CPU Processing
• Tamper Resistant
• Logically and Physically Secure Cryptographic Key storage
• PCI flexibility – multi platform support
• Supports popular e-commerce crypto algorithms
• Digital Signature management
• Up to 20 Megabyte per second DES throughput

Excrypt Host Security Modules

Excrypt products from
Futurex provide a proven security solution for the most demanding financial
transaction security requirements. All models have certified compliance with
ANSI, FIPS, and VISA network security standards. The Tamper Resistant crypto boundary provides secure storage for
keys, certificates, and account PINs. A powerful and straightforward command
set provides a flexible development environment, and Best-in-Class
performance.

SSP 6000

Full featured stand alone TRSM with IP and asynchronous
connections. Flexible, fast, and easy to use. Economical enough for small and
growing networks. Powerful enough for demanding applications.

PCE 5500

Full Excrypt command support in a standard bus card, updated
with a PCI interface, for developers and integrators that have their own
system and software.

RMC 6000

The flagship! Complete flexibility in connectivity, scalable
performance, unmatched ease of use and administrative reporting capability.
TCP/IP connections are built in.

SSP 500

A stand alone System Security Processor (SSP), with complete PIN
security for financial transactions.

PCE 5000

Full Excrypt command support in a standard bus card in a classic
ISA format, for developers and integrators that have their own system and
software.

RMC 5000

The classic! Proven performance and value. Fully switch and host
certified for all major networks. Async and Bisync capable. And it’s easy to
expand.

Secure Key Mailer

Excrypt Key Mailer provides an easy and fast way to generate key
mailers.

Updated on August 9, 2002
© Copyright 2002 Allan Low. All rights reserved. Reproduction of
this Web Site, in whole or in part, in any form or medium without express
written permission from the author is prohibited.