1 How It All Started: A Crypto Recap
With its 3845 (table-top devices) and 3846 (rack-mounted devices) series, IBM
focused entirely on deployment inside the mainframe. Racal’s application focus
was more on alternative deployment for multipurpose usage. Utimaco’s ’KryptoServer’
was an ISA(E) embedded card system that supported all the necessary requirements
of German banking technology. It was also one of the first commercially
available devices that came with active tamper-responding technology.
A good overview of the devices and their designs is available at
http://www.cryptomuseum.com/crypto/index.htm. You can
search by manufacturer or device model.
What was noticeable back then for such devices was the separate input unit, enabling
security administrators to enter key material. These devices were always
designed so as to satisfy the following requirements:
- Physical protection of the data storage areas in which cryptographic keys are
  kept. (Protection here means detection of unauthorised access.)
- Moving of program code relevant to security inside the HSM.
- Access control supported by means of a permissions-and-roles model.
Signed and Sealed with Standardization
Standards and generally applicable test procedures weren’t broadly available
when security modules first emerged, but the industry quickly recognized at a
national level that requirements for HSM technology security were necessary. It
was for this reason that, in the credit card services sector initially, security experts
defined appropriate requirement lists, and then later used them for device
approval.
Increased internationalization of monetary transactions gave rise to a need for
internationally recognized and harmonized standards and test methods. It was
the ’big’ credit card companies, Europay, Mastercard and Visa, that defined their
own test and approval methods. But since 1995 an internationally recognized
certification scheme has existed in the Federal Information Processing Standard
(FIPS). Then, in 2012, the ISO launched the first ISO standard (ISO/IEC
19790:2012 Information technology – Security techniques – Security requirements
for cryptographic modules), followed by test standard ISO/IEC
24759:2014 Information technology – Security techniques – Test requirements
for cryptographic modules. In addition to FIPS, the Common Criteria standard,
with its protection profile for crypto modules, and the Payment Card Industry
(PCI) certification are now available internationally.