The Role of Encryption and HSMs in Creating Trust

Peter DiToro, VP of Customer Services, Thales e Security, Peter DiToro Vice President Advanced Solutions, Thales e-Security. He is Responsible for the Advanced Solutions Group at Thales e-Security, Peter and ...  More >>

Humans have been encrypting secrets for as long as there have been secrets to protect. That’s because for as long as there have been humans, some of them have wanted access to information that doesn’t belong to them. In the digital age, this translates into data— and it’s getting increasingly harder to keep it safe. That’s why hardware security modules (HSMs) were invented.

The HSM has become the de facto standard for securing the foundation of any modern crypto system. HSMs are specialized devices used to protect cryptographic keys both at rest and in use. Today’s digital HSM provides a secure platform for managing cryptographic keys and their use over the life cycle of both cryptographic material and associated data. However, a breach of cryptographic keys destroys the integrity of any crypto system, no matter how elegant its implementation.

The number of “things” connected to the Internet will reach 6.4 billion in 2016, according to Gartner Group, an internet consultancy. Each of these “things” can assume an identity, secure a communications channel, gather data on its environment and share that data widely. Clever cryptography will form the basis for establishing IoT identities and protecting the resulting flood of data. HSMs provide the highest level of trust and protection available when it comes to establishing and protecting the cryptographic infrastructure on which trust in a fully functional IoT depends.

  Today's digital HSM provides a secure platform for managing cryptographic keys and their use over the life cycle of both cryptographic material and associated data 

There are a couple of issues with HSMs, however. First, they are expensive. Second, the world of crypto is not well understood within the broader IT community. As cryptographic applications have surged into the mainstream, it can be tempting to cut corners, to deploy sensitive cryptographic operations without sufficient protection. Until the recent explosion in crypto deployments and the corresponding surge in highly public breaches, few thought about securing the foundational aspects of key generation, key management and protection of core crypto applications. Things just had to work to pass first-level scrutiny.

That was before the IoT came along. A smartphone, for instance, has to have an identity. It stores encryption keys and digital certificates. It can easily become a proxy for its owner’s identity in transacting over the internet. Suddenly, we find ourselves transacting with countless things on the internet. Nowadays, HSMs, the means by which trustworthy digital identities are secured, have become more pertinent. The risk of brand damage caused by exploitation of a weak crypto system dwarfs the cost and hassle of HSM deployment. Shortcuts no longer make sense, even in the stingiest applications environments.

Devices and sensors bound for the IoT must have identities, most likely based on digital certificates issued by a Public Key Infrastructure (PKI). When an autonomous entity on the Internet presents its credential and asserts an identity and associated trust level, you want to be able to rely on it. This means that the cryptographic materials that underpin that identity cannot be forged or stolen. You want to trust that you are transacting with the intended entity and not some fraudulent man in the middle.

Digital certificates and keys are being generated by thousands of device manufacturers today. All of these devices need to identify themselves. We assume, often wistfully, that the cryptographic infrastructure that underpins the integrity of these identity assertions is solid. Suddenly, the idea that one’s keys and PKI could get compromised and millions of devices could be put in jeopardy hits home. The scope of the business problem rises from an interesting niche problem set to one with existential implications for modern eCommerce.

Need Proof?

An example of just how real this threat is comes from the Heartbleed bug, a serious vulnerability in the popular OpenSSL cryptographic software library. Heartbleed acts like a guided missile looking for SSL keys. Once a hacker exfiltrates a copy of those keys, he or she can act as a man in the middle. But Heartbleed is a memory scraper; it works only if the organization is doing its crypto on the server, in which case the keys are in plain text in memory. However, if the organization is securing its SSL keys within an HSM, Heartbleed can’t see them.

Another example comes from Stuxnet, whose creators stole code-signing certificates and their associated private keys from two Taiwanese component manufacturers. This enabled the Worm to replicate itself across servers, quietly installing copies of itself using stolen code signing keys to mask its origin. If those code-signing keys had been maintained and used within an HSM, Stuxnet would have happened to someone else.

Best Practices

Cryptography depends on the integrity of its key management systems and practices. For example, if the root key of a PKI is compromised, the entire system collapses. To avoid this and other disasters, follow these simple best practices:

■ Determine what data is important and where it is: In order to encrypt your data effectively, you have to know where it is. Start with the process of data categorization.
■ If it’s critical, encrypt it: It’s too dangerous to leave data in the clear during any phase of its lifecycle.
■ Deploy an HSM: Get the hard­ened, secure root of trust needed to enable a higher degree of secu­rity when deploying crypto.
■ Choose hard over soft: Rec­ognize that keys should only be used within the parameters of an HSM.
■ Make the knowledge invest­ments needed: Crypto is a tool; using that tool wisely implies understanding how it works. Invest in your people and in the basics building blocks of cryptographic technology.

The online landscape has changed so dramatically in the last few years that organizations cannot afford to NOT use HSMs—there’s just too much to lose. These modules increase the likelihood of securely deploying cryptography, which is especially important for organizations dealing with a high volume of keys.