Organizations have been crucially reliant on the internet for their business workflows. Due to this enhanced exposure, organizations are facing new threats on a daily basis that dictates the incorporation of cryptographic services.
In the past, the malicious adversaries used to target the corporate sectors such as finance and banking, but today, every platform is targeted. Hence the protection of user data and information has been highlighted in every business sector. A vital element used to address some security issues is HSM. PCI SSC has mandated the inclusion of HSM as a part of PCI DSS compliance.
This article covers the physical security requirements for HSMs.
Hardware Security Module (HSM)
An HSM is a dedicated hardware/physical computing device that is responsible for secure key life cycle management along with providing performance-enhanced & accelerated crypto operations. Corporate organizations and banks have expanded their businesses around the world through e-commerce.
HSMs are widely deployed by enterprises for the protection of the client’s sensitive information and business transactions. HSM is the security component that acts as the backbone of the cryptographic infrastructure of the organization and protects the crypto keys at every phase from generation to destruction which also includes the physical security of cryptographic keys and sensitive data from unauthorized access and adversaries.
The tasks performed by HSM can be categorized as:
- Hardware-based secure key generation & management (storage, distribution, backup, and destruction)
- Protection (Physical & Logical) of sensitive data and cryptographic key material
- Accelerated Crypto (Symmetric/Asymmetric/Hash) Operations
PCI SSC & PCI DSS
PCI SSC (Payment Card Industry Security Standards Council) is a governing body established in September 2006 as a joint venture by MasterCard, American Express, Visa, JCB International and Discover Financial Services. It holds the mandate of managing the development in PCI and alignment of the company’s policies to PCI DSS (Payment Card Industry Data Security Standard).
PCI DSS is an information security standard to prevent credit card scams and numerous additional security threats & vulnerabilities. Credit/Debit card provider companies/corporations such as MasterCard and Visa etc. implement the mechanism and security controls specified and suggested in the PCI DSS. The entities that store, process and transmit the card information also implement PCI DSS. The importance of HSM can be explained from the fact that HSM has been defined as a role and mandatory component for PCI DSS compliance.
Physical Security Requirements for HSMs
PCI SSC mandates the following physical security requirements for HSMs:
a. Tamper Detection and Erasure
Since HSMs hold the cryptographic keys and sensitive data and the main aim is to restrict it from falling in wrong hands. The HSM must implement security mechanisms (tamper switches, zeroization circuitries and firmware) which should readily/automatically erase and zeroize all clear-text secret information in a way that it is impossible to recover.
b. Multiple Security Mechanisms for One Threat
One important factor that HSM design considerations must accord is that the failure of a standalone security mechanism doesn’t compromise the security of the whole HSM. There must be at least two security mechanisms for protection against a particular threat.
c. Physical Tamper Evidence
The HSM must include controls for visible tamper detection which can prove the physical penetration of the device. Specially designed tamper stickers that are impossible or very hard to reproduce are placed on the HSM’s opening screws and accessories. This protective measure is not only used to deter the attacker but also to prevent HSM users or other staff from intentionally or accidentally opening the device. The air intakes/vents must also be designed in a way that it is impossible to probe the HSM from the outside.
d. EMI/EMC Secure
HSM design must assure that it is Electromagnetic interference (EMI) and Electromagnetic Compatibility (EMC) secure. There should be no practical way to deduce any sort of sensitive information based on power consumption & electromagnetic emissions.
e. Impossible to Replicate / Fabricate
The HSM design must guard against substitution and cloning attacks. Cloning of HSM deals with the successful extraction of the HSM key and backup partition from a compromised/stolen HSM and replicating it into a full-fledged separate HSM. There should be no practical way to duplicate or refabricate it from the accessories and components that are available commercially.
f. Separation of Cryptographic Boundary
HSM design consideration should follow the strict implementation segregation between the normal HSM device boundaries and the cryptographic boundaries. The reason for this is to ensure that there is no chance that the core crypto module holding the CSP (Critically Secure Parameters) is exposed during the maintenance or service of HSM. The sensitive information must only be dealt with in the protected areas of HSM such that these are not prone to accidental or intentional modification or substitution.
g. Detailed Security Policy for HSM Management
HSM vendor must provide a detailed security policy which addresses the proper use of the HSM, key management mechanisms, administrative functionalities, and environmental requirements. The security policy must include all the roles supported by the HSM and illustrate the permissions of each designated role. All the approved functions & operations performed by the HSM must be documented in the security policy and the HSM should not include any hidden feature/functionality.
h. Resistant to Environmental Conditions
The security of HSM must be resistant to the changes in operational and environmental conditions which include but not limited to heat/temperate, humidity and operating voltage.
HSM is a vital security component used for the protection of business transactions and user information. Since the PCI SSC has mandated the inclusion of HSM as a mandatory feature for PCI DSS compliance, so the physical security requirements of HSM have also gained importance.
This article summarized and highlighted the core physical security requirements of HSM as per the directions of PCI SSC & PCI DSS.
References and Further Reading
- Read more articles on PCI HSM Security Requirements (2018 - today) by Asim Mehmood, Martin Schmidt, Utimaco and more
- PIN Transaction Security (PTS) Hardware Security Module (HSM) -
Summary of Requirements Changes from Version 2.0 to 3.0 (2016), by the Payment Card Industry (PCI)
- Payment Card Industry (PCI) Hardware Security Module (HSM) Security Requirements, Version 1.0 (April 2009), by the Payment Card Industry (PCI)
Blog post by Dr. Ulrich Scholten