The Role of HSMs in Public Key Infrastructure (PKI)

In today’s digital age, authenticating users and devices and securing the electronic transfer of information are imperative for industries such as financial services, e-commerce, health, and IoT, both to build trust when exchanging data and to secure the business environment.

Public key infrastructure (PKI) does this through a framework of cybersecurity and encryption that protects communications between users and website servers. The underlying hardware security modules (HSMs) are the root of trust that protects PKI from being breached, enabling the creation of keys throughout the PKI lifecycle and ensuring the scalability of the whole security architecture.

PKI authentication is based on digital certificates and uses encryption and decryption to verify machine and user identities and to prove the integrity of digital transactions. With the constant threat of cyber breaches, the ever-growing number of machines used to conduct those transactions must be assured that the information is protected from attacks and can be trusted. This is where the HSM becomes fundamental: it is the hardware device that secures all cryptographic processes by generating, managing and protecting the keys used for encrypting and decrypting sensitive data, which is critical for the information and security of most organizations.

3 Key Components of PKI Authentication

In securing and communicating electronic transactions and digital information, PKI authentication utilizes three key components: digital certificates, certificate authority, and registration authority. These components are hosted on a secure framework so that PKI can protect identities and private information involved in activities where digital security is needed, including encrypted documents, smart card logins, SSL signatures, etc.

1. Digital Certificates

Digital certificates are at the heart of PKI. They are a form of electronic identification that allows both parties of a transaction to be verified, thus allowing a secure connection between the two. It is possible for organizations to create their own certificates for internal communications. However, this is not secure enough for external digital transactions. Therefore, PKI digital certificates can be obtained through a Certification Authority (CA), which is a trusted third-party issuer.

2. Certificate Authority

The Certificate Authority authenticates users’ digital identities. These identities may range from an individual user to a computer system or server. The CA prevents fraudulent entities by managing the life cycle of the digital certificates in the system. The CA vets the applicants seeking certificates and issues certificates based on its findings.

3. Registration Authority

The Registration Authority (RA) is authorized by the CA to distribute digital certificates on a case-by-case basis to users. All certificates that are requested, received and revoked by both the CA and RA are stored in an encrypted certificate database. A certificate store, which resides on a specific computer, acts as a storage space for all information relevant to a certificate’s history, including private encryption keys and issued certificates.

PKI Performs Encryption

PKI performs encryption through the keys that it generates and uses two different cryptographic keys: a public key and a private key. These keys can be public or private, but they both encrypt and decrypt secure data. Using this two-key encryption system, PKI keeps electronic information secure as it travels between the two parties. Each party is provided with a key to encrypt and decrypt the data.

PKI combines symmetric and asymmetric encryption to protect data:

The symmetric encryption protects the private key generated during the digital handshake (initial exchange) and is passed from one party to the other to allow encryption and decryption of the exchanged information. The private key may be a password, or a random series of numbers or letters generated by a random number generator.

Asymmetric encryption is also known as public key cryptography. It uses two keys, one private and one public. The public key encrypts data while the private key decrypts it. The public key is created for the party sending information to allow them to encrypt the data they are sending. After the second party receives the information, the private key is used to decrypt the information.

How Does Public Key Infrastructure Work?

Asymmetric key methodology is at the core of how PKI functions. Only the owner of a digital certificate may access the private key and choose who receives the public key. The certificate provides the owner the means to give the public key to the users they want to have it. Both keys must work together.

The public key is generated through a digital certificate, which contains information that identifies the public key holder. PKI authentication through a digital certificate is considered the most secure way to protect confidential electronic data. Why? They are almost impossible to falsify because they involve numerous security processes, including registration, timestamping, validation, etc.
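The issuance and verification flow described above, as an added example that is not part of the original post: a demo CA signs a subscriber's request with the openssl command-line tool, and a certificate signed by a second CA that uses the same name but a different key fails verification. All names and file paths are constructed, and the CA key is kept in a file only so the demo runs anywhere.

```shell
#!/bin/sh
# Added example. All names (Demo Root CA, device01.example.test) are constructed.
# Requires the openssl command-line tool.

make_ca() {   # $1 = CA key file, $2 = CA certificate file
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root CA" -keyout "$1" -out "$2" 2>/dev/null
}

issue() {     # $1 = CA cert, $2 = CA key, $3 = CSR, $4 = certificate to write
    openssl x509 -req -in "$3" -CA "$1" -CAkey "$2" -CAcreateserial \
        -sha256 -days 7 -out "$4" 2>/dev/null
}

pki_demo_setup() {   # $1 = empty working directory
    # Trust anchor. The CA private key is a plain file here only so the demo
    # runs anywhere; in the design the article describes it stays in an HSM.
    make_ca "$1/ca.key" "$1/ca.crt" || return 1
    # The subscriber creates its own key pair and a signing request (CSR).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=device01.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    # The CA binds the subscriber's public key to its name by signing.
    issue "$1/ca.crt" "$1/ca.key" "$1/leaf.csr" "$1/leaf.crt" || return 1
    # A second CA with the same name but a different key signs the same CSR.
    make_ca "$1/lookalike-ca.key" "$1/lookalike-ca.crt" || return 1
    issue "$1/lookalike-ca.crt" "$1/lookalike-ca.key" \
        "$1/leaf.csr" "$1/lookalike-leaf.crt"
}

cert_trusted() {     # $1 = trusted CA certificate, $2 = certificate to check
    # Succeeds only if $2 carries a valid signature from the CA key in $1.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
if pki_demo_setup "$demo_dir"; then
    cert_trusted "$demo_dir/ca.crt" "$demo_dir/leaf.crt" && echo "leaf: trusted"
    cert_trusted "$demo_dir/ca.crt" "$demo_dir/lookalike-leaf.crt" ||
        echo "same-name CA, different key: rejected"
fi
rm -rf "$demo_dir"
```

Trust follows the CA's private key rather than its name, so anyone who obtains that key can issue certificates that verify.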

PKI Security Only a Piece of the Puzzle

A chain is only as strong as its weakest link. For PKI to protect sensitive digital information as intended, it relies on security and trust. Trust means all cryptographic operations must be conducted in a trusted environment that is safe from viruses, malware, exploits and unauthorized access. This is where the HSM comes in.

The hardware security module (HSM) is a trusted network computer where the cryptographic processes that PKI requires to remain secure are carried out, and it can be used virtually or in a cloud environment. HSMs are designed to protect cryptographic keys and are trusted because they:

  • Keep cryptographic material hidden and protected at all times.
  • Strengthen encryption practices across the key lifecycle – from key generation through to storage, distribution, back-up and finally, to destruction.
  • Provide an additional layer of security by storing the decryption keys separate from the encrypted data, ensuring that even if a data breach occurs, encrypted data is not exposed.
  • Are built with specialized, secure hardware, resistant to hacking attempts.
  • Have limited access through a strictly controlled network interface.
  • Run on a secure operating system.
  • Enable scalability and multi-tenancy of the security architecture when properly conceived.
  • Simplify industry compliance and auditability of the PKI through certified hardware and comfortable audit reporting.

As organizations look to introduce additional layers of security to protect their business’s data assets, we will continue to discuss the role of HSMs across various security applications in forthcoming articles, in order to reinforce organizations' stronger encryption practices.



Source: Blog post by Dawn Illing

