Close this search box.

Cryptographic Key Management: Learn How to Protect Yourself


Hardware Security Module (HSM) basically consists of a physical device that provides extra security for sensitive data. This type of device is used to take care of cryptographic key management for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.

Companies can use an HSM to protect trade secrets with significant value. This ensures that only authorized individuals can access the device and use the key stored on it.

Responsible for performing cryptographic operations and Cryptographic Key Management

HSM solutions are designed to meet stringent government and regulatory standards and often have strong access controls and role-based privilege models.

Designed specifically for fast cryptographic operations and resistant to logical and physical tampering, adopting an HSM is the most secure way to perform cryptographic key management. However, its use is not so practical and requires additional software.

The use of HSM should be standard practice for any highly regulated organization, thus preventing these companies from losing business from customers such as the government, financial and healthcare systems, which require strong protection controls for all data considered sensitive in their operations.

It is also important for companies that adopt, as part of their strategies, the care not to take risks due to lack of necessary protection, these being able to tarnish the image of the organization.

Best practices and uses of the HSM

The use of HSMs can provide improved cryptographic throughput and result in a more secure and efficient architecture for your business.

HSM becomes a vital component in a security architecture, which not only minimizes business risks but also achieves top performance in cryptographic operations.

Some of the best practices and use cases for HSMs used by leading security practitioners are as follows:

Storage of certificate authority keys

The security of certificate authority (CA) keys is most critical in a Public Key Infrastructure (PKI). If a CA key is compromised, the security of the entire infrastructure is at risk.

CA keys are primarily stored in dedicated HSMs to provide protection against tampering and disclosure against unauthorized entities. This can be done even for internal CAs.

Storage and management of application keys

Cryptography, considered essential in many businesses, is also helped by the powerful performance of HSMs, doing an incredible job of minimizing performance impact of using asymmetric cryptography (public key cryptography) as they are optimized for the encryption algorithms.

A prime example of this is database encryption, where high latency per transaction cannot be tolerated. But don’t forget to encrypt only what is necessary, so your solution won’t spend time on non-sensitive information.

Encryption operations

Encryption operations are sometimes time consuming and can slow down applications. HSMs have dedicated and powerful cryptographic processors that can simultaneously perform thousands of cryptographic operations.

They can be effectively used by offloading cryptographic operations from application servers.

Full audit trails, logging and user authorization

HSMs should keep the record of cryptographic operations such as key management, encryption, decryption, digital signature and hashing according to the date and time the operation was performed. The process of recording events involves the authenticity and protection of the time source.

Modification of the date and time settings interface requires strong authentication by a smart card or at least two people to sanction or authorize this task.

Destruction of keys in case of attacks

HSMs follow strict safety requirements. The most important content for an HSM is the keys. In the event of a physical or logical attack, they reset or erase all your keys so they don’t fall into the wrong hands.

The HSM should “reset” itself, deleting all sensitive data if it detects any undue tampering. This prevents an attacker who has gained access to the device from gaining access to the protected keys.

The full lifecycle of keys

NIST, the National Institute of Standards and Technology, a non-regulatory agency of the US Department of Commerce, defines the encryption key lifecycle as 4 main stages of operation: pre-operational, operational, post-operational and deletion, and requires that, among other things, an operational encryption period be defined for each key. For more details, click here and see from page 84 to page 110.

Therefore, a cryptographic period is the “time interval during which a specific key is authorized for use”.

In addition, the cryptographic period is determined by combining the estimated time during which encryption will be applied to the data, including the period of use and the period in which it will be decrypted for use.

Long-term encryption

But after all, since an organization may reasonably want to encrypt and decrypt the same data for years on end, other factors may come into play when considering the cryptographic period:

You can for example limit it to:

  • Amount of information protected by a given key;
  • Amount of exposure if a single key is compromised;
  • Time available for physical, procedural and logical access attempts;
  • Period within which information may be compromised by inadvertent disclosure.

This can be boiled down to a few key questions:

  • For how long will the data be used?
  • How is the data being used?
  • How much data is there?
  • What is the sensitivity of the data?
  • How much damage will be caused if data is exposed or keys lost?

So the general rule is: as the sensitivity of the protected data increases, the lifetime of an encryption key decreases.

Given this, we see that your encryption key may have a shorter active life than an authorized user’s access to the data. This means that you will need to archive deactivated keys and use them only for decryption.

Once the data has been decrypted by the old key, it will be encrypted by the new key and over time the old key will no longer be used to encrypt/decrypt data and can be deleted.

Life cycle management of cryptographic keys using HSM

It has often been said that the most difficult part of cryptography is key management. This is because the discipline of cryptography is a mature science where most of the major issues have been addressed.

On the other hand, key management is considered recent, subject to individual design and preference rather than objective facts.

An excellent example of this is the extremely diverse approaches HSM manufacturers have taken to implementing their key management, which eventually led to the development of another product line, Ciphertrust. It has several features of HSMs and others that are unique, such as anonymization and authorization for example.

However, there have been many cases where HSM manufacturers have allowed some insecure practices to go unnoticed, resulting in vulnerabilities that have compromised the lifecycle of cryptographic keys.

Therefore, when looking for an HSM to manage full lifecycle, secure and general purpose, it is essential to inspect those that have excellent customer references, long deployment life and quality certifications.

HSM in a nutshell

To summarize, an HSM is typically a server with different levels of security protection or simply “protection” that prevents breaches or loss. We can summarize it like this:

  • Tamper-evident: addition of tamper-evident coatings or seals on bolts or latches on all removable lids or doors.
  • Tamper resistant: adding “tamper detection/response circuitry” that erases all sensitive data.
  • Tamper proof: complete module hardening with tamper evident/resistant screws and locks, together with the highest sensitivity “tamper detection/response circuit” that erases all sensitive data

With many organizations moving some or all of their operations to the cloud, the need to move their security to this architecture has also emerged.

The good news is that many of the leading HSM manufacturers have developed solutions to install traditional HSMs in cloud environments.

Therefore, the same levels of “protection” will apply as we have a traditional HSM in a cloud environment.

Learn more about the use of HSM in cryptographic key management in our blog and find out how to apply encryption technology effectively in your business by contacting Eval’s experts.

We are available to answer your questions and help you define the best ways to protect your organization against data leakage and theft.

About Eval

A Eval está há mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria. Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presentes nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias. 

Com valor reconhecido pelo mercado, as soluções e serviços da Eval atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a Lei Geral de Proteção de Dados (LGPD). Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos. 

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível. 

Eval, segurança é valor. 


Sobre o(s) autor(es):


Outras postagens