A big part of my job is to advise customers on how to protect high-value secret keys such as root CA private keys, tokenization key encryption keys, etc. Solutions range from the relatively simple (a read-only, passphrase-protected private key file stored with minimal permissions) to storing keys on dedicated, purpose-built hardware devices. Purpose-built hardware devices used for secure key storage are known as hardware security modules (HSMs). An HSM can be thought of as both a secure key storage device and a hardware implementation of crypto algorithms. Unlike purpose-built encryption hardware such as SSL accelerators, an HSM is not a high-throughput, low-latency device designed to convert plaintext to ciphertext at high speeds. Rather, it is designed to limit the exposure of the key material stored within it. This is accomplished by performing operations that require access to the key material (such as digitally signing data) within the HSM itself. Where necessary, HSMs can also provide the keys to authorized devices or users. Applications that wish to use HSMs typically use a vendor-provided driver that integrates with various platforms (for example, Microsoft provides a Cryptographic Service Provider interface that can be used to integrate applications with HSMs).
In general, the design philosophy behind HSMs is that they should fail closed, meaning that if an attacker or unauthorized user repeatedly attempts to gain access to the HSM key material, the HSM will zeroize all stored keys. This design makes sense because if an attacker were to gain physical access to the HSM, it is preferable that the secret keys be destroyed rather than possibly exposed. However, since the HSM protects high-value keys, it is imperative that organizations that make use of HSMs have a robust key backup scheme in place, such as sharing the key across multiple HSMs that are physically separated.
HSMs typically have a strong role-based authentication mechanism built in that is designed to differentiate between key owners and HSM administrators. This separation of duties between key owners and administrators is crucial, as it prevents HSM administrators from gaining access to key material. Authentication can be provided via passphrases or, in some HSMs, via individual hardware keys that are physically presented to the HSM.
Since access to key material and to the HSM itself needs to be carefully audited and tracked, some HSMs implement the concept of witness keys. Witness keys are a separate set of keys distributed to other people (usually from different departments or organizations than the HSM administrators or key owners) that must be presented to the HSM before access is granted to the HSM and/or the key material stored within it. Witness key systems are also known as M-of-N systems, where ‘M’ witness keys out of a total of ‘N’ existing witness keys must be presented before access can be granted.
In summary, proper protection of high-value keys is an important responsibility that any security organization should take very seriously. HSMs can be a viable solution to help ensure that key material is stored in a safe, controlled fashion.