At last, Secure HSMs in the Cloud

Sam Ross-Gower
October 14, 2021

Exciting new research from Cryptosense Chief Scientist Riccardo Focardi provides a simple and proven method to remove the risk of API-level attacks and enable widespread adoption of cloud HSMs. 

PKCS#11 Woes

Hardware Security Modules (HSMs) are special-purpose computers for storing cryptographic keys and carrying out operations like encryption and digital signature. They are heavily used in regulated industries such as financial services, as well as for specific functions like Certificate Authorities in more general settings.

“The most important feature of an HSM is its ability to store sensitive credentials and cryptographic keys inside tamper-resistant hardware,” says Riccardo. “This means that every operation is done internally through a suitable API and sensitive data are never exposed outside the device.”

In recent years the widespread adoption of cloud computing has led to a demand for a cloud based HSM operated by the cloud service provider, but this comes with an increased risk since the cloud HSM has to be accessed externally using an API. While there are many advantages to using cloud HSMs - they’re cheaper to operate than traditional on-premise HSMs and the CSP takes on the burden of maintaining them - security concerns over the potential for API-level attacks have curbed the initial enthusiasm for them.

Over the last few decades a multitude of practical API-level attacks have been found and proved feasible in real devices. Notable examples include Ledger hacking an HSM in 2019, and the diverse key-wrapping attacks described in our PKCS#11 white paper. Unfortunately, the latest version of PKCS#11, the most popular standard API for HSMs, does not offer any remediations for these vulnerabilities. 

In the world of physical on-premise HSMs, a typical way to fix these issues was to disable some API functionality using the HSM configurations options. But cloud HSMs typically don't allow customization since they are intended to interoperate with as many applications as possible. In fact, this is part of what makes them affordable: everybody gets the same functionality. So how can we get back security?

Changing the Game

Riccardo’s new paper (co-authored with Flaminia Luccio) explains how we can use the principle of least privilege to divide HSM tasks into separate roles. This means that critical key management operations are only carried out by privileged users who are distinct from the normal HSM users. 

It is the first secure HSM configuration that does not require any restriction or modification of the PKCS#11 API and is suitable for cloud HSM solutions. 

Essentially, you have 3 different user types: 

  1. (NU) Normal Users - these are the apps that need to use the API for legitimate cryptographic operations.
  2. (KM) Key Managers - these users perform key management operations using the API in a controlled way. They handle the keys used to wrap other keys.
  3. (SO) Security Officers - a special user that adheres to the PKCS #11 standard and has no access to the full API. They are mainly concerned with administrative tasks such as creating new HSM users and ensuring the right keys are used for the right things.

Significantly in this approach, production apps are not able to perform the powerful key management functions that are required to carry out API level attacks. Therefore, in the event that a normal user's access is compromised, they will not be able to perform any of the operations only available to KMs or SOs. The higher privileged KM and SO users will access the HSM through special management applications whose credentials will never be used in production applications. 

Riccardo and his fellow researchers have proven the correctness of their proposed configuration by providing a formal model in the state-of-the-art Tamarin prover. They have been able to mathematically prove that no matter how many variations and mixes of API calls a normal user (NU) makes they cannot reveal the keys. Even better, they show how you can implement exactly this user access configuration using the features of Amazon's AWS CloudHSM. Their research will appear in November 2021 at the prestigious ACM CCS conference.

This is a game changer for using HSMs in the cloud.

Cloud Confidence

Thanks to our strong connections with academia, we at Cryptosense are able to address the critical vulnerabilities that our customers face before the mainstream security companies. We currently provide the world's only commercially available HSM fuzzer that enables PKCS#11 device audits without the need for manual analysis.

To assess the security of your HSM configuration, connect with our team to ensure you get the best possible advice and support.