An Alternative to HSMs?
November 27, 2018 by Jeremy Spilman
For years, large banks and corporations have been using Hardware Security Modules (HSMs) to perform their sensitive cryptographic operations. HSMs are validated under NIST's FIPS 140-2, a standard that sets requirements for the design of the hardware and software components of the HSM. FIPS 140-2 validation can provide some assurance that the overall system, including hardware tamper resistance, cryptographic primitives, and even user management and configuration, is designed to resist intrusion. HSMs provide a system to generate and store secret keys, and to perform cryptographic operations using those keys inside a protected enclave. In short, an HSM holds secret keys inside a closed-source “black box” which, in theory, an attacker cannot access.
While HSMs have been an attractive security model for large enterprises looking for a stamp of approval, there has not been an affordable alternative for SMBs. As security breaches continue to dominate the headlines, it is our duty in the tech world to deliver strong, open, and accessible cybersecurity solutions that can protect a deployment of any size. Which brings us to our topic below: could there already be an HSM option available for SMBs? To answer this, let's first take a look at the current challenges of integrating a hardware security module into an existing password hashing system.
The three biggest challenges with HSMs are cost, complexity, and vulnerability assessment. Let's start with cost. There are two different ways to deploy an HSM: running your own dedicated hardware, or renting an HSM in the cloud. Deploying your own hardware would be enormously expensive and difficult to manage, so for this article we look solely at the cloud case. Amazon is a trusted and popular cloud option for HSMs, so we use its pricing in our example. The Amazon CloudHSM service rents for $1.60 per hour, per instance. For reliability, they recommend you have 3 instances deployed across multiple regions. That means the minimum cost to start using Amazon CloudHSM is $42,048 per year (3 instances × $1.60 × 8,760 hours). If you ever need to increase your login capacity beyond what a single instance can provide, that cost grows in whole multiples, because each region has to scale up in step to preserve the redundancy.
Price is by far the easiest factor to evaluate. Integrating an HSM into a password hashing process, by contrast, is not a mere programming exercise: it requires experience with cryptographic primitives, provides ample opportunity for catastrophic failure, and should be left only to experienced cryptographers. With that disclaimer in place, conceptually an HSM can be used to encrypt and decrypt your data, as well as to “key” the hashing process, so that every password verification requires a call into the HSM. To do this, you would need to build an integration with your password hashing, create your own support for upgrading and downgrading hashes, handle key rotation, and manage your own key backups and recovery. In essence, an HSM is a basic building block that provides access to protected keys, and you build up from there. Many companies do not have the expertise on staff to handle this type of implementation, cannot afford to contract it out on top of the cost of renting the HSM, and have no way to verify the security properties of a given implementation. Thus, many forgo an HSM altogether, fall back to legacy hashing, and expose their users to an offline attack.
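As an added illustration of the integration work just described (example code written for this page, not code from the original post or from any HSM vendor), here is a minimal password-verification flow that “keys” the hash with an HSM-held secret and handles key rotation by lazily re-keying records on the next successful login. The `SimulatedHsm` class is a hypothetical stand-in that keeps keys inside one object so the example runs offline; a real deployment would call the HSM's PKCS#11 or vendor client at the same two points (`generate_key` and `mac`). The scrypt parameters are illustrative only.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


class SimulatedHsm:
    """Hypothetical stand-in for an HSM (not CloudHSM's API): keys are generated
    and used inside this object and never returned to the caller. Only a MAC over
    caller-supplied data leaves the boundary."""

    def __init__(self) -> None:
        self._keys: dict[int, bytes] = {}
        self.current_version = 0
        self.generate_key()  # start with one usable key version

    def generate_key(self) -> int:
        """Create a new 256-bit key and make it the current version."""
        self.current_version += 1
        self._keys[self.current_version] = secrets.token_bytes(32)
        return self.current_version

    def retire_key(self, version: int) -> None:
        """Destroy an old key after rotation; records still bound to it become unverifiable."""
        del self._keys[version]

    def mac(self, version: int, data: bytes) -> bytes:
        """HMAC-SHA256 computed inside the boundary; raises KeyError for a retired version."""
        return hmac.new(self._keys[version], data, hashlib.sha256).digest()


@dataclass
class PasswordRecord:
    """What the application database stores: no secret key material, only the
    HSM key version, the per-user salt and the keyed tag."""
    key_version: int
    salt: bytes
    tag: bytes


def slow_hash(password: str, salt: bytes) -> bytes:
    # Memory-hard hash run on the application side so the HSM is not the bottleneck.
    # Parameters are illustrative; tune n/r/p for production hardware.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def enroll(hsm: SimulatedHsm, password: str) -> PasswordRecord:
    """Hash the password, then 'key' the result under the HSM's current key."""
    salt = os.urandom(16)
    version = hsm.current_version
    return PasswordRecord(version, salt, hsm.mac(version, slow_hash(password, salt)))


def verify(hsm: SimulatedHsm, record: PasswordRecord, password: str) -> tuple[bool, PasswordRecord]:
    """Return (ok, record). On success with a stale key version the record is
    re-keyed under the current version (lazy upgrade); the caller persists it."""
    digest = slow_hash(password, record.salt)
    try:
        expected = hsm.mac(record.key_version, digest)
    except KeyError:
        # The key was retired before this user logged in again: the record is
        # dead and the user must go through a password reset.
        return False, record
    if not hmac.compare_digest(expected, record.tag):
        return False, record
    if record.key_version != hsm.current_version:
        cur = hsm.current_version
        record = PasswordRecord(cur, record.salt, hsm.mac(cur, digest))
    return True, record
```

Two things the paragraph above states become concrete here. First, a stolen database of `PasswordRecord` rows cannot be attacked offline, because checking a guess requires `hsm.mac`, which only the HSM can compute; that is the whole benefit, and it is also why every login now costs an HSM call. Second, rotation with a MAC-based design can only re-key a record when the user presents the password, so any record not upgraded before the old key is retired is lost. The encrypt/decrypt variant mentioned in the text avoids that by letting an operator decrypt and re-encrypt stored hashes under the new key without user involvement, at the price of a reversible transformation living in the HSM.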
Vulnerability assessment is another challenge with HSMs. Since the system relies on a secret key, if an attacker is ever able to gain access to that key, even for a minute, the whole thing is compromised. It all reduces to a secret key (often just 256 bits) which must be kept safe. On Amazon CloudHSM, for example, a privileged account is created on the HSM device which is able to import and export those keys. If the attacker can log in to that account, they can export the key. So your security depends on keeping the password for that one user account safe, and on keeping your own backups of the key safe.
Finally, there is the matter of trust. FIPS 140-2 certification is not a guarantee that a system is secure, and it most certainly does not guarantee that a system will be operated securely. While critical vulnerabilities are routinely discovered in both open and closed source crypto, at least with open source alternatives the discovery is made in the open, patches are publicly announced and documented, and the code is available for inspection. Recent high-profile failures of HSM-style hardware run the gamut from the diminutive Trezor Bitcoin wallet to Intel's own highly touted Software Guard Extensions (SGX).
So what is the answer for those who cannot afford an HSM, or who simply want an alternative?