Root Causes 121: What Is a Hardware Security Module?

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  Once again, we are lucky to have our frequent guest, Alan Grau, VP of IoT at Sectigo. So, Alan, we are going to do one of our “What Is” episodes today where we take a term or an element of the PKI universe and we explain it and I think the one we are going to use today is “What Is HSM?” So HSM stands for Hardware Security Module. It is a term that is bandied about a lot and let’s talk about it. Just start us at the top. What is a Hardware Security Module?

• 

  Alan Grau

  Sure, Tim. A Hardware Security Module is, you know, at some level the name is descriptive. It’s a piece of hardware that is used to ensure greater security for encryption keys within a device or within a system. So that’s the 10,000-foot view. Where it gets to be a little nuanced is there are different types of HSMs for different systems and purposes.

• 

  Tim Callan

  Right. So, make it concrete. So, what does this mean? This is a chip that is sitting on my motherboard in my laptop? Is that what we are talking about?

• 

  Alan Grau

  It could be. So, there are different types of HSMs. So as listeners to the podcast know, Sectigo is a certificate authority company and so part of what we do is we create root certificates and manage those root certificates both for public PKI and certificate use cases and for private use cases and in that case, we have HSMs in our data center where we have those keys stored in a very, very highly protected fashion. Some online where they can be accessed in real time and some that are stored offline and some of those HSMs are network HSMs so it’s actually more like a server that’s connected to the network in which we can store many, many keys and perform very, very high-speed cryptographic operations. So that’s kind of the high end of the HSM world.

  Then we’ve got kind of the middle tier as I would call it, which is what you just described. So, on my laptop, on any Windows laptop of recent vintage, there’s a requirement for a TPM chip. So TPM stands for trusted platform module and so that’s kind of a mid-tier HSM and, you know, so the network HSMs can be tens of thousands of dollars. Right? They can be very, very expensive. A TPM chip is a couple of dollars, something like that, and it can store multiple keys. It can do some reasonably sophisticated or reasonably fast encryption on it. It’s got some strong authentication. I mean that’s one of the characteristics is on a system with an HSM of any kind not only does it store the keys, but it requires an authentication mechanism to be able to be able to access, extract, use keys to issue it commands. So only kind of privileged operators can utilize the HSM and to access those keys.

• 

  Tim Callan

  And that’s why the TPM is safer right? So, you know, if I store the key on my hard disk or if I store the key in the TPM the point is that the TPM the access is considerably more limited?

• 

  Alan Grau

  Yeah. It’s stored in the safe and that safe has a combination to access it, you know, essentially and again, you can think about it as you’ve got a home safe that’s secure or you’ve got a bank vault that requires multiple levels of authentication and is thicker steel walls and all those things so it’s even more well-protected.

• 

  Tim Callan

  Ok. And you said that’s the middle tier. So, what’s the bottom tier?

• 

  Alan Grau

  So, the bottom tier are hardware secure elements for low end devices or for IoT devices. So, some higher-end IoT devices can utilize a TPM and the cost of a couple dollars is reasonable in the overall bill of materials, but if I’m building a very low-end IoT device that I’m gonna sell for $.50 I can’t afford to put a $1.00 TPM on it, right. So, there is some very, very inexpensive hardware secure elements that are designed for IoT devices that cost a few cents. You know, the price range varies because there is a variety of them for even, you know, it’s even more finely divided in that realm but that work on IoT devices, still provide the secure key storage, still can perform some crypto operations with those keys so that the private keys never leave the device, but they aren’t as capable. They aren’t as fast. They can’t store as many keys. They aren’t, you know, they don’t have the same level of capability, but they are well-suited for IoT use case.

• 

  Tim Callan

  Right. So, your point being that that would not be – that chip would not be acceptable for my laptop and because my laptop costs hundreds or thousands of dollars they can afford a couple dollars for a TPM but in the ultra-cheap IoT device scenario you are talking about they simply cannot?

• 

  Alan Grau

  Exactly.

• 

  Tim Callan

  Is it that simple? Are there worries? Are there weaknesses? Are there downsides?

• 

  Alan Grau

  There have been occasions of people finding hardware attacks against certain secure elements but those are rare. They have happened but again, that has always taken a very sophisticated attacker to be able to do that. So there have been a few vulnerabilities that have been discovered but the companies building these devices or these secure elements or HSMs are very security conscious and typically very, very quick to respond and address those.

• 

  Jason Soroko

  So, Alan, just thinking about that for a moment, most of the attacks that I’ve seen, and I’ve been in the room at various DEF CON, BlackHat type conference talks on this very subject. In my notes, I don’t have yet a single successful attack says against something like armed trust zone outside of implementation problems where it wasn’t the armed trust zone itself that was the problem, it was the implementation of it from say a carrier on a mobile device. That’s an example that I’ve seen.

• 

  Alan Grau

  Yeah, and armed trust zone brings up another slightly different flavor of hardware protection that’s important to talk about and that’s the concept of a secure enclave. So, a hardware secure element is in the enterprise data center use case that’s usually a separate board or even a separate server. In the TPM and secure element use case the hardware secure element is a physically separate chip on the SOC. So, the main processor must talk to another chip to do crypto operations. So, the armed trust zone technology builds what’s called a secure enclave. So, it’s a single chip solution in which there are hardware protections built in to provide isolation on that same chip and create what’s called a secure world and then a normal world and in the secure world you’d do all your security critical capabilities. So you run perhaps a very limited RTOS that’s been hardened. You do your crypto operations. You store your security keys and then in the normal world you would have more of a general-purpose operating system. It’s not going to be as tightly vetted for security and other applications that again, are hopefully robust and secure but don’t have the same detailed tight level of analysis for security vulnerabilities as the things running in that secure enclave. As I say, the best example – or maybe not the best but one of the humorous examples – I saw a company once that was putting Linux in the secure enclave and as we know, Linux, while it’s a great operating system, it’s a very, very large operating system. Tons of code and many known security vulnerabilities. So that gets into your point of an implementation issue. That one was rather serious and a mistake that shouldn’t have been made but there have been other more subtle mistakes on implementations that have caused flaws in the implementations.

• 

  Jason Soroko

  Sure, Alan. So, I think one of the important points to note there is that on a single chip what – chipset is what I should say. What ARM has created is the ability to have two separate kernels. Right? As you said, the user space. The normal user space that, you know, where there could be malicious activity going on and a secure space such as where you have a more limited space with a high level of authentication to be able to get at the key material. That’s an important architectural concept and I think, Alan, what I would like to have you comment is the trend, which was started mostly by mobile devices and now has moved towards IoT devices as well where this ability to have this isolated, sometimes code execution zone, right? We’ve heard of TEEs, but this concept of a separate place to put secrets is an important trend towards having secure IoT and secure mobile devices compared to what was in the traditional desktop environment. In fact – and this is the last part of the point I want to make – a lot of architectural diagrams that I’ve now seen say where to put active directory hashes for example, in a Windows computer. Microsoft is trying to hide that within hypervisor environments and perhaps also use in the TPM. These concepts are trying to be reverse engineered and refactored into traditional desktop operating systems whereas with IoT devices and mobile devices that level of separation is kind of inherent in most of the new designs and that’s an important trend and it’s a positive trend in security.

• 

  Alan Grau

  That’s true. I mean anytime you can provide isolation on that level, you are creating a barrier. It gets back to some of the basic security concepts of least privileged, you know, ensuring that people don’t have access to things that they shouldn’t, or processes and systems don’t have access to things that they shouldn’t and that only access is authorized. These technologies whether it’s an enclave using Trust Zone or a trusted execution environment where it’s a single chipset solution or it’s a hardware secure element where it’s a separate chipset performing those operations, you know, both architectures are effective and add a lot of value.

• 

  Tim Callan

  So, I’ll just ask the question. If there’s a place and a secure enclave let’s say or an appliance where all the secrets are, does that become a honey pot? Like is that just giving the bad guys a focus place to attack?

• 

  Alan Grau

  Perhaps. But not really. And I’ll explain that. Again, think of it as a safe. If somebody decides to break into your house and your wallet is just in the cupboard or on the table, they’re gonna be able to get it easily. If they break into your house and it’s in a safe, it’s gonna be much more difficult. All those secrets and sensitive information still need to reside on the device. Now what we’ve done is you first have to break into the device. So, you have to break through the front door, somehow break into the device. Then, you must break into the safe. So, it really does add a lot of value.

• 

  Tim Callan

  All right. Terrific. Anything else to add on this topic, gentlemen?

• 

  Jason Soroko

  Maybe just one last thought about your question, Tim. You know, you think of a safe as a physical object and perhaps with enough crowbars or heavy equipment or dynamite, if you are watching cartoons.

• 

  Tim Callan

  Think you used enough dynamite there, Butch? Yep.

• 

  Jason Soroko

  Perhaps with enough physical force you could get into a physical safe. I think what’s interesting though, however, about these secure elements and as widely ranged as Alan just described them, instead of physical access you must think of it as more like a logical access. We’ve definitely seen attempts at attacks against these kinds of systems based off of side channel attacks which is a whole other topic perhaps we could talk about in a separate podcast, but as Alan said, the attempts to make those safe with thicker steel and the chip in order to quiet down what could be attained through a side channel attack, a lot of those things have been addressed but most of the time the attacker only has access to the logical access of a device. In other words if a mobile device has been compromised with malware for example. So, what can that malware do? Well, it can probably at worst case get to root level access in the user land environment but may never regardless of capability ever be able to break into that secure element on that device because of the complete logical separation. And I think that’s a really important point. If an attacker has physical access, well, as you say, with enough dynamite who knows, but if it’s just logical access, opening that second safe could be very difficult.

• 

  Tim Callan

  Got it.

• 

  Alan Grau

  And generally, if they have done that it’s because of some implementation flaw.

• 

  Jason Soroko

  Exactly.

• 

  Tim Callan

  All right. Well, thank you guys. HSMs, TPMs, secure enclaves, all very important points, important parts of the PKI world. We talk about them all the time. I think it’s great that we just took an episode to explain them and what they were and how they fit together. So, Alan, it’s great having you as always.

• 

  Alan Grau

  Thanks, Tim.

• 

  Tim Callan

  Jason, it’s great to talk to you as always.

• 

  Jason Soroko

  Thank you.

• 

  Tim Callan

  Listeners, thank you for joining us. This has been Root Causes.