DeepSec 2019 Talk: Demystifying Hardware Security Modules – How to Protect Keys in Hardware – Michael Walser
[Editorial note: Cryptography is one of our favourite topics. This is why we invited experts from sematicon AG to show some of their skills and help you navigate through the jungle of false promises by vendors, magic bullets, and misuse of the word „crypto“.]
A secure crypto-algorithm is based on the fact that only the key needs to be kept secret, not the algorithm itself. The key is of high value and must be protected. In this talk we will have a look at how to protect keys and why a dedicated hardware is needed to make sure the key is kept secret and always under the control of the owner. Different use cases require different HSMs (Hardware Security Modules). We will have a look at data centres and cloud HSMs as well as at desktops and embedded solutions like industrial equipment or IoT-Devices.
Afterwards you can visit us at our booth to see market leading HSMs in action and you will have the possibility to discuss features and functions with long-term crypto experts.
We asked Michael a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- Isolate keys and secrets from users
- always isolate keys from applications and firmware
- operate with keys only in isolated environments
- take care about standards
- encryption is not an universal problem-solver
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
After more than a decade in the IT-Security Business with strong focus on cryptography it is still an unpleasant truth, that most people do not care about crypto-keys at all. Everybody knows that encryption is important but it is curious that the job seems to be done when the data is encrypted. Crypto-Keys are most of the time stored in software represented by a key file that can be easily copied and lost. These keys are copied every day in backups and are distributed all over the infrastructure.
The reason is simple: they must be available to access the encrypted data for work.
Why do you think this is an important topic?
The biggest breaches in the last years did not happened because something was “hacked”. The reality is that something was “lost” most probably the key to the data. It is if you have the best alarm-system and somebody just steals the key to open the front door. It is important that people start thinking about the fact that the key represents the value of the data and there is a need for strong protection.
Is there something you want everybody to know – some good advice for our readers maybe?
There are solutions to answer the question about how to protect keys and keep them available. It does not matter where: Cloud, IT, IoT or Industrial Systems. There are many types of hardware security modules to use. It just depends on the use case you will have. It is not a rocket science but a question of the right tools available.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Crypto is very much complex when it comes to practical use cases. This is the reason why there are so many easy-to-use tools (including HSMs) do exist for the IT-Industry. But what about industrial systems and IoT-solutions? We do our best to provide the same toolset also for embedded and industrial systems. I really hope, that making things easier will bring more people and engineers on track with strong authentication and cryptography.
Michael Walser is a member of the executive board and CTO of the Munich based security company sematicon AG. In this function, he is responsible for the company’s technical business strategy and advises customers how to securely implement the digital transformation in industry and IT.
After graduating in electrical engineering, he was working as a consultant and advisor on successful IT security and digital payment projects – always focusing on cryptography – for many years. He supported many customers worldwide and was also responsible for the projects’ implementation.
sematicon AG is a Munich-based company specialised in IT security and cryptography. We support our customers in mastering digital transformation successfully and securely in their operations. With a focus on IT, industry and electrical engineering, we offer highly specialised security solutions, which have been developed on the basis of industrial and IoT requirements. For example, our solution for secure and isolated remote access to industrial plants and systems has been declared to be innovative by our customers. Furthermore, we support and advise you in the planning and implementation processes of your security concepts. In our in-house training centre – the sematicon academy – we aim at qualifying employees in all relevant IT security areas. Thus, we offer comprehensive security services for the industrial and electronics sectors from a single source.