{{Refimprove|date=November 2017}} {{Use dmy dates|date=August 2025}} {{short description|Physical computing device}}

[[File:NCipher nShield F3 Hardware Security Module.jpg|thumb|An HSM in [[PCIe]] format]] A '''hardware security module''' ('''HSM''') is a physical computing device that safeguards and manages secrets (most importantly [[digital keys]]), and performs [[encryption]] and decryption functions for [[digital signature|digital signatures]], strong authentication and other cryptographic functions.<ref>{{Citation |last=Sommerhalder |first=Maria |title=Hardware Security Module |date=2023 |work=Trends in Data Protection and Encryption Technologies |pages=83–87 |editor-last=Mulder |editor-first=Valentin |place=Cham |publisher=Springer Nature Switzerland |language=en |doi=10.1007/978-3-031-33386-6_16 |isbn=978-3-031-33386-6 |editor2-last=Mermoud |editor2-first=Alain |editor3-last=Lenders |editor3-first=Vincent |editor4-last=Tellenbach |editor4-first=Bernhard|doi-access=free }}</ref> These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a [[computer]] or [[Server (computing)|network server]]. A hardware security module contains one or more [[secure cryptoprocessor]] [[integrated circuit|chips]].<ref>{{cite book |last1=Ramakrishnan |first1=Vignesh |last2=Venugopal |first2=Prasanth |last3=Mukherjee |first3=Tuhin |title=Proceedings of the International Conference on Information Engineering, Management and Security 2015: ICIEMS 2015 |date=2015 |publisher=Association of Scientists, Developers and Faculties (ASDF) |isbn=9788192974279 |page=9 |url=https://books.google.com/books?id=Gw9pCwAAQBAJ&pg=PA9}}</ref><ref>{{cite book |last1=Gregg |first1=Michael |title=CASP CompTIA Advanced Security Practitioner Study Guide: Exam CAS-002 |date=2014 |publisher=[[John Wiley & Sons]] |isbn=9781118930847 |page=246 |url=https://books.google.com/books?id=LKPCBwAAQBAJ&pg=PA246}}</ref>

==Design==
HSMs may have features that provide tamper evidence, such as visible signs of tampering or logging and alerting; tamper resistance, which makes tampering difficult without rendering the HSM inoperable; or tamper responsiveness, such as deleting keys upon tamper detection.<ref>{{cite web|url=http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=RDELECTRONICTAMPER|title=Electronic Tamper Detection Smart Meter Reference Design|publisher=freescale|access-date=26 May 2015|archive-date=14 June 2015|archive-url=https://web.archive.org/web/20150614080911/http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=RDELECTRONICTAMPER|url-status=live}}</ref> Each module contains one or more [[secure cryptoprocessor]] chips to prevent tampering and [[Bus_analyzer|bus probing]], or a combination of chips in a module that is protected by tamper-evident, tamper-resistant, or tamper-responsive packaging. The vast majority of existing HSMs are designed mainly to manage secret keys. Many HSM systems have means to securely back up the keys they handle outside of the HSM. Keys may be backed up in wrapped form and stored on a [[Disk storage|computer disk]] or other media, or externally using a secure portable device such as a [[smartcard]] or some other [[security token]].<ref>{{Cite web |title=YubiHSM 2: Backup and Restore — YubiHSM 2 User Guide documentation |url=https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-backup-restore.html |access-date=2025-05-19 |website=docs.yubico.com}}</ref>

HSMs are used for real-time authorization and authentication in critical infrastructure and are therefore typically engineered to support standard high-availability models, including [[Computer cluster|clustering]], automated [[failover]], and redundant [[field-replaceable unit|field-replaceable components]].

A few of the HSMs available on the market can execute specially developed modules within the HSM's secure enclosure. This ability is useful, for example, where special algorithms or business logic have to be executed in a secured and controlled environment. The modules can be developed in native [[C (programming language)|C]], .NET, [[Java (programming language)|Java]], or other programming languages.

== Certification ==
Due to the critical role they play in securing applications and infrastructure, general-purpose HSMs and/or their cryptographic modules are typically certified according to internationally recognized standards such as [[Common Criteria]] (e.g. using Protection Profile EN 419 221-5, "Cryptographic Module for Trust Services") or [[FIPS 140]] (currently the 3rd version, often referred to as FIPS 140-3). Although the highest level of [[FIPS 140]] security certification attainable is Security Level 4, most HSMs have Level 3 certification. In the Common Criteria system the highest EAL (Evaluation Assurance Level) is EAL7; most HSMs have EAL4+ certification. When used in financial payment applications, the security of an HSM is often validated against the HSM requirements defined by the [[Payment Card Industry Security Standards Council]].<ref>{{Cite web|url=https://www.pcisecuritystandards.org/|title=Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards|website=www.pcisecuritystandards.org|language=en|access-date=2018-05-01|archive-date=2019-09-02|archive-url=https://web.archive.org/web/20190902032456/https://www.pcisecuritystandards.org/|url-status=live}}</ref>

==Uses==
A hardware security module can be employed in any application that uses digital keys. Typically, the keys would be of high value, meaning there would be a significant negative impact on the owner of the key if it were compromised.

The functions of an HSM are:
* onboard secure cryptographic key generation,
* onboard secure cryptographic key storage, at least for the top-level and most sensitive keys, which are often called master keys,
* key management,
* use of cryptographic and sensitive data material, for example, performing decryption or digital signature functions,
* onboard secure deletion of cryptographic and other sensitive data material that was managed by it.

HSMs are also deployed to manage [[transparent data encryption]] keys for databases and keys for storage devices such as [[Disk encryption|disk]] or [[Magnetic tape data storage|tape]].{{cn|date=June 2024}}

Some HSM systems are also hardware [[SSL acceleration|cryptographic accelerators]]. They usually cannot beat the performance of hardware-only solutions for symmetric-key operations. However, with performance ranging from 1 to 10,000 1024-bit [[RSA (algorithm)|RSA]] signatures per second, HSMs can provide significant CPU offload for asymmetric-key operations. Since the [[National Institute of Standards and Technology]] (NIST) has recommended the use of 2,048-bit RSA keys from 2010,<ref>{{cite web|url=https://csrc.nist.gov/publications/detail/sp/800-131a/rev-1/final|title=Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths|date=January 2011|publisher=NIST|access-date=March 29, 2011|archive-date=May 1, 2018|archive-url=https://web.archive.org/web/20180501225620/https://csrc.nist.gov/publications/detail/sp/800-131a/rev-1/final|url-status=live}}</ref> performance at longer key sizes has become more important. To address this, most HSMs now support [[elliptic curve cryptography]] (ECC), which delivers comparable security strength with much shorter key lengths.

===PKI environment (CA HSMs)===
In [[Public Key Infrastructure|PKI]] environments, HSMs may be used by [[Certification authority|certification authorities]] (CAs) and [[Registration authority|registration authorities]] (RAs) to generate, store, and handle asymmetric key pairs. In these cases, there are some fundamental features a device must have, namely:
* Logical and physical high-level protection
* Multi-part user authorization schema (see [[secret sharing]])
* Full audit and log traces
* Secure key backup

On the other hand, device performance in a PKI environment is generally less important, in both online and offline operations, as Registration Authority procedures represent the performance bottleneck of the Infrastructure.
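The "multi-part user authorization" requirement listed above is usually met with a threshold scheme: the CA's master key (or the key that unlocks it) is split into ''n'' custodian shares of which any ''k'' must be presented together. The Go program below is an added worked example of Shamir's secret sharing, not code from the article or from any HSM product; `Split`, `Combine`, `Share` and the 16-byte sample secret are this example's own constructions, and the field modulus 2<sup>255</sup>&minus;19 is chosen simply because it comfortably holds a 128- or 256-bit key.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// prime is the field modulus 2^255 - 19; secrets of up to 31 bytes (or 32 with
// the top bit clear) are guaranteed to be below it.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))

// Share is one custodian's part: an x coordinate and the polynomial value there.
type Share struct {
	X int64
	Y *big.Int
}

// Split creates n shares such that any k reconstruct the secret: the secret is
// the constant term of a random degree k-1 polynomial evaluated at x = 1..n.
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k || n > 255 {
		return nil, errors.New("need 2 <= k <= n <= 255")
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, errors.New("secret too large for the field")
	}
	coeffs := []*big.Int{s}
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for d := k - 1; d >= 0; d-- { // Horner's rule, reduced mod prime each step
			y.Mul(y, x).Add(y, coeffs[d]).Mod(y, prime)
		}
		shares[i] = Share{X: int64(i + 1), Y: y}
	}
	return shares, nil
}

// Combine recovers a secretLen-byte secret from k or more distinct shares by
// Lagrange interpolation at x = 0. Fewer than k shares yield an unrelated field
// element; the size check catches that with overwhelming probability, but the
// threshold itself must be tracked by the caller, not inferred from the data.
func Combine(shares []Share, secretLen int) ([]byte, error) {
	acc := new(big.Int)
	for i, si := range shares {
		num, den, xi := big.NewInt(1), big.NewInt(1), big.NewInt(si.X)
		for j, sj := range shares {
			if i == j {
				continue
			}
			if sj.X == si.X {
				return nil, errors.New("duplicate share")
			}
			xj := big.NewInt(sj.X)
			num.Mul(num, xj).Mod(num, prime)
			den.Mul(den, new(big.Int).Sub(xj, xi)).Mod(den, prime)
		}
		term := new(big.Int).ModInverse(den, prime)
		term.Mul(term, num).Mul(term, si.Y).Mod(term, prime)
		acc.Add(acc, term).Mod(acc, prime)
	}
	if acc.BitLen() > secretLen*8 {
		return nil, errors.New("reconstruction failed: too few or wrong shares")
	}
	out := make([]byte, secretLen)
	acc.FillBytes(out)
	return out, nil
}

func main() {
	secret := []byte("constructed key!") // constructed 16-byte stand-in for a CA master key
	shares, err := Split(secret, 3, 5)   // five custodians, any three may authorize
	if err != nil {
		panic(err)
	}
	quorum := []Share{shares[0], shares[2], shares[4]}
	back, err := Combine(quorum, len(secret))
	fmt.Printf("recovered %q (err=%v)\n", back, err)
}
```

Inside an HSM the reconstruction happens in the module's own memory during a key-load ceremony, and the individual shares are normally written to separate smartcards, so no single operator ever handles the whole key.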

===Card payment system HSMs (bank HSMs)===
Specialized HSMs are used in the payment card industry. These HSMs support both general-purpose functions and the specialized functions required to process transactions and comply with industry standards. They normally do not feature a standard [[application programming interface|API]].

Typical applications are transaction authorization and payment card personalization, requiring functions such as:

* verify that a user-entered PIN matches the reference PIN known to the card issuer
* verify credit/debit card transactions by checking card security codes or by performing host processing components of an [[EMV]]-based transaction in conjunction with an [[ATM controller]] or [[Payment terminal|POS terminal]]
* support a crypto-API with a [[smart card]] (such as an [[EMV]] card)
* re-encrypt a PIN block to send it to another authorization host
* perform secure [[key management]]
* support a protocol for POS/ATM network management
* support de facto standards for host-to-host key and data exchange APIs
* generate and print a "PIN mailer"
* generate data for a magnetic stripe card (PVV, [[Card Verification Value|CVV]])
* generate a card keyset and support the personalization process for [[smart card]]s

The major organizations that produce and maintain standards for HSMs on the banking market are the [[Payment Card Industry Security Standards Council]], [[ASC X9|ANS X9]], and [[International Organization for Standardization|ISO]].
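Two of the functions in the list above, PIN verification and PIN-block translation between authorization hosts, can be illustrated concretely with the ISO 9564-1 format 0 PIN block. The Go program below is an added worked example, not code from the article or from any payment HSM; the function names (`EncodePINBlock`, `DecodePINBlock`, `CryptPINBlock`, `TranslatePINBlock`, `VerifyPIN`), the test PAN and PIN, and the two 3DES zone PIN keys are all constructed for the example. The point a practitioner should take from it is the boundary: the cleartext block exists only inside `TranslatePINBlock` and `VerifyPIN`, which is exactly what the HSM's hardware boundary enforces, and the verifier returns only a yes/no answer, compared in constant time.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// panField builds the ISO 9564-1 format 0 account field: "0000" followed by the rightmost 12 PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// EncodePINBlock produces the cleartext 8-byte format 0 block: (0 | PIN length | PIN digits | F padding) XOR account field.
func EncodePINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	pf, _ := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	af, err := panField(pan)
	if err != nil {
		return nil, err
	}
	blk := make([]byte, 8)
	for i := range blk {
		blk[i] = pf[i] ^ af[i]
	}
	return blk, nil
}

// DecodePINBlock recovers the PIN from a cleartext format 0 block and rejects anything malformed.
func DecodePINBlock(block []byte, pan string) (string, error) {
	af, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", errors.New("invalid PAN or PIN block length")
	}
	pf := make([]byte, 8)
	for i := range pf {
		pf[i] = block[i] ^ af[i]
	}
	h, n := hex.EncodeToString(pf), int(pf[0]&0x0F)
	if h[0] != '0' || n < 4 || n > 12 || strings.Trim(h[2+n:], "f") != "" || strings.Trim(h[2:2+n], "0123456789") != "" {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return h[2 : 2+n], nil
}

// CryptPINBlock runs one 3DES block operation under a 24-byte zone PIN key; decrypt=false is what a terminal or acquirer does before sending.
func CryptPINBlock(in, zpk []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewTripleDESCipher(zpk)
	if err != nil || len(in) != 8 {
		return nil, errors.New("bad zone key or block length")
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// TranslatePINBlock re-encrypts a block from the incoming zone key to the outgoing one; the cleartext never leaves this function.
func TranslatePINBlock(enc, zpkIn, zpkOut []byte) ([]byte, error) {
	clear, err := CryptPINBlock(enc, zpkIn, true)
	if err != nil {
		return nil, err
	}
	return CryptPINBlock(clear, zpkOut, false)
}

// VerifyPIN decrypts the block and compares the entered PIN with the issuer's reference PIN in constant time.
func VerifyPIN(enc, zpk []byte, pan, referencePIN string) (bool, error) {
	clear, err := CryptPINBlock(enc, zpk, true)
	if err != nil {
		return false, err
	}
	pin, err := DecodePINBlock(clear, pan)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(pin), []byte(referencePIN)) == 1, nil
}

func main() {
	// Constructed data: a test PAN and PIN plus two constructed 3DES zone keys.
	pan, zpkA, zpkB := "4111111111111111", []byte("constructed-zpk-A-24byte"), []byte("constructed-zpk-B-24byte")
	clear, _ := EncodePINBlock("1234", pan)
	enc, _ := CryptPINBlock(clear, zpkA, false)
	fwd, _ := TranslatePINBlock(enc, zpkA, zpkB)
	ok, err := VerifyPIN(fwd, zpkB, pan, "1234")
	fmt.Printf("clear block %X, under ZPK-B %X, verified=%v err=%v\n", clear, fwd, ok, err)
}
```

Real payment HSMs add what this sketch omits: zone keys are themselves delivered wrapped under key-encryption keys, operations are rate-limited and logged to blunt PIN-guessing, and the host API exposes only the translate and verify commands, never a "decrypt PIN block" primitive.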

===SSL connection establishment===
Performance-critical applications that have to use [[HTTPS]] ([[Secure Sockets Layer|SSL]]/[[Transport Layer Security|TLS]]) can benefit from an SSL acceleration HSM by moving the RSA operations, which typically require several large-integer multiplications, from the host CPU to the HSM device. Typical HSM devices can perform about 1 to 10,000 1024-bit RSA operations per second.<ref>{{cite web|url=http://secappdev.org/handouts/2010/Filip%20Demaertelaere/HSM.pdf|title=Hardware Security Modules|author=F. Demaertelaere|publisher=Atos Worldline|access-date=26 May 2015|archive-url=https://web.archive.org/web/20150906093444/http://secappdev.org/handouts/2010/Filip%20Demaertelaere/HSM.pdf|archive-date=6 September 2015|url-status=dead}}</ref><ref>{{Cite web|title=Preparing to Issue 200 Million Certificates in 24 Hours - Let's Encrypt|url=https://letsencrypt.org/2021/02/10/200m-certs-24hrs.html|access-date=2021-05-19|website=[[Let's Encrypt]]|date=10 February 2021|archive-date=2022-03-19|archive-url=https://web.archive.org/web/20220319075102/https://letsencrypt.org/2021/02/10/200m-certs-24hrs.html|url-status=live}}</ref> Performance at longer key sizes is becoming increasingly important.
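Whether offloading to an accelerator pays off, and how much the move to longer RSA keys or to ECC changes the picture (the point made both here and under "Uses" above), is something a practitioner measures on the host CPU first. The Go program below is an added example, not code from the article or from any HSM or accelerator vendor: it signs a constructed digest with a freshly generated RSA-2048 key and with an ECDSA P-256 key, reports signatures per second and signature size, and verifies the last signature so that the rate being measured is for correct output. `BenchRSA`, `BenchECDSA` and the `Result` type are this example's own names.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Result is what a capacity planner needs to decide whether offloading a given
// algorithm to an HSM or accelerator is worthwhile.
type Result struct {
	Algorithm string
	SigBytes  int     // signature size on the wire
	OpsPerSec float64 // signatures per second on this host CPU
	Verified  bool    // last signature verified under the public key
}

// digest is a constructed stand-in for the hashed handshake transcript.
var digest = sha256.Sum256([]byte("constructed TLS handshake transcript"))

// BenchRSA signs the digest iterations times with a fresh RSA key of the given size.
func BenchRSA(bits, iterations int) (Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return Result{}, err
	}
	var sig []byte
	start := time.Now()
	for i := 0; i < iterations; i++ {
		if sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]); err != nil {
			return Result{}, err
		}
	}
	rate := float64(iterations) / time.Since(start).Seconds()
	ok := rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, digest[:], sig) == nil
	return Result{fmt.Sprintf("RSA-%d", bits), len(sig), rate, ok}, nil
}

// BenchECDSA does the same with a P-256 key, the usual ECC choice for TLS.
func BenchECDSA(iterations int) (Result, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	var sig []byte
	start := time.Now()
	for i := 0; i < iterations; i++ {
		if sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:]); err != nil {
			return Result{}, err
		}
	}
	rate := float64(iterations) / time.Since(start).Seconds()
	ok := ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig)
	return Result{"ECDSA-P256", len(sig), rate, ok}, nil
}

func main() {
	for _, run := range []func() (Result, error){
		func() (Result, error) { return BenchRSA(2048, 200) },
		func() (Result, error) { return BenchECDSA(200) },
	} {
		r, err := run()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-11s sig=%3d bytes %9.0f sign/s verified=%v\n", r.Algorithm, r.SigBytes, r.OpsPerSec, r.Verified)
	}
}
```

The numbers differ by machine, which is the point: compare the host's own signing rate against the connection rate the service must sustain before deciding that an accelerator is needed, and note that a P-256 signature is a fraction of the size and cost of an RSA-2048 one at comparable security strength.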

===DNSSEC===

An increasing number of registries use HSMs to store the key material that is used to sign large [[zonefile]]s. [[OpenDNSSEC]] is an open-source tool that manages the signing of DNS [[zone file]]s.

On 27 January 2007, [[ICANN]] and [[Verisign]], with support from the [[U.S. Department of Commerce]], started deploying [[Domain Name System Security Extensions|DNSSEC]] for [[DNS root zone]]s.<ref>{{Cite web|title = ICANN Begins Public DNSSEC Test Plan for the Root Zone|url = http://www.circleid.com/posts/20100127_icann_begins_public_dnssec_test_plan_for_the_root_zone/|website = www.circleid.com|access-date = 2015-08-17|archive-date = 2015-09-23|archive-url = https://web.archive.org/web/20150923203650/http://www.circleid.com/posts/20100127_icann_begins_public_dnssec_test_plan_for_the_root_zone/|url-status = live}}</ref> Root signature details can be found on the Root DNSSEC website.<ref name="root dnssec">{{Cite web |url=http://www.root-dnssec.org/ |title=Root DNSSEC |access-date=2015-08-17 |archive-date=2017-09-10 |archive-url=https://web.archive.org/web/20170910160611/http://www.root-dnssec.org/ |url-status=live }}</ref>

=== Blockchain and HSMs ===
[[File:Trezor Safe 7.jpg|thumb|A quantum-ready cryptocurrency hardware wallet]]
[[Blockchain]] technology depends on cryptographic operations. Safeguarding private keys is essential to maintain the security of blockchain processes that utilize asymmetric cryptography. The private keys are often stored in a [[cryptocurrency wallet]] like the hardware wallet in the image.

The synergy between HSMs and blockchain is mentioned in several papers, emphasizing their role in securing private keys and verifying identity, e.g. in contexts such as blockchain-driven mobility solutions.<ref>{{Cite book |last1=Shbair |first1=Wazen M. |last2=Gavrilov |first2=Eugene |last3=State |first3=Radu |title=2021 IEEE International Conference on Blockchain and Cryptocurrency (ICBC) |chapter=HSM-based Key Management Solution for Ethereum Blockchain |date=May 2021 |chapter-url=https://ieeexplore.ieee.org/document/9461136 |pages=1–3 |doi=10.1109/ICBC51069.2021.9461136 |isbn=978-1-6654-3578-9 |s2cid=235637476 |url=http://orbilu.uni.lu/handle/10993/46760 |access-date=2023-08-13 |archive-date=2022-07-06 |archive-url=https://web.archive.org/web/20220706193730/https://orbilu.uni.lu/handle/10993/46760 |url-status=dead }}</ref><ref>{{Cite book |last1=Pirker |first1=Dominic |last2=Fischer |first2=Thomas |last3=Witschnig |first3=Harald |last4=Steger |first4=Christian |title=2021 IEEE 5th International Conference on Cryptography, Security and Privacy (CSP) |chapter=Velink - A Blockchain-based Shared Mobility Platform for Private and Commercial Vehicles utilizing ERC-721 Tokens |date=January 2021 |chapter-url=https://ieeexplore.ieee.org/document/9357605 |pages=62–67 |doi=10.1109/CSP51677.2021.9357605|isbn=978-1-7281-8621-4 |s2cid=232072116 |url=https://zenodo.org/record/4564041 }}</ref>

===Automotive HSMs=== Automotive hardware security modules (HSMs) are embedded cryptographic coprocessors integrated into [[Electronic control unit|electronic control units (ECUs)]] to protect in-vehicle systems and communication buses against manipulation and misuse.<ref name="WoGe12">{{cite conference|title=Design, Implementation, and Evaluation of a Vehicular Hardware Security Module|author=Marko Wolf and Timo Gendrullis|year=2009|url=http://www.marko-wolf.de/files/WoGe12_Automotive_HSM.pdf}}</ref>

They act as a hardware [[root of trust]] by securely generating and storing cryptographic keys and offloading security-critical operations such as [[secure boot]], encryption, decryption, authentication and attestation.<ref name="WoGe12" /><ref name="cunha2025">{{cite journal|title=Security First, Safety Next: The Next-Generation Embedded Sensors for Autonomous Vehicles|author=Luis Cunha, João Sousa, José Azevedo, Sandro Pinto, and Tiago Gomes|date=2025-05-27|journal=Electronics|volume=14|url=https://www.mdpi.com/2079-9292/14/11/2172}}</ref>

In modern ECU designs, HSMs are one of several hardware primitives that can underpin a hardware root of trust alongside secure elements, [[trusted platform module|trusted platform modules (TPMs)]], one-time programmable (OTP) and read-only memories (ROM), and physical unclonable functions (PUFs). Their use provides dedicated hardware support for cryptographic operations, but also introduces trade-offs in die area, power consumption and latency, so they are typically integrated into mid- and high-end automotive domain controllers rather than the smallest microcontrollers.<ref name="cunha2025" />

Automotive HSMs are typically accompanied by dedicated firmware and software components that manage access to cryptographic services. These include HSM firmware, secure boot loaders, cryptographic libraries, and middleware that expose security services to the operating system and application software.<ref name="Pott2021">{{cite journal|title=Firmware Security Module|author=Claudius Pott, Philipp Jungklass, David Jacek Csejka, Thomas Eisenbarth, and Marco Siebert|date=2021-04-30|journal=Hardware and Systems Security|volume=5|url=https://link.springer.com/article/10.1007/s41635-021-00114-4}}</ref> In [[AUTOSAR]]-based systems, HSM firmware may interface with standardized service layers to provide cryptographic operations to applications.<ref name="Kandimala2012">{{cite conference|title=Safety and Security Features in AUTOSAR|author=Nagarjuna Rao Kandimala, and Michal Sojka|date=2012-11-15|url=https://rtime.felk.cvut.cz/publications/public/autosar-safety-security.pdf}}</ref>

== See also ==
* [[FIPS 140]]
* [[Public key infrastructure]]
* [[PKCS 11]]
* [[Secure cryptoprocessor]]
* [[Security token]]
* [[Transparent data encryption]]
* [[Security switch]]
* [[Trusted Platform Module]]

==Notes and references==
{{Reflist|30em}}

== External links ==
{{Commons category|Hardware security modules}}
{{Spoken Wikipedia|date=2023-10-12|EN-Hardware security module-article.ogg}}

* [https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules Current NIST FIPS-140 certificates]
* [https://www.commoncriteriaportal.org/products/index.cfm Current CC certificates for HSMs (under "Products for digital signatures")]
* [https://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf A Review of Hardware Security Modules] {{Webarchive|url=https://web.archive.org/web/20170829090252/https://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf |date=2017-08-29 }}

[[Category:Banking technology]]
[[Category:Computer security hardware]]
[[Category:Cryptanalytic devices]]
[[Category:Cryptographic hardware]]