Single-Tenant or Multi-Tenant HSMs? Do You Trust Your Cloud Provider Not To Peek At Your Keys?

Your encryption keys are your crown jewels. Lose them or have them compromised, and you are likely to face significant costs. In fact, a breach of a trust infrastructure has been assessed as the most costly of all cybersecurity attacks.

And, so, we are increasingly moving our data infrastructures from on-premise to the public cloud. So where should we store our encryption keys? Well, it all depends on which level of FIPS 140–2 you need to comply with.

For AWS, we can use an HSM (Hardware Security Module) to store our private and symmetric keys, but this is a multi-tenant system, where you share the HSM with others. There should be no way for other AWS customers to access your keys, but there is the opportunity for AWS to access them. This is FIPS 140–2 Level 2.

For FIPS 140–2 Level 3, we have separation from other users and from AWS, and we run a CloudHSM. This is much more costly, and starts at around $1.45/hr to run in AWS (as compared to around $1/month for using a key in the HSM).

FIPS 140 levels

In 2019, FIPS 140–3 replaced FIPS 140–2. It defines 11 areas of design involved in designing and implementing modules. This includes four security levels for the cryptographic module specification; cryptographic module interfaces; roles, services, and authentication; software/firmware security; operating environment; physical security; non-invasive security; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation of other attacks. Each level builds on the previous one, where Level 1 is the lowest level and Level 4 is the highest. For those working in finance and in high-risk areas, Level 3 is often the benchmark, while in defence-related areas, Level 4 would often be applied. Table 1 outlines the differences between the levels.

Table 1: FIPS 140–3 overview

Physical security

For physical security, the tamper-proof nature of the target system is key, and tamper detection becomes important at the higher levels of security.

Security levels

As Figure 1 illustrates, Level 1 provides a minimum security level, while Level 2 implements methods around role-based authentication, and also integrates physical tamper evidence. As we move up to Level 3, we integrate identity-based authentication and also have an isolation barrier between the identity system and the place where the keys are stored. This would integrate a secure enclave (such as with the Apple T2 chip), or a hardware security module (HSM).

For Level 4, we see formal models, detailed explanations, and pre/post conditions. It also contains a great integration of tamper detection, with EFP (Environmental Failure Protection) and EFT (Environmental Failure Testing). This would involve testing that the target is not compromised when other components around the target system fail. A typical focus is on side channels, such as radio frequency (RF) or electromagnetic (EM) radiation from devices.

Figure 1: FIPS 140 levels

Isolation

For isolation, a method often used is key wrapping, where a key is protected outside a trusted environment. Within the Cloud, AWS CloudHSM (hardware security module) supports AES key wrapping with the default initialization vector (0xA6A6A6A6A6A6A6A6) or a user-defined value. This provides a FIPS 140–2 Level 3 environment, where the keys in their raw form are only handled within a trusted cloud instance. The wrapped keys can then exist outside this, but can only be converted into their actual form within the CloudHSM. A key generated within the CloudHSM can then be wrapped for export from the environment, or imported from an external wrapped key. The AWS CLI command takes the following form, which defines a key handle (with -k) and the wrapping key handle (with -w):

    > wrapKey -k 7 -w 14 -out mykey.key -m 5
    Key Wrapped.
    Wrapped Key written to file "mykey.key: length 612
    Cfm2WrapKey returned: 0x00 : HSM Return: SUCCESS
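What the default initialization vector does when a wrapped key is brought back in, as an added example (not code from the original article or from AWS): a minimal RFC 3394 AES Key Wrap unwrap in Go, narrowed to the unwrap side and run on the published RFC 3394 section 4.1 test vector. The names `Unwrap`, `vectorKEK` and `vectorWrapped` are this example's own, and the wrapping key here is a test value held in memory rather than a key inside an HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// DefaultIV is the RFC 3394 initial value, the 0xA6A6A6A6A6A6A6A6 default quoted above.
var DefaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Unwrap reverses the 6*n AES Key Wrap steps and releases the key only if the
// recovered register A equals the IV; a wrong KEK or an altered blob fails here.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	c, err := aes.NewCipher(kek)
	if err != nil || len(wrapped)%8 != 0 || len(wrapped) < 24 {
		return nil, fmt.Errorf("bad KEK or wrapped-key length")
	}
	buf, b, n := append([]byte{}, wrapped...), make([]byte, 16), len(wrapped)/8-1
	for t := 6 * n; t >= 1; t-- {
		r := buf[8+8*((t-1)%n):][:8] // register R[i] for step t = n*j + i
		binary.BigEndian.PutUint64(b, binary.BigEndian.Uint64(buf)^uint64(t))
		copy(b[8:], r)
		c.Decrypt(b, b)
		copy(buf[:8], b) // new A
		copy(r, b[8:])   // new R[i]
	}
	if subtle.ConstantTimeCompare(buf[:8], DefaultIV) != 1 {
		return nil, fmt.Errorf("integrity check failed: wrong KEK or modified blob")
	}
	return buf[8:], nil
}

// Published RFC 3394 section 4.1 test vector, not a real key.
const vectorKEK = "000102030405060708090a0b0c0d0e0f"
const vectorWrapped = "1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5"

func main() {
	kek, _ := hex.DecodeString(vectorKEK)
	blob, _ := hex.DecodeString(vectorWrapped)
	key, err := Unwrap(kek, blob)
	fmt.Printf("intact blob:   key=%x err=%v\n", key, err)
	blob[len(blob)-1] ^= 0x01 // one flipped bit anywhere in the exported file
	_, err = Unwrap(kek, blob)
	fmt.Printf("modified blob: err=%v\n", err)
}
```

The IV is a fixed check value rather than a secret: it gives the wrapped file integrity protection, while confidentiality rests entirely on the wrapping key.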

Conclusions

And, so, you need to decide whether you want to share your HSM with others, or run your own. Basically, it typically comes down to the level of FIPS 140–2 you want to comply with. Level 3 is much better than Level 2, but you might struggle a bit in getting all your Cloud services to integrate with it, so often it is a balance between the two.

https://billatnapier.medium.com/single-tenant-or-multi-tenant-hsms-do-you-trust-your-cloud-provider-or-not-to-peek-at-your-keys-da28831a5217
