2

Typical USB tokens (Nitrokey, YubiKey...) allow an everyday user to store PGP keys and use them to encrypt email, harddrives and so on.

The same vendors also offer distinct products called HSMs (Nitrokey HSM, YubiHSM). The suggested use case is protecting CA certificates. They also have a USB token form factor.

Why is a different hardware product required for this use case?

lofidevops
  • 1
    In `YubiSecure?` R Künnemann gives the following description: "In the second part of the paper, we analyze the security of the protocol with respect to an adversary that has temporary access to the authentication server. To address this scenario, Yubico offers a small Hardware Security Module (HSM) called the YubiHSM, intended to protect keys even in the event of server compromise." – J.A.K. Jul 11 '18 at 12:34

2 Answers

4

Hardware Security Modules (HSMs) are used in systems where a company has determined that the risk involved requires a higher level of control than a personal key.

The Use of HSMs for Certificate Authorities

HSMs are common for CA applications, typically when a company is running their own internal CA and they need to protect the root CA Private Key, and when RAs need to generate, store, and handle asymmetric key pairs.

Uses outside of a CA

HSMs are suggested for a company's Privileged Access Security System. These systems use the concept of a "vault" which is unlocked via a key or multiple keys. These keys are usually only required on startup of the vault.

With vaulting systems, typically the options for storage are:

  • Store them on the server. This is not very secure even when you limit access to the server.
  • Store them on Disk/USB. This requires that disk be mounted every time the system is restarted (trouble if you do regular restarts).
  • Store them on an HSM.

In secure systems, this allows a key to be generated without a human needing access to it, stored in a system that is FIPS Level 2+ compliant, and only accessed when a system starts.

Using a USB Key vs. an HSM

Primarily, end-user USBs are designed for the end user's access. They are storing keys which might authenticate them, have encryption keys for data they are responsible for, or are part of a process that identifies that the user is who they say they are.

An example of this is the use of a YubiKey to hold the private encryption key for sensitive company data. You might have access to a trade secret, or be allowed to perform analysis on compliance-critical data such as PII and Healthcare or Credit Card Data.

HSMs are not designed to be a personal authentication unit. They are installed on servers to provide secure generation, storage, auditing, and distribution of keys for high-risk applications and systems.

Examples include the storage of server certificates for authentication between systems, encryption keys which are used by processes but don't need to be seen by humans, and shared keys between servers used to access encrypted data or establish encrypted connections.

Pseudo-Summary

You could think of the use cases in terms of people versus systems.

If a company has a need to provide increased security of systems which a person requires access to as part of their job, something like a YubiKey makes sense.

If a company has a need to provide increased security to systems where processes and the systems themselves need access but a user wouldn't normally be required to know, then an HSM is the better option.

Anecdote

Imagine walking around with the key to your company's entire certificate authority in your pocket, one that provides the authenticity for 1200 servers, and that key slipped out of a hole in your pants. Now imagine the nightmare of having to re-issue a new CA certificate, all the new signing certificates, and all the server certificates.

edits:

At the suggestion of @MikeOunsworth, I updated and expanded this answer.

Shane Andrie
  • YubiKey does offer FIPS Level 2+ versions of their end-user devices (https://www.yubico.com/products/yubikey-fips/), so there must be other differentiators between their end-user and HSM products? – Mike Ounsworth Jul 11 '18 at 16:24
  • 1
    The YubiKey end-user product is meant to protect a small number of keys, with a limited set of algorithms. If you look at the specs for the HSM, it's meant to handle keys in larger quantities, with a wide set of algorithms. It's also performance tuned for handling cryptographic functions inside a workflow (like verifying certificates for access-control, on ie. a VPN gateway or directory server), not just for a single user's login every once-in-a-while. – nbering Jul 11 '18 at 17:09
  • @MikeOunsworth End-user devices might need to meet FIPS compliance for certain things, such as working with PII, HIPAA, or PCI data. However these keys are typically designed to hold a person's access, not a system's. I might give you a YubiKey for securely storing your authentication, and I might use an HSM to store server authentication, private keys, shared keys, etc. that a process might need. – Shane Andrie Jul 11 '18 at 17:52
  • 1
    @ShaneAndrie You should include those in your answer (then I'd upvote). As it reads now, the only difference is FIPS, which is .. wrong. – Mike Ounsworth Jul 11 '18 at 17:54
  • so a sysadmin might buy an end-user USB token that she carries around herself and uses to encrypt email, but she buys an HSM USB token that she plugs into a physical server machine and leaves it there? couldn't a remote attacker with root access still utilize the HSM? – lofidevops Jul 12 '18 at 14:58
  • (I'm guessing there's some aspect of the use case or threat model that I'm still missing) – lofidevops Jul 12 '18 at 14:59
  • Upvoted as promised :) – Mike Ounsworth Jul 12 '18 at 16:32
  • 1
    @d3vid Yes, an attacker with root access to the server can utilize the HSM for as long as they maintain control of the server (ie removal of malware or disconnection of the USB stick will end it). Compared to crypto keys stored in software where they can make a copy of the private key and send it back to the attacker. (Like forcing someone to open a door at gunpoint vs secretly making yourself a copy of the key to come and go as you please). – Mike Ounsworth Jul 12 '18 at 16:36
  • 1
    @d3vid Also of note is that HSMs typically have a strict interface for use and applications are designed to interface with them, not necessarily people. This can limit an attacker's progress, even with root permissions. – Shane Andrie Jul 16 '18 at 14:37
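
Added example (not written by any poster on this page): a toy Python model of the distinction drawn in the comments above, where a key held in software can be copied and used after the attacker is evicted, while a key inside an HSM can only be used while the attacker still controls the server. The class names, the `reachable` flag and the use of HMAC-SHA256 as a stand-in for the CA's asymmetric signature are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 stands in for the CA's asymmetric signature (assumption).
    return hmac.new(key, msg, hashlib.sha256).digest()


class SoftwareKey:
    """Signing key stored on the server: root can read the raw bytes."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, msg: bytes) -> bytes:
        return mac(self.key, msg)


class ToyHsm:
    """Toy HSM: key is generated inside; only sign() is exposed, and logged."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never returned by any method
        self.reachable = True                # attacker's path to the device
        self.audit_log = []

    def sign(self, msg: bytes) -> bytes:
        if not self.reachable:
            raise PermissionError("no path to the device")
        self.audit_log.append(msg)           # every use leaves a record
        return mac(self._key, msg)


def run_scenario() -> dict:
    soft, hsm = SoftwareKey(), ToyHsm()
    # Phase 1: attacker holds root on the server.
    stolen = soft.key                        # silent copy of the key bytes
    hsm.sign(b"rogue-cert-1")                # the HSM key can only be *used*
    # Phase 2: malware removed or token unplugged.
    hsm.reachable = False
    forged = mac(stolen, b"rogue-cert-2")    # computed off-box with the copy
    try:
        hsm.sign(b"rogue-cert-2")
        hsm_after = True
    except PermissionError:
        hsm_after = False
    return {"software_forgery_after_eviction":
                hmac.compare_digest(forged, soft.sign(b"rogue-cert-2")),
            "hsm_signing_after_eviction": hsm_after,
            "hsm_audit_log": hsm.audit_log}
```

In this model the exposure with the HSM is bounded to the period of server control and each misuse appears in the audit log, whereas the copied software key keeps producing valid signatures indefinitely.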
3

[This is speculation based on vendor website -- I have no direct experience with these devices]

My speculation is that a specialized HSM version of the device is not required, but since it is designed for this specific use-case, it will have more features tailored to this use-case. Much like how you don't need a hammer to drive in nails; you can use the handle of a screwdriver.

Taking the Nitrokey product comparison sheet as an example, we can see that the end-user devices support a wide range of end-user applications like PGP and 2FA / OTP, a built-in password manager, encrypted USB storage on the device, etc. Meanwhile, the HSM only supports cryptographic keypairs, can hold many more keypairs, and has specific features for managing PKI/CA keys.

[Image: Nitrokey product comparison table]

Mike Ounsworth