Overview of Hardware Security Module
A Hardware Security Module (HSM) is a physical computing device that provides extra security for sensitive cryptographic operations like code signing. HSMs protect private keys used for code signing and provide strong cryptographic functions to sign code or firmware updates. Using an HSM for code signing is considered a best practice as it enhances security and prevents theft or misuse of signing keys. This article covers best practices for setting up, configuring, and managing an HSM for code signing.
How to Select the Right HSM
When choosing an HSM for code signing, the most important factors to consider are:
- FIPS Validation: Select an HSM that is FIPS 140-2 Level 3 validated. FIPS validation ensures the cryptographic functions and security levels meet stringent standards set by the US and Canadian governments.
- Algorithms Supported: The HSM should support secure hash algorithms like SHA-256 and signing algorithms like RSA 2048+ or ECC P-256/P-384. These are the minimum requirements for code signing certificates today.
- Key Protection: Opt for an HSM with physical tamper resistance and protections like encrypted memory, battery-backed RAM, physical sensors, etc. This secures the private keys from extraction or duplication.
- Remote Administration: Choose an HSM that can be administered remotely since code signing keys need to be accessible from signing servers. Opt for a network-attached HSM with remote tools.
- Scalability: Pick an HSM that can scale up in terms of cryptographic performance and the number of keys stored to meet future needs.
- Vendor Support: The HSM vendor should have good technical support and firmware/software updates to fix any issues or vulnerabilities discovered over time.
How to Setup and Configuration HSM
Once an appropriate HSM is selected, it needs to be installed securely and configured properly for code signing:
- Physically install the HSM in a secure environment with restricted physical access to prevent physical tampering.
- Connect the HSM to a dedicated signing server or appliance via a direct USB or network connection. Do not connect it to any other systems.
- Install any required HSM middleware, drivers, libraries, etc., on the signing server to enable communication.
- Initialize and configure the HSM according to the manufacturer’s instructions. Set an administrator PIN and authentication credentials.
- Generate signing keys within the HSM and protect them with separate usage passwords. Use secure passphrases.
- Configure access control policies so only authorized users/services can access the signing keys.
- Enable logging and auditing features to record key usage and HSM events. Forward logs to a centralized monitoring system.
- Register the HSM with public key infrastructure, such as a certificate authority, to manage public key certificates.
How to Generate and Store Code Signing Secure Key
Best practices for generating and storing code signing keys on the HSM include:
- Use the HSM’s random number generator and key generation functions to create keys. Do not create them externally.
- Generate 2048-bit or higher RSA keys or 256-bit ECDSA keys. Lower key sizes are not recommended.
- Enforce multi-factor authentication for key activation, such as an access card plus PIN.
- Create separate keys for development, test, and production environments.
- Store keys securely within the HSM and never export private keys.
- Back up keys to another HSM via secure key transfer protocols. Do not create plain text backups.
- Assign keys unique labels, IDs, and descriptions when generating them for easy organization.
- Set key expiration dates through public key certificates and renew them periodically.
How to Managing Access and Usage of Code Signing Keys
To securely manage access and usage of code signing keys:
- Assign granular user access rights so only authorized users can access keys.
- Enforce dual control so key activation requires M of N administrators to approve.
- Allow only the signing application to integrate with the HSM to access keys. Limit other access.
- Protect key access with smart cards, secure tokens, or multi-factor authentication.
- Create access logs each time keys are accessed and used for auditing.
- Run regular key ceremonies for tasks like renewing expiring keys, destroying old keys, etc., under multiple persons’ supervision.
- Allow remote administration only over TLS-secured connections and VPNs.
- Disable unused key ports and services on the HSM to minimize the attack surface.
Handling Key Compromise
- In case of incidents like key compromise, loss, or suspected tampering:
- Immediately revoke the impacted key’s certificate through the certificate authority.
- Destroy the compromised key material securely by resetting or zeroing the HSM.
- Revoke access authorizations for the compromised key from the HSM.
- Generate a new key using approved procedures and get it certified by the CA.
- Analyze the root cause, check HSM logs, and determine the impact of the compromised key.
- Report the issue to stakeholders, development teams, and users who are impacted by the key.
- Update code signing policies and procedures to prevent similar incidents in the future.
Audits and Firmware Updates
Regular security practices include:
- Perform audits to ensure controls like access rules, logging, passwords, etc., are correctly configured.
- Test disaster recovery procedures to ensure keys can be recovered from backups.
- Upgrade HSM firmware when new versions are released to get security patches.
- Periodically validate FIPS certification has not expired, and algorithms are still approved.
- Evaluate physical security controls around the HSM, such as CCTV monitoring, locked racks, tamper evidence, etc.
- Hire external auditors or consultants to assess the code signing process and HSM deployment periodically.
Final Thoughts
Using an HSM provides a high level of assurance and security for code signing keys. Following best practices for selection, setup, key management, access control, auditing, and maintenance is essential. HSMs significantly enhance trust in code integrity and authenticity by protecting the core cryptographic material. With proper HSM deployment and operational procedures, organizations can securely sign code to safeguard users and ensure critical firmware and software updates are genuine.
Frequently Asked Questions
What key types can be generated and stored on an HSM?
HSMs support generating and storing asymmetric private keys like RSA and ECDSA, which are commonly used for code-signing certificates. Symmetric keys for bulk encryption can also be secured in an HSM.
Are HSMs necessary for enterprise-scale code signing?
Yes, HSMs provide essential hardware-based security for enterprise code signing needs. The cryptographic operations are offloaded from application servers into a hardened device. This is superior to software-based key storage.
How are keys loaded onto an HSM?
Keys can be generated directly within the HSM. Alternatively, keys externally generated can be injected into the HSM through cloning, which encrypts them for import.
Does using an HSM impact code signing performance?
Properly sized HSMs are designed to offload cryptographic operations from servers so they improve overall code signing performance. The network connection between the signing server and HSM needs to be fast for optimal throughput.
What happens if an HSM fails?
HSMs provide redundancy capabilities through features like high-availability clustering and secure backups. Keys can be recovered from backups into a spare HSM, minimizing downtime if an HSM fails or needs to be taken offline.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.