Modern Cryptographic Hardware

Jun 15, 2024

Modern Cryptographic Hardware: TPM, HSM, and Secure Enclave

Trusted Platform Module (TPM)

  • Specialized hardware for providing cryptographic functions on individual computers.
  • Used for tasks like generating random numbers or cryptographic keys.
  • Has persistent memory for storing keys unique to the machine.
    • Useful for secure key generation and full disk encryption.
    • Can store keys for systems like BitLocker.
  • Password protected, with built-in resistance to brute-force and dictionary attacks.
  • Primarily provides encryption functions for a single device.

Hardware Security Module (HSM)

  • Used for large-scale cryptographic functions in data centers.
  • Can provide secure storage for encryption keys for hundreds or thousands of devices.
  • Often clustered with redundancy in power supplies and network connectivity.
  • Can include additional hardware like cryptographic accelerators for fast encryption/decryption.
  • Centralized HSM securely stores keys, preventing unauthorized access.
  • Used in scenarios with many web servers needing secure key storage.

Key Management Systems (KMS)

  • Centralizes management of diverse encryption keys.
  • Can be on-premises or cloud-based.
  • Allows for management from a single console.
  • Keeps keys separate from the data being protected.
  • Supports creation and association of keys like SSL/TLS, SSH, Active Directory, and BitLocker keys.
    • Automates key rotation.
    • Provides logging and reporting of key usage.
  • Dashboard example:
    • Summary of key types, certificate authorities, expiration dates, licensing details.
    • Key details for SSL, SSH.
    • Reporting on key usage and activity.
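The KMS pattern in the bullets above (keys held centrally and apart from the data, versioned rotation, a usage log), as an added in-process model that is not part of the original notes; the KeyManagementSystem class and the HMAC-based keystream are constructed here as a stand-in for a real KMS and AES.

```python
# Added example: minimal model of the KMS pattern (central key store, keys kept
# apart from the data, versioned rotation, usage logging). Constructed for
# illustration; the XOR keystream is a placeholder for AES and is not a real cipher.
import hashlib
import hmac
import os
import time


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream built from HMAC-SHA256 counter blocks (stand-in for AES-GCM)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KeyManagementSystem:
    """Holds master keys by version; hands out data keys wrapped under the current master."""

    def __init__(self):
        self.master_keys = {1: os.urandom(32)}  # master keys never leave this object
        self.current = 1
        self.audit_log = []                      # every key operation is recorded

    def _log(self, op, key_version, principal):
        self.audit_log.append({"ts": time.time(), "op": op, "version": key_version, "who": principal})

    def rotate(self, principal="key-admin"):
        """New master version for future wraps; old versions stay for unwrapping old blobs."""
        self.current += 1
        self.master_keys[self.current] = os.urandom(32)
        self._log("rotate", self.current, principal)
        return self.current

    def generate_data_key(self, principal):
        """Return (plaintext data key, wrapped blob); only the blob is stored beside the data."""
        plain, nonce = os.urandom(32), os.urandom(16)
        wrapped = _keystream_xor(self.master_keys[self.current], nonce, plain)
        self._log("generate_data_key", self.current, principal)
        return plain, (self.current, nonce, wrapped)

    def unwrap_data_key(self, wrapped_blob, principal):
        version, nonce, wrapped = wrapped_blob
        self._log("unwrap_data_key", version, principal)
        return _keystream_xor(self.master_keys[version], nonce, wrapped)


def encrypt_record(kms, principal, record: bytes):
    """Envelope encryption: the record travels with its wrapped key, never the master key."""
    data_key, wrapped_key = kms.generate_data_key(principal)
    nonce = os.urandom(16)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": _keystream_xor(data_key, nonce, record)}


def decrypt_record(kms, principal, env):
    data_key = kms.unwrap_data_key(env["wrapped_key"], principal)
    return _keystream_xor(data_key, env["nonce"], env["ciphertext"])
```

Records wrapped before a rotation remain readable because the blob carries its master key version, and the audit log shows which principal touched which key version.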

Challenges in Modern Data Security

  • Data spread across multiple systems (laptop, mobile phone, home computer, etc.).
  • Attack methods keep advancing, so defensive techniques must keep evolving.
  • Need to protect rapidly changing data.

Secure Enclave

  • Security processor built into devices for data privacy.
  • Separate from the primary CPU.
  • Built into mobile phones, laptops, and desktops.
  • Different manufacturers use different names for it, but it is generally called a Secure Enclave.
  • Functions:
    • Has its own boot ROM for process management and monitoring during boot.
    • True random number generator.
    • Real-time data encryption in/out of memory.
    • Built-in cryptographic keys used as the root for system cryptography.
    • AES encryption in hardware.
  • Ensures data privacy even if a device is lost or stolen.