WO2007010333A1

WO2007010333A1 - Host security module using a collection of smartcards

Info

Publication number: WO2007010333A1
Application number: PCT/IB2005/052438
Authority: WO
Inventors: Hani Girgis; Nader Iskander
Original assignee: Hani Girgis; Nader Iskander
Priority date: 2005-07-20
Filing date: 2005-07-20
Publication date: 2007-01-25

Abstract

A full-fledged practical Host Security Module, HSM, using a collection of smartcards. It is a new way for making an HSM at a very small fraction of the cost of making a traditional HSM for the same throughput-performance and without trade-offs. From the hardware prespective, it is made of a collection of smartcards and a communication handler that can communicate with these smartcards, this communication handler can be even be a process that runs on the host computer itself that will use the HSM. From the software prespective it is made of a security module software that resides on each of the smartcards in the collection and a communication handler software that would reside on the computer that manages the smartcards collection from the communications point of view. This invention eliminates the need for the very expensive physically secure enclosures of the HSMs and gives many other benefits described in detail in the disclosure. It is a full-fledged practical HSM in the sense that it does not miss any of the capabilities of traditional HSMs, like secure printing of secrets and keys, secure interaction with the security officers, interaction with other critical devices, interaction with the host computer...etc. The invention also describes the method for managing such a possibly very large collection of tiny security devices through maintaining secure signed list of ID's of these security devices. All the security officers must agree in order to add or remove a 'security module' from the list. This prevents fraudulent smartcards from being added to the collection. Also, if one or more smartcards were stolen from the collection, anti-theft techniques ensure that they will not be usable and in all cases the local master keys are never brought out in clear from any of the smartcards in the collection.

Description

Description HOST SECURITY MODULE USING A COLLECTION OF

SMARTCARDS

Technical Field

[1] HSM: Host Security Module, which is a security equipment that enforces the critical security processes of a host computer. Relying on HSMs protects the system from server-side attacks. Server-side attacks are usually insider attacks, i.e. attacks from employees that work on the system such as system administrators, developers...etc. HSMs today are used primarily in military such as in nuclear command and control and in card payments, especially in PIN based card payment networks.

[2] Smart cards: tiny chip computers that are physically secure and are used mainly by clients to authentication themselves to services.

Background Art

[3] The HSM technology:

• The HSM is usually made of a computer inside a physically secure enclosure, i.e. tamper-resistant or tamper-evident or tamper-proof or the like...

• The critical security processes are executed inside the HSM itself, not on the host computer.

• An HSM acts as a peripheral device to the host computer. See Figure 2 in the drawings section. The host sends a command to the HSM through for example the serial port or Ethernet and receives a response back from the HSM.

• The HSM technology is primarily used for military and card payments to ensure system security, but it can also be used for other fields to secure the server side operations, like for example the authentcation and authorization of clients.

• HSMs radically prevent attacks on the server-side, especailly the insider- attacks. No developer or administrator can attack a system that relies on HSMs.

• HSMs provide military-grade security, i.e. security equivalent to having a computer system inside a physically secure room made of very thick concrete walls and thick iron door with multiple strong locks that are under the control of multiple security officers, which are generally between two to twelve security officers but in most implementations they are three or four.

• The HSM technology was a breakthrough because it brought equivalent security to military-grade physically secure rooms that cost a few million dollars with just a physically secure prephiral equipment, i.e. the HSM which costs a few tens of thousands of dollars. It is a two orders of magnitude cost reduction, i.e. hundred times less cost.

The idea behind the HSM technology is that, not all the operations need to be protected by physical security. So, the host computer will do all the un-critical operations and pass only the critical operations to the HSM; yet the host computer cannot affect the security because the operands are already encrypted by keys known only by the HSM.

HSMs are based on the split-control concept where more than one security officer, usually three to twelve security officers, need to agree in order to perform an operation that may involve security hazards. Each security officer proves his identity to the HSM through at least two-factor authentcation, usually a physical key or a smartcard and a PIN.

A security hole can not happen unless all the security officers cooperate and agree to make such a security breach.

Having all the security officers agree to make a fraud is considered a very unlikely thing to happen. This is a military security concept. Even the president himself can be one of these security officers. Less critical operations require less number of security officers, like two- officers for example, while a high-critical operation may require all the security officers to be present.

HSMs are equivalent to a computer inside a physically secure safe. Having levels of critial operations is like having a critical safe inside another bigger safe; the inner safe requires further keys and secrets to open. HSMs are field specific, i.e. there is an HSM for card payments, an HSM for 3D Secure, an HSM for nuclear command and control... etc. When HSM is in use, the security of the host computers cannot affect the security of the system. AU the developers of the host computer and all the administrators of the host computer cannot break the security, because the operands of the operations that the HSM performs are encrypted under keys known only by the HSM and other HSMs or other tamper resistant security modules in the system, like for example PIN pads which are also physically secure. So, server-side attacks and insider attacks are radically eliminated. The operations that an HSM performs are critical operations related to the field in which it is used for, they are not the generic encrypt or decrypt commands. These operations are usually implemented as firmware in the HSM. The firmware of the HSM is not changeable during the normal field operation of the HSM. The main feature that distinguishes an HSM from a hardware cryptographic accelerator or a PKCS#11 device is that the HSM has business logic that executes inside the secure enclosure, while cryptographic devices simply does generic cryptographic operations.

Cryptographic devices protects the secret keys inside it, but HSMs does more than protecting the keys; HSMs protect the critical operations and critical data, by making the critical data encrypted under its local keys and having all the operations that are needed for processing the critical data implemented as firmware inside the HSM. So, the critical data never needs to be clear outside the HSM.

The HSM is not a big database for data or keys. The HSM rely on protecting only a small set of keys inside it, called the local master keys, while keeping all the other keys and critical data, which need protection, in encrypted form outside the HSM. They are usually kept encrypted under the local master keys, so only the HSM can decrypt these keys and critical pieces of data. So, the only keys that the HSM stores inside it are the local master keys, by which it can decrypt the data and the other keys and perform the needed operations inside the HSM itself.

Unlike cryptographic devices, the clear data is never clear or available to the host computer. The HSM never brings back the clear data to the host computer. The HSM does the processing on the critical data inside it; this is why the HSM is field specific, because each field deals with different set of data and requires specific operations.

A backup copy of the HSM local master keys are stored on the officers' keys, which can be smartcards or whatever crypto device; they are stored in split form, i.e. no single officer has the complete local master keys; all the security officers must agree together to form the full local-master-keys inside a new HSM device. This process is needed for both replacing an old HSM with a new one, and in case of an HSM lost its local keys due to theft prevention counter measures or physical shocks. It is important to note that neither local master keys nor its components are ever in clear outside an HSM, because the local master keys are the most critical thing for an institution that relies on the HSM.

In addition to secure interaction with the security officers, HSMs operate in online transaction processing mode, where it receives commands and replies with responses to the host; security officers need not to intervene during this time. This is the most common use of the HSM. Host Security Modules need to have high throughput that is usually measured in Transactions Per Second, TPS, which is the number of transactions that the HSM can process in one second. Typically, an HSM processes between IOTPS to a few hundered transactions per second depending on whether the HSM is an entry-level HSM or a high-end HSM.

HSMs normally operate in online transaction processing environments, where the host computer sends commands to the HSM and receives a reply back. The critical parameters of these commands are generated by other tamper resistant security modules, so even the host cannot decrypt it or tamper with it.

Interaction with the security officers is usually an occasional task, like for example, creation of a new key agreement that need to be made or a critical batch task need to be performed; but the normal operation is usually online transaction processing from the host without the need for the intervention of security officer.

HSMs are also used for secure printing of secrets, keys and PINs. It is extremely important to note that an HSM is not a mere cryptographic device in a physically secure enclosure. An HSM provides a much higher security logic than a cryptographic device or token. An HSM executes the secure business logic inside its physically secure enclosure, but a cryptographic device executes only the cryptographic operations inside its physically secure enclosure.

An HSM protects the keys, processes and ensures data security. But a cryptographic device protects only the keys.

The HSM does not assume that the host system is trusted in any way. While in an environment where a normal cryptographic device is used, the host system must be trusted for th data, because the host will have access to the clear data. But systems that rely on HSMs, the data is in clear form only inside the HSM. A person skilled in the art of HSMs understandands that the HSM provide true military grade security service to a system and that any attack on the host computer cannot break the security of the system, because the critical data is never in clear outside the HSM. It is the HSM that does the processing, i.e. the business logic, of the critical data. This processing can be done inside the HSM only, so the host has no way to break the security of the system; as a result, the attacks on the server side are eliminated.

To re-emphasize, an HSM is not a mere hardware cryptographic accelerator. An HSM provides security service, while a hardware cryptographic device provides just cryptographic services. In the market, a Host Security Module is a very different product than a hardware cryptographic device for acceleration of cryptographic operations and protecting keys. Also the pricing is very different. Only very few companies produce Host Security Modules, but hardware cryptograhpic devices like SSL accelerators and PKCS#11 devices are commodity products.

• An HSM implements business logic related to a certian field, like card payments for example, inside it. But a cryptographic device provide general purpose cryptographic operations like encrypt, decrypt, sign...etc.

• A Host Security Module never gives access to low-level cryptographic operations, because this makes the data security dependent on the host system. HSMs provide only high-level operations related to the field inwhich it is made for, e.g. card payments or nuclear command and control... etc.

• Host Security Modules must have means for interaction with security officers in a sufficiently secure way

• A Host Security Module usually secures a host that is part of a bigger system that also relies on other HSMs and/or Tamper Resistant Security Modules, TRSMs. For example the system can be composed of other terminals that has TRSMs in it, like secure PBSf pads, in addition to other hosts that rely on other HSMs. See Figure 3.

• So, the critical data is passed from one TRSM to the other, but never in clear outside a TRSM.

The HSM is a TRSM suitable for host systems. But not every TRSM is an HSM.

• An HSM can directly communicate with other devices, like secure printers for printing secure PIN mailers and other critical secrets, or smartcard personalization devices, or terminal key injectors...etc. This communication does not happen through the host, it is rather communicated directly in a secure way with the HSM.

• In secure HSMs, the communication between these devices and the HSM must be encrypted; which means that these devices themselves contain TRSMs to ensure the secure key agreement with the HSM.

[4] Secure interaction with security officers involves

• A console, which can either be a dummy console, i.e. a screen and a keyboard, or a secure console like for example a physically secure PIN pad device with screen and keypad

• Security officers need to authenticate themselves to the HSM using a something that you have and a something that you know and sometimes optionally a something that you are, i.e. biometrics • For the "something that you have" authentication factor, smartcards or tokens are usually used; very old HSMs however, used a full sized IC chip to be kept by the security officer!

• For the "something that you know" authentication factor, PINs or passwords are usually used; this can be entered on the HSM console that is assumed to be secure

[5] Using smart card as a tiny tamper resistant security module for devices, but not for a host, i.e. not a Host Security Module:

• This is a very old idea where smart cards are used as the security module of low-throughput transaction systems, like a transaction terminal such as an ATM machine, or a POS terminal or a PIN pad. The smartcard is embedded in the ATM machine or POS terminal, for adding security to it, but not to the host. They are usually called a SAM, i.e. Security Access Module.

[6] An array for smart cards as a processing power, i.e. a server computer:

• This idea was thought of and mentioned many times many years ago, but with no useful invention based on it.

Disclosure of Invention

Technical Problem

[7] The HSM technology is a great technology for securing the server side of computer systems against numerous attacks, especially internal attacks from developers and administrators on the host systems or server computers. But until today, it is used in very limited domains, like nuclear command and control, card payments and lately in the server side of 3D Secure systems; 3D Secure is a method introduced by Visa for securing Internet credit-card transactions. In systems where HSMs are used, no employee can ever break the security of the system. Only the security officers must all agree in order to make security-critical operations.

[8] The problem is that the cost of manufacturing an HSM is very high, hence very few fields, like card payments and nuclear command and control, can actually afford relying on the HSM technology. But it is known that the HSM technology can bring great military-grade security benefits to many other field as well, if HSMs were sufficiently affordable. Attacks on the servers and internal attacks are threatening many fields today. Even in the bank itself, the HSMs are used to protect the card payment system and the PINs of the cardholders, but the Internet banking usernames and passwords are usually not protected by HSMs! So, even banks are sometimes unable to afford the use of HSMs in all the areas. It is not just because HSMs are expensive, but primarily because the use of HSMs is standardized only for critical fields like card payments, but for the web-applications field, the HSMs are not even heard of because they are too expensive for that domain. Now, even if the bank buys some more HSMs to secure his Internet banking website from server-side attacks instead of the traditional weak solutions like firewalls and the like, the vendors of the web application servers technologies, like .NET and Java 2 Enterprise Edition are not adapted to use the HSM technology; they are not even aware of the HSM technology, because the HSM technology is too expensive for the e-business domain. But if the HSM technology becomes affordable to the normal e-business, then all the technology providers will be able to standardize the use of this high-level of security to their products; even for databases, operating systems, ERP solutions, hospital management information systems, Internet trading, mobile trading...etc. All the fields will be able to rely on this military-grade security.

[9] Again, it is very important to remember that cryptographic accelerators are not Host

Security Modules, even if some bad vendors call it HSM. The HSM is not a general purpose cryptographic facility. The HSM executes critical business logic related to a specific field inside the HSM. There is no general purpose HSM. The HSM provide security service, which is far much more than mere cryptography, but a cryptographic accelerator provides only cryptographic service. In the e-business and web-application servers domain, cryptographic accelerators are very common, like SSL accelerators and hardware cryptographic service providers, but these are not HSMs. When HSMs would enter these fields, they would add military-grade security to those fields, by ensuring that only certified secure business processes, not just cryptography, to execute inside the military-grade physically secure environment of the HSM, under the split- control of the security officers.

[10] So, if Host Security Modules, were more affordable to normal e-businesses; every organization would use it to ensure military-grade security to its server side system and eliminate the nightmare of hackers who can break into the internal network of the organization; hackers will simply not be able to do anything critical after they break into the network, because all the critical processes and data are protected by the HSM. Even, attacks from internal employees such as administrators and developers will never result in breaking the security of any of the processes or data protected by the HSM. All the control over security is in the hands of the security officers, only. Even a single security officer cannot do anything, all the security officers must agree in order to do something critical. But all normal operations and online transaction processing does not require the intervention of the security officers. So, security officers are never a bottleneck. The HSM technology is truly amazing, but very expensive.

[11] To summarize, there are three factors that strongly affect the widespread usage of the HSM technology: 1. Hardware costs: the HSM is made of a computer inside a physically secure enclosure. This physically secure enclosure costs a lot and hence causes the cost of the HSM to be high.

2. Scalability costs: HSMs are usually a bottle-neck to throughput. If slightly more throughput is needed, there is no way other than adding another HSM to the system or replacing the existing HSM with a new high-speed one. In both cases, another big expense is made. Because even the low-end HSMs are expensive.

3. Customizability costs: as mentioned previously, HSMs have business logic inside it that is implemented on the firmware. This firmware logic is usually implemented by the HSM manufacturer. If the institution owning the HSM has a new operation or a customization that it wants to add to the HSM internal operations, then it will have to go to the manufacturer to custom develop it; which is usually a very expensive and time consuming task. Some HSM manufacturers in fact made available for their customers the development kit for writing the HSM code, but still these development kits are very expensive and require at least one spare HSM for development; they are also written in low-level programming languages like assembly and C. Also a lot of custom security logic is needed by those HSMs to ensure that only authorized code can be loaded on it; otherwise developers can write malicious code and load it on real HSMs that are used for life operation and hence break the security.

Technical Solution

[12] The solution presented by this invention, as shown in Figure 1, is the use of a collection of smartcards to make a practical full-fledged HSM at a very small fraction of cost of manufacturing HSMs in the traditional way, without any trade-offs to security or throughput-performance.

[13] The solution enables all features of full-fledged HSMs to be implemented, such as:

• Secure interaction with security officers

• Secure printing of confidential data like PINs, keys, passwords...etc.

• Secure interaction with other devices, like key injection systems, smartcard personalization systems, actuators.... etc.

[14] The main software components of the current invention

1. The security module smartcard software, which is the software that implements the HSM business logic on each smartcard of the collection

2. The communication handler software, which is computer software that facilitates communication with the smartcards, because the smartcards cannot communicate with multiple devices directly due to its limited interface. The communication handler software also load-balances the operations on the smartcards. [15] The main hardware components of the current invention

1. A number of smartcards, each loaded with the said security module smartcard software

2. A computer able to communicate with these smartcards, running with the communication handler software

[16] It is important to note that no big physically secure enclosure is needed any more in this invention.

[17] The communication handler software can reside on any computer that is not necessarily secure. From the security point of view, this communication handler software is exactly like the cable between the host computer and the traditional HSM. Tapping the cable between the HSM and the host computer does not affect security, because no critical-data is sent in clear over this line at all; Any person skilled in the art of the HSM technology knows that attacking the whole host computer, not just the communication cable between the host and the HSM, cannot break the security of the system in any way; this is because the critical processes and data are protected inside the HSM. This is the main essence behind the prior-art HSM technology, which is preserving security while not assuming the host computer to be secure in any way.

[18] How the host interacts with this new generation inventive HSM:

• The host sends the command to the communication handler as if he is sending it to a traditional HSM.

• The communication handler selects an idle security module smartcard, i.e. one of the smartcards in the collection, and sends the command to it to be processed and the reply is sent back to the host through the communication handler.

• Of course, like in all modern HSMs, the communication handler supports multiple concurrent host computers to connect in parallel to this inventive HSM, and can dispatch multiple commands to the idle smartcards in the collection in parallel and brings the reply back to the corresponding host.

[19] How the security officers prove their identity to this new generation inventive

HSM:

• Although this inventive HSM relies on smartcards to make the HSM itself, but the security officers also need other smartcards or security tokens to authenticate themselves to this inventive HSM, exactly like with any normal HSM.

• For the "something that you have" authentication factor, it is imporant to note that this new generation inventive HSM does not have a smartcard reader housed inside the physically secure enclosure of the HSM, because there is no such big physically secure enclosure in the current invention. The solution presented by the current invention for this problem is to ensure the security in the communication between the security officer's smartcard and all the smartcards in the HSM's collection of smartcards through cryptographic key agreement rather than physically protecting the communication channels, because physically protecting the communication channels will bring huge costs that would over-kill the benefits of this invention. So, either the smartcard or token of the security officer or the smartcard reader of the security officer must have a key agreement with all the HSM's smartcards, which can be based on public key cryptography or pre-injected symmetric keys, both are very practical. The secure communication protocol must ensure both confidentiality and integrity, through encryption and MACing or digital signature enveloping or any other protocol that ensure condifentiality and integrity, because the clear local master key components will be transferred over this channel.

• The smartcard or token of the security officer must have secure access to the identities of the smartcards in the collection. This can either happen by keeping the list of the ID's of the HSM's smartcards collection inside the smartcard or token of each security officer or keeping a digitally signed copy of this list.

• The system treats each smartcard in the HSM's collection of smartcards as a full-fledged HSM by its own, and the security officers must agree to add it to the collection before transferring the local master keys components to it.

• The other authentication factors, like the "something that you know" and the "something that you are" can either be provided directly to the smartcard on the reader itself, or have a key agreement between the reader of that authentication factor and the HSM, as was done in the case of the "something that you have" factor. For example, the PIN of the security officer can be the PIN of the smartcard of the security officer and can be provided directly on the smartcard reader of the security officer with an integrated PIN pad, or a separate PIN pad with a key agreement with the HSM.

[20] How the security officer interact with this new generation inventive HSM:

• The console can either be a personal computer that is assumed to be secure. One way of doing this is using the inventive idea in our previous patent application: SECURE PIN ENTRY USING PERSONAL COMPUTER: PCT/ IB2004/050628, through the idea of booting the computer that will host the console applicatoin, which can be the same as the communication handler software, from a secure bootable source. This is a low-cost alternative to a dedicated secure PIN entry device.

• The other option is using a traditional secure PIN entry device with a screen and key pad with key agreement between it and the inventive HSM

[21] Communication with other devices like secure PIN mailer printers, key injectors, personalization systems of other smartcards...etc.

• Key agreement should be present between the device and the HSM as a single entity. This is now a very common way, as in Atalla's secure PIN printing facility

[22] Normal HSMs, usually has a port for communication with the printer, a slot for inserting the sercurity officer's smartcard, a port for communication with the host, and a port for the console. Now, using the idea of key agreement, each smartcard acts as a full-fledged HSM and the constraint that the smartcard has a single serial interface is no more a problem, because all the communication with each device in the external world can be secured relying on public key cryptography or pre-agreed symmetric keys.

[23] The communication with the host is not so critical with regards to security, and does not essentially need key agreement or encryption, because the critical pieces of data exchanged with the host is already encrypted; only the HSM, i.e. any of the security module smartcards in the collection can understand and use it.

[24] The dramatic cost reduction comes from the fact that traditional HSMs use big physically secure enclosures, which are unnecessary too large for the silicon inside. So, if only the necessary silicon is packed together in the same manner of smartcards, the full HSM can be made at a much lower cost.

[25] Making a very compact HSM will surely make a considerable cost reduction, because the cost of the physically secure enclosure is directly proportional to the dimensions of the volume being secured. But using smartcards that are already produced in mass production for other purposes adds a great additional cost reduction than to manufacturing custom compact HSMs.

[26] The HSMs of the current invention are easily programmable and more secure than traditional HSMs, because smartcards programming environments are currently very well established, like Global Platform for secure loading of smartcards appliations and the JavaCard technology and even the .NET smartcards technology. They are much well established and easier and far much cheaper to develop software for it.

[27] Consequently, the customer himself can implement new security processes for his

HSM and have it signed by the security officers and loaded on all the smartcards, through the communication handler software. The code can be normal smartcard code or scripts interpretable by an engine in the security module software that is already on every smartcard in the HSM collection. [28] How theft protection can be implemented in this new generation HSM

• First it is very important to note that the physical theft of the HSM does not cause a significant problem to the security, because all the security critical operations cannot occur without the security officers (the split control security rule in military grade security)

• But for adding further security it is usually preferred that the HSM would be completely unusable if theft attempts were detected.

• One way of doing this is by making the local master keys in the smartcards of the HSM to be in volatile memory in the smartcard. So, any tearing or loss of power to any of the smartcards will cause all the local master keys in that smartcard to disappear or at least gets disabled. This ensures that any attempt to steal any or all the smartcards will cause the stolen smartcard(s) to be unusable. This is similar but not exactly the same to what happens in traditional HSMs. The disadvantage, is that in case of normal power-interruption to the HSM, all the security officers will have to come again to load the local master keys on the HSM.

• One modified way to the above solution is to make the local master keys nonvolatile, but just cause a small variable to be volatile and be initialized with a different value after tearing. Then to enable to HSM after power disconnection, all what is required is entering an answer to a challenge that one or two of the security officers can make remotely using their security tokens on a normal computer or even on a mobile phone.

• Another way is to have a solid-state accelerometer inside the smartcard that would sense any strong shaking that would normally be caused in thefts that would send interrupts to the smartcard environment to disable the smartcard in case of strong shaking.

[29] How more throughput can be added to the HSM to enable fine-grained linear scalability:

• Just adding one more smartcard loaded with the security module software in it to the collection and then having the secuity officers authorize it to be added to the collection

• This realizes fine-grained linear scalability

• It is fine grained because you add as much additional through-put as needed by just adding more security module smartcards to the collection, i.e. more smartcards adapted with the security module software

• It is linear because the load-balancing performed by the communication handler does not cause any overhead, because it runs on a normal non-secure computer that is already extremely fast to perform the load-balancing without any significant overhead. The work done by the communicaiton handler and specifically the load-balancing part of it is not processing-power intensive at all, compared to the intensive cryptographic computations and critical processes done by the security module smartcards. So, the communication handler software would not cause any bottle-neck; hence the scalability of this inventive HSM is ensured to be linear.

• It is important to note that the managability of the collection is done from the communication prespective by the communication handler software, and from the security prespective, through the security officers keys and/or peer checks from the security module smartcards

Advantageous Effects [30] This invention brings dramatic reduction in the costs of manufacturing HSMs in addition to a bunch of other interesting benefits, without any trade off to performance or security. [31] The current invention dramatically reduces the physical security and hardware cost of the HSM through three main factors:

1. Extracting all the components of the HSM that do not necessarily need to be placed inside the physically secure enclosure to outside the secure physical enclosure; hence the final volume of that needs to be physical secured will be far much smaller. It is important to note that processor and memory chips are far much larger than the actual silicon that does the work. For example, in a typical microprocessor, over 98% of its volume is dummy ceramics for physically supporting the large number of pin-outs of the processor. If only the actual silicon of the processor and memory is packed together with just a few external pin-outs or contacts, without any ceramics or circuit boards, the actual volume of this tiny packing will be much smaller than even the smallest die! The reason why the volume factor is extremely important: The physically secure enclosure that encapsulates the traditional HSM represents the most significant portion of the hardware cost of an HSM. The cost of the physically secure enclosure is directly proportional to the dimension of the volume being secured; in other words it is proportional to surface area of the volume being secured; this is because of the cost of the material and manufacturing process required to achieve this physical security.

2. Instead of custom manufacturing a tiny HSM following the model in the above step, use the pre-manufactured smartcards instead. This brings the huge economies of scale benefits of smartcards. Smartcards are already produced in millions for use in other industries; using smartcards brings mass production benefits to the HSM industry that the HSM industry itself did not create. HSMs are usually produced in very small quantities compared to smartcards, because the market for HSMs is considered much smaller than smartcards.

3. The communications handler can run on very low-cost non-secure computers; it can even work without a dedicated computer altogether. For example it can run as an auxiliary process on the host computer itself. [32] Using modern smartcards like USB smartcards, iButton smartcards, SD-Memory smartcards, smartcard-like tokens, high-speed smartcards...etc rather than the old traditional smartcards brings other further cost reductions to the hardware of this inventive HSM:

• The slow serial interface is no more a bottleneck to the throughput of the smartcard. In the old standard smartcards, the serial communication bandwidth was just 9600kbps while modern smartcards, like the new USB smartcards can even utilize the full speed of the USB 2.0 interface, i.e. 480Mbits/second. Having higher throughput, means less number of smartcards will be needed in order to achieve a certain total throughput of this inventive HSM

• Dramatic reduction to the cost of the smartcard readers: Modern smartcards usually implement communication protocols other than the original standard ISO 7816 serial protocol. These protocols usually require far less sophisticated reader device than the standard smartcard reader. This results in a dramatic reduction in the costs of the interface with the smartcards. Some modern smartcards implement, inside the chip itself, the full USB interface, hence requires just a very low-cost simple connector, with no electronics inside at all, to be able to connect to a USB port of a computer or a USB hub. Dramatic cost reduction of the communication hardware that interfaces the communication handler with the security module smartcards implies another significant total cost reduction to this inventive HSM.

• Modern smartcards utilize advanced cryptographic processors with extremely optimized architectures for cryptographic operations. So, even at a very low clock-rate the cryptographic operations would execute in much less time than on a normal processor running at a much higher clock-rate. The 'security module' application that runs on the smartcard is usually a cryptographic operations intensive application, hence having it run on a smartcard with a good cryptographic processor results in a much higher performance; sometimes even higher performance than executing it on normal processor running at a much higher clock rate. This directly affects the throughput of the smartcard and consequently less number of smartcards is needed in order to achieve a certain total throughput of this inventive HSM. • Modern smartcards today run at much higher clock-rate than old traditional smartcards; this is in addition to the highly optimized cryptographic processor architecture. Also, the memory technologies used in some modern smartcards are ten thousand times faster than in traditional smartcards, e.g. Fujitsu FRAM. This dramatically affects the throughput of the smartcard and consequently less number of smartcards will be needed in order to achieve a certain total throughput of this inventive HSM. [33] The current invention also reduces the logical security and software costs, as clarified in the following five points:

1. Smartcards platforms, like JavaCard on Global Platform are usually considered very secure and already acquire the highest level of security certifications, like FIPS-140 level 3 or higher and Common Criteria CAL 5+ and is already accepted as the most secure security element by military, governments and the wholesale and retail financial industry, i.e. ANSI X9.9 and ANSI X9.24

2. Developing smartcard software is now very easy, clean and supported by very elegant development kits. Like Sun's JavaCard development kit and many others.

3. Proving the security of a JavaCard application is much easier than tracing the security of software developed for proprietary platforms using a very low- level language like assembly or C. The firmware of traditional HSMs today is programmed in assembly or C or in a propietary language.

4. On smartcards, the developer already has a well-established platform with very rich API's, while for proprietary platforms these benefits are missing

5. The communication handler can run on normal computers, hence the cost of developing it is much lower than writing software for a special dedicated computer, like in the case of traditional HSMs. Also, customizing and enahancing it is very easy and does not introduce any security hazards. One excellent benefit of this flexibility is that the HSM can support a wide variety of communications and messaging protocols for the communication with the host; the communication controller software can do this translation without any security hazard.

[34]

[35] Here is again a simplieifed list of the three secrets behind the dramatic cost reducdtion that this invention provides:

1. The cost of the physical enclosure: the physically secure enclosure constitutes a very considerable part of the cost of an HSM. The cost of this expensive enclosure is proportional to the spacial dimensions of the HSM. But since the actual silicon of the processor, EEPROM and RAM is actually very small, then manufacturing tiny HSMs brings dramatic cost reduction. HSMs today use normal processors with lots of ceramics for the pinouts, boards, fans, memory chips with lots of ceramics, pinouts and boards. If only the silicon is tied together and be put in a very small physically secure enclosure then the cost of the physically secure enclosure will be very cheap because it is very small, hence the HSM cost will be dramatically cheaper.

2. Massive mass production effect: Now if instead of manufacturing the above custom tiny HSM; smart cards already has all these properties and are already producted in billions for other purposes. Taking some of these already manufactured smart cards to make an HSM gives an enormous mass-production cost-reduction effect that the HSM industry can never acheive by itself. The HSM industry would be getting an enormous mass-production effect and benefits that it did not make by itself, simply because smartcards are already being produced in hundreds of millions for other purposes.

3. Modern smartcards effect: the slow serial interface of smartcards is now broken. Years ago, it was known that fifty percent of the time taken to execute an operation on a smart card is taken just in transferring the data through the very slow serial interface, which was just 9600Kbps. But now, modern smartcards of many kinds has much higher bandwidth interface and also very high speed processors and memory and good crypto-oriented architectures. There are smartcards today that are able to communicate at 115000Kbps and others communicating and USB 1.1 and even full USB 2.0 speed and sometimes with SD-Memory interfaces which are very high-speed. Also very advanced crypto processors and 32-bit architectures are used. All of these make much less fewer smartcards needed to make an HSM using smartcards comparable to a normal HSM with regards to throughput and performance. Another effect of modern smartcards, is that they usually do not need a sophisticated smartcard reader, modern smartcards like e-gate USB smartcards for example, require just a connector with no electronic cirtcuit inside it rather than an expensive sophsticated smartcard reader which traditional smartcards require, see Figure 5. Also, iButton is another example of smartcards that also require a very simple low-cost reader. So, the second effect of modern smartcards is the great breakdown of the smartcard readers costs and sometimes the total elimination of the need for a smartcard reader altogether, like in USB smartcards.

[36] In a sample real implementataion that we the inventors made, we were able to acheive the performane of a typical entry-level Host Security Module, i.e. 10TPS, using only four normal USB sniartcards connected to a simple USB hub. Of course the security officers has their own smart cards other than those four USB smartcards that make up the HSM itself. This implementation showed the dramatic breakthrough that this invention provided to the HSM industry. A traditional 10 TPS HSM would cost over $15000; now using the current invention, we were able to make an equivalent HSM with the same security features and the same throughput for just $150!! Which is a two orders of magnitude cost reduction!

[37] This proved that this invention enables the HSM to be manufactured at two orders of magnitude less than a normal HSMs. It is a new breakthrough in the physical security history. Exactly as the normal HSMs caused a breakthrough in the 1950's and made equivalent security to physically secure rooms at a cost that is less by two orders of magnitude; this invention caused a cost reduction of additional two orders of magnitude to acheive the same level of military-grade physical security to host computer systems.

[38] Also, exactly as normal HSMs enabled financial institutions to have military-grade security; this invention will allow normal e-businesses to have this same level of security because of the hundered times cost reduction.

[39] Also, smartcards today are programmable with high level languages like Java and

.NET languages, so implementing custom business logic is much cheaper and much easily verifiable, even mathematically through commodity tools available today in the market for the modern languages.

[40] Also, the security for loading code on smartcards securely is already well covered by the Open Platform standards, which are now called the Global Platform, which is a standard for loading multiple smartcard applications securely on a smartcard with ultimately provable security. Open Platform was originally invented by Visa and then provided as a separate organization called Global Platform. So, it is well approved to be very secure.

[41] Almost all modern smartcards today support Global Platform and are already FIPS certified and achieve high common criteria levels, so getting this invention certified for market use in every specific field is a very straight-forward task, because the underlying hardware and system (which are the already physically and logically secure smartcards) are already FIPS and common criteria certified at the most stringent levels.

[42] It is important to note that the word smartcard is not necessarily a credit-card shaped or SEVI-sized smartcard, it can be any programmable security token that is nomally intended for mass-production for use for client-side security or terminal security rather than server-side security. To name some examples: e-Gate USB smartcards, the iButton from dallas semiconductors, SD Memory with embedded smartcards...etc. The key point is that these tiny crypto devices are already certified for high-security like FIPS and common criteria, and are physically secure, i.e. tamper- ■ proof or tamper-evident or so and the most important thing is that they are already manufactured in mass production for use in other industries, like client authentication or client or terminal security like in SAM cards of POS terminals. This invention makes a collection of these tiny devices, i.e. the smartcards or the like, to function as a true reliable, full-fledged HSM, for securing host computer systems, i.e the server side.

Description of Drawings

[43] Figure 1: The Invention: 'HSM using a collection of smartcards' and a communication handler.

[44] Figure 2: (prior art) a typical deployment of an HSM: An HSM connected as a peripheral to a host.

1. the host computer that needs an HSM to add security to it; most modern HSMs allow for multiple hosts in the same institution to use its service in parallel as long as they rely on the same local master key

2. the typical HSM, which is basically an equipment with physically secure enclosure, where critical processes that are burnt inside the HSM as firmware execute inside it. The host connects to the HSM through TCP/IP or serial port or SNA or any other communication protocol. Some HSMs support more than one communication protocol for the host to connect to it.

3. the database of keys and critical data (e.g. PIN offsets) that the host keeps on behalf of the HSM. This does not lower the security in any way, because all these data and keys are encrypted under the local master keys that are protected inside the HSM. So, only the HSM can make use of it, according to the secure processes that the HSM implements. These security processes are not modifiable by the host, usually only the manufacturer of the HSM has access to implementing new firmware to the HSM.

4. The "other device" can be any other critical equipment that the HSM is designed to directly interact with. For example, a key injection device that injects keys in secure PIN pads that are used in POS terminals. Another example, is a smartcard personalization machine. It can even be a an actuator that would start a nuclear reactor.

5. the printer is usually either a dot-matrix printer without a ribbon and uses special carbonated PIN mailer paper for secure printing of PINs, keys and other secrets, OR a laser printer with a secure DBVIM that has key agreement with the HSM. The Secure DEvIM technology is a secure printing technology that is available in the market today through multiple vendors.

6. the console is like the printer, there are two options, either a dummy console with no processing in it, so there is no fear that it would capture the critical key components and security officer "something that you know" factor that are entered on it, OR a secure PIN pad used as a secure console, where the data between this secure console and the HSM is encrypted through special key agreement. 7. the security officer's device is usually a smartcard, that authenticates the security officer to the HSM, and also carries a component of the local master key. AU the security officers must agree together to load their components on a certian HSM, so that the HSM would be loaded with the complete local master keys. No single security officer has the complete local master keys. Usually, the security officers authenticate themselves to the HSM, one after the other, not in the same instance, so the HSM would normally have a single smartcard reader in its physically secure enclosure.

[45] Figure 3: (prior art) a sample system that relies on HSMs: a card payments network.

A customer would enter his confidential PIN on the secure PIN entry device; the secure PIN entry device would encrypt the PIN using the key which the acquirer bank injected in it; the ATM terminal would send the encrypted PIN along with the requrested operation to the host computer of the acquirer bank; the host computer will discover from the card number, that this cardholder is an international visa customer, not his customer, so he forwards the transaction to the inter-bank switch, but with the PIN encrypted under the key between the acquirer host and the inter-bank switch; now the inter-bank switch, i.e. visa in our case, would forward the transaction to the issuer bank; now the issuer bank can verify the PIN by passing it to the HSM; the HSM of the issuer bank would tell whether the PIN was correct or not; the response of the transaction goes back to the inter-bank switch and then to the acquirer bank to give the service to the cardholder. This example is very well known in the PIN-based card payments world. The HSM technology is what made the secure card payments industry possible. Without the HSM technology, the ATM machines would not have been possible, because simply the cardholder would claim that he did not make the transaction and that an employee in the bank stole the PIN from the database. The HSM technology guarantees that this could never happen; so the legal liability of the PIN is on the cardholder. The ATM PIN is like the legal signature that no one can ever steal, as long as the HSM technology was in place.

[46] Figure 4: (prior art) a normal HSM: 'based on physically secure enclosure'

[47] Figure 5: (prior art) Part A of the diagram shows a SIM-sized USB-enabled smartcard having the 'security module' application installed in it. Part B of the diagram shows a connector that enables the USB-smartcard to have a USB connector; this connector usually does not have any electronic circuits in it. Part C shows a USB SIM- sized smartcard inserted in the connector. [48] Figure 6: Best Mode: the collection can be up to about 120 USB 'Security Module¹ smartcards. Because the USB standard has a limit of up to 127 USB devices connected to a single computer. The host computer runs its normal processes in addition to the 'communication handler' without any fear of security problems, as clarified earlier. The laser printer with Secure DIMM is a known way for making a key agreement between a computer and the printer's memory to have all the communication between them to be encrypted, in the case of this invention, the key agreement is between the 'security module' and the printer. Also, there are many solutions for tamper-evident secure PIN mailer paper, which gets folded and closed securely inside the printer. Another example of commercial tamper-evident secure paper is the Hydalam laser printable secure paper. Also, shown in the diagram are the security officers' smartcards; usually they do not need to be all inserted in the HSM at the same time; the security officers use their smartcards to do critical operations like loading the local master keys or changing a critical setting in the HSM or starting a critical command like printing a batch of PINs on secure PIN mailer paper or setting a key agreement with another institution. Less critical operations does not require all the officers to be present, just two are usually enough, while high-critical operations require all the security officers to be present and authenticate themselves to the HSM.

[49] Figure 7: (Best Mode continued) This diagram shows the main blocks of the

'security module' application: which is an HSM firmware adapted to run inside a smartcard and has secure key agreement with the secure console and with the security officers' devices. Each smartcard in the collection will have the 'security module' application installed on it. The initial Key agreement between each smartcard having the 'security module¹ application and the secure PIN pad and the officers' devices can be based on public key cryptography or initial pre-injected symmetric keys. For the public key solution, the PIN pad would display the ID of the 'security module' that is handling the communication with it, based on the certificate of the 'security module'.

[50] Figure 8: (Best Mode continued) Each security officer's device can be a smartcard loaded with a 'security officer' smartcard application that is able to authenticate the 'security module' smartcard being communicated with, and add/remove 'security module' smartcards from the collection that represents the HSM; in addition to the standard operations done by security officers' devices, like for example keeping a component of the local master keys; other functions are not shown in figure. Part (A) in the diagram shows the main blocks of the 'security officer' application: which is a smartcard application that runs on the smartcard of the security officer. Part (B), represents the list that contains the ID's of the 'security module¹ smartcards in the collection that forms the HSM, should be digitally signed by all the main security officers, who have local master key components. This list prevents fraudulent smartcards to be placed in the collection and also enables the 'security module' smartcards to do initial self-check that all the smartcards in the collection are present. [51] Figure 9: Invention mode:

1. is an i-Button or USB smartcard or the like, in a collection spanning from 1 to n.

2. a reader for the security officer's device.

3. Communication port for host, printer or other devices, this can be an Ethernet adapter, or a collection of serial or parallel ports or any other communication port with no special security requirement

This embedded computer needs not to have a physically secure enclosure, because the smartcards inside it are already tamper-proof and all the critical processes are done only inside it and there is no way to fake or bypass it.

Best Mode

[52] See figure 6 through 8

[53] In addition to the apparatus described in the figures. The inventive secure process for making and initializing a collection of smartcards for use an HSM is as follows:

1. The HSM vendor brings a number of smartcards that should be securely loaded with the "security module" application, from a smartcard vendor. He will also receive the keys for secure loading of applications on the cards in a secure way and have these secure keys accessible to his secure smartcards personalization system. Exactly, like what is done in for example the personalization of EMV smartcards.

2. The personalization involves ensuring a unique ID for every smartcard, and signing a digital certificate for each smartcard using the private key of the secure personalization system, i.e. the vendor's private key. That's in addition to having the public of the personalization system stored securely in each card, to ensure that the card can securely authenticate other cards and devices whose certificates are signed by the secure personalization system or any subkey thereof.

3. The vendor also personalizes another much smaller number of smartcards to be used as "security officer" keys, i.e. security officer devices. This is done by securely loading them with the "security officer" application

4. The personalization of the "security officer" cards involves ensuring a unique ID for every smartcard, and signing a digital certificate for each of them using the private key of the secure personalization system; exactly like what was done with the "security module" cards. That's in addition to having the public of the personalization system stored securely in each card, to ensure that the card can securely authenticate other cards and devices whose certificates are signed by the secure personalization system or any subkey thereof.

5. The vendor also personalizes a much smaller number of PIN pads, by having its public key stored securely in the PIN pads, this enables the PIN pad the securely authenticate the "security module" cards and also the "secuity officer" cards. Optionally the PIN pad can also be personalized with a secure ID and a certificate, exactly like the "security officer" cards; this enables the "security module" cards and the "security officer" cards to authenticate the PIN pad. In both cases, the PIN pad can create a secure encrypted channel with any "security module" card and with any "security officer" card. Modern PIN pads are based on smartcards to drive them, so all these personalizations are usually done to a smartcard, and a secure HSM console application is loaded on the secure PIN pad, or the card inside it, depending on the programming model of the PIN pad.

6. A customer would normally buy a number of a "security module" smartcards, like for example twenty or thirty, and a smaller number of security officers' cards, like for example five or six.

7. The customer would also get the "communication controller" software from the vendor.

8. The customer will also get one or two personalized PIN pads from the vendor.

9. The customer will also buy a USB hub, to enable the connection of a USB smartcards in this example Best Mode. If smartcards that use other technologies, like iButton or even normal smartcards were used, the corresponding reader communication equipment will be required. These things will either be provided by the vendor or the customer would buy it by himself.

10. The customer would install the communication controller software on a comptuer and start the software.

11. The customer will follow the instructions by connecting the PIN pad and one of the "security officer" cards

12. The PIN pad and the "security officer" cards will ensure they trust each other by verfiying each other certificates, in case of mutual authentication. The security officer can now set or change the PIN for his smartcard and generate an LMK component

13. Same thing will be done for the other security officers

14. Being driven by the communication controller, the "security module" cards can be added one by one and be added to the securely signed list of collection and loaded with the LMK components of each security officer. 15. The list is kept secure, by having it signed by all the security officers.

16. In the future, after each manual addition or deletion of a "security module" card to the collection, the list should be updated by having all the security officers to sign it.

17. The communication controller can now be configured with the TCP/IP port on which it will serve the host interface

18. Multiple hosts is also possible, and actually a typical case. Because, usually hosts have load-balancing and fail-over backup systems, that should all have access to the same HSM.

[54] This process ensures that the collection of smartcards are always under control of the security officers. Even when the LMK needs to be loaded again on this inventive HSM.

[55] This process also ensures that no one can add a malicious smartcard to the collection, because the list that contains the ID's of the smartcards in the collection is signed.

[56] The security officers verify the physical anti-counterfiet features of each smartcard, before adding it to the collection, but after adding it to the collection they are sure that even when they need to reload the Local Master Keys on the collection again for any reason, no fraudulent smartcard will take the local master keys. Because the authentic smartcards have digital certificates; the physical anti-counterfiet features need not to be verified manually again.

Mode for Invention

[57] See best mode and Figure 9. Figure 9, is just another packaging of the same idea in the best mode, where the communication handler is a prepackaged computer that houses the smartcards inside it; so, the end product would look exactly like a normal HSM; of course this packaging need not to be the expensive physically secure packaging, because the current invention eliminated the need for this very expensive packaging. This mode uses normal un-secure packaging, yet delivers the same security level as traditional HSMs at a very small fraction in cost. Usually a secure PIN pad is also shiped with the product, that has key agreement with the security module smartcards in the HSM. This PIN pad functions mainly as a secure console for the HSM, to enable the security officers to interact securely with the HSM.

Industrial Applicability

[58] HSM manufacturers will greatly want to use this invention to manufacture their next generation HSMs, rather than manufacturing the HSM in the normal way. The most important reason is the two orders of magnitude cost reduction. Additional benefits are the ease of software customization because smartcards are programmable in secure high-level languages like Java and the simplicity of the ceritifcation process because smartcards are already FIPS and common criteria evaluated and certified for physical security and also the operating systems of smartcards are extremely secure and trusted.

[59] These next generation low-cost HSMs, will additionally enable the HSM industry to enter all the fields that were previously unable to afford the HSM infrastructure costs. Like mobile operators, stocks trading systems on the Internet and on the Mobile, e- commerce and m-commerce systems, all e-businesses and m-businesses that need secure user identification of users, all intranets and extranets, accounting systems.... etc. All these fields and many others were not able to afford the costs of the HSM infrastructure, though HSMs bring true military-grade physical security that truely prevent server side attacks, especially internal attacks. Now, using the current invention, all these fields and other fields should become able to have this ultimate level of security at an affordable cost. Of course the critical processes for each field will need to be specified, because HSMs are domain specific rather than general purpose cryptographic devices.

[60] An example of use: Mobile operators today do not use HSMs to prevent insider attacks of their subscribers lines; The authentication keys are kept in databases that are not military-grade secure; i.e. administrators and applications have access to it! HSMs will radically eliminate the possiblity of server-side attacks. HSMs will also enable mobile operators to provide secure identity service to service providers, rather than the un-guaranteed caller ID. The reason is that the identity is already protected from the client side by smartcards, i.e. the SIM cards, and now by using an HSM in the server side which is this invention, the identity will be also protected from the server side. Now since the protection is complete from both the client side and the server side, then the secure identification of the user can be sold as a secure user identification service to third parties, like banks to enable mobile banking for example and other service providers.

Claims

[1] A collection of smartcards and a communication controller functioning as a host security module, where the said smartcards are adapted with a security module application which is a smartcard application implementing the functionality of a host security module and the said communication controller is a computer adapted with software to make load balancing on the said smartcards and to facilitate the communication with the other devices that were normally attached directly to the host security module and where the said security module smartcard application establishes a key agreement with the security officer device.

[2] The said security officer device is also a smartcard adapted with a security officer smartcard application that enables key agreement with host security module. The said key agreement enables secure communication between the said security officer device and the said smartcards of the said collection.