|
Home > |
|---|
This section chapter discusses general security and handling issues related to the SafeNet HSM and its host computer.
The SafeNet cryptographic module is a multi-chip standalone module as defined by FIPS PUB 140–2 section 4.5. The module is enclosed in a strong enclosure that provides tamper-evidence. Any tampering that might compromise the module’s security is detectable by visual inspection of the physical integrity of the module. In addition, any attempts to physically tamper with the token would likely result in the destruction of its circuitry and components, thus ensuring that your keys and sensitive objects are safe from an attacker.
The module’s physical design also resists visual inspection of the device design, physical probing of the device and attempts to access sensitive data on individual components of the device.
If an attacker with unlimited resources were to simply steal a SafeNet HSM, and apply the resources of a well-equipped engineering lab, it might be possible to breach its physical security. However, without the Password (password authenticated module) or the PED Keys (PED-authenticated module), such an attacker would be unable to decipher any signal or data that they managed to extract.
It is your responsibility to ensure the physical security of the module to prevent such theft, and it is your responsibility to enforce procedural security to prevent an attacker ever having possession of (or unsupervised access to) both the cryptographic module and its authentication secrets.
It is your responsibility to ensure the physical security (access) of passwords or PED Keys, and to ensure that personnel who might need to input passwords do not allow themselves to be watched while doing so, and that they do not use a computer or terminal with keystroke logging software installed.
The data sheets provided by SafeNet show the environmental limits that the device is designed to withstand. It is your responsibility to ensure that the unit is protected throughout its working lifetime from extremes of temperature, humidity, dust, vibration/shock that exceed the stated limits.
We do not normally specify operational tolerances for vibration and shock, as the SafeNet HSM is intended for installation and use in an office or data center environment. We perform qualification testing on all our products to ensure that they will survive extremes encountered in shipping, which we assume to be more demanding than the intended operational environment.
It is also your responsibility to ensure that the HSM appliance is installed in a secure location, safe from vandalism, theft, and other attacks. In summary, this usually means a clean, temperature-, humidity-, and access-controlled facility. We also strongly recommend power conditioning and surge suppression to prevent electrical damage, much as you would do for any important electronic equipment.
The following assumptions are made about the environment in which the SafeNet cryptographic modules will be located and installed:
•Those responsible for the SafeNet HSM must ensure that the authentication data for each SafeNet HSM account is held securely and not disclosed to persons not authorized to use that account.
•Those responsible for the SafeNet HSM must ensure that it is installed, managed, and operated in a manner that is consistent with the local security policy.
•The host IT environment must be configured and checked to ensure that any applications installed in the host environment, that require access to the HSM are legitimate, are valid and have been vetted for authenticity and integrity (i.e., have not been modified for malicious purposes).
•Those responsible for the SafeNet HSM must ensure that it is installed and operated in an environment that is protected from unauthorized physical access.
•Those responsible for the SafeNet HSM must ensure that there are procedures in place such that, after a system failure or other discontinuity, recovery of the SafeNet HSM and the host IT environment is possible without compromise of IT security.
•Those responsible for the SafeNet HSM must ensure that those using the SafeNet HSM (including Security Officers and Token/Partition Users), have a level of competence sufficient to ensure its correct management and operation. This competence may be established through a combination of training and the accompanying Installation Guide and Configuration, Administration, and Reference documentation.
•Procedural and physical measures must prevent the disclosure of cryptography-related IT assets to unauthorized individuals or users via the electromagnetic emanations of the SafeNet HSM .
•Those responsible for the host IT environment must ensure that no connections are provided to outside systems or users that would undermine IT security.
•Those responsible for the host IT environment must ensure that the power supplied to the SafeNet HSM is adequately protected against unexpected interruptions and the effects of surges and voltage fluctuations outside the normal operating range of the device.
•Those responsible for the host IT environment must ensure that the SafeNet HSM is operated in an environment in which there is provided adequate protection against disasters such as fire and flood.
•Those responsible for the host IT environment must ensure that the SafeNet HSM is located in an environment that is adequate to protect security-relevant and cryptographic key data and the SafeNet HSM firmware from interference or inadvertent modification by strong electromagnetic radiation from other sources.