X.509 is a standard used for public-key certificates or digital documents. An assigned cryptographic key pair is paired with a user, organization, website, or device.

X.509 certificate is a digital certificate that uses the X.509 Public Key Infrastructure (PKI) standard to verify the ownership of a public key. The certificate can be used for asymmetric or symmetric encryption, which can belong to a user, website, device, or an organization. An X.509 certificate contains information about the certificate’s owner and about the certificate itself. Some of the data includes:

  • Version: X.509 version applicable to the certificate, which suggests the information the certificate would include.
  • A unique serial number of the certificate
  • The algorithm used by the issuer to sign the certificate
  • Name of the Issuer (Certificate Authority)
  • Validity Period of the certificate
  • The name of the owner of the certificate
  • Public Key associated with the certificate
  • Optional extensions

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Anuradha is a cybersecurity expert with 15 years of experience in Cybersecurity space. She is currently working as Senior Encryption Consultant at Encryption Consulting LLC.

Hardware Security Module

HSMs – Key Management

What is a Hardware Security Module (HSM)?

A hardware security module (HSM) is a physical computing device that protects and achieves strong authentication and cryptographic processing around the use of digital keys. Through an isolated, tamper-proof environment, these devices are built to create and secure cryptographic keys, protect critical cryptographic operations, and lastly enforce implemented policies over the use of these keys. HSMs can come in various forms: PCI e-cards, USB tokens, and network attached appliances are all common.

The Rise of Hardware Security Modules

Organizations have begun realizing the importance of HSMs. The global deployment rate of these devices has risen from 26% in 2012 to 41% in 2017 according to the 2018 Global Encryption Trends Ponemon Institute Research Report. With technology’s ever-changing environment, organizations must keep up to be successful. These changes can lead an organization down two paths. One may lead to growth and prosperity, but the other may lead to destruction and despair.

Growing Concerns:

  • Cyber-Warfare
  • Data Privacy Regulations
  • Mobile Payments
  • Internet of Things

Organizations from all industries are being affected by their data management through encryption or key management. HSMs can offer organizations the ultimate security.

Securing Data using Hardware Security Modules

Hardware Security Modules boasts many impressive features and administrative functions.


  • Generate Encryption Keys
  • Store Keys
  • Crypto Operations Processing
  • Restrict Access only for those Authorized
  • Federal Information Processing Standard 140-2 Levels 3 or 4

For a key generation, an HSM uses a true entropy-driven, hardware-based Random Number Generator, usually built to compliance to level PTG.2 of the BSI Specifications AIS20 and AIS31, and as pertains to Hash_DRBG from the NIST SP 800-90A. Secure Private and Secret keys can only be generated by data returned by such DRBGs (Deterministic Random Bit Generator).

Whether the stages of lifecycle from creation, import, usage, rotation, destruction, and auditing, the HSM maintains protection over encryption keys to ensure data is never exposed. Once the keys are created and stored in the HSM, authorization will only be allowed through a series of key cards and passphrases to gain access, as most HSMs provide support for both multi-factor authentications, and can require access via the “4-eyes” principle.

Risks of Software-only Cryptography

For those that choose to bypass HSMs, software-only cryptography is the next option. However, those choosing software-only cryptography must understand the risks that come with this decision

The two types of attacks on Software-only Cryptography:

Logical Attacks –

mainly involving an attack on main memory or discs in servers to locate the crypto keys

  • Vulnerability during stage operations in server memory.
  • Core Data Dump
  • Accessible by Passphrase

Physical Attacks –

the removal and scanning of old hard drives or memory.

  • Technicians have forcibly removed and frozen hardware to locate cryptographic keys

How does an HSM protect against these two specific threat vectors? The protected secrets never exist outside the HSM, and inside the HSM only ever exist ‘in the clear’ during use, and while inside protected RAM (CPU cache memory, with code running in the cache memory also). Any data-at-rest on the device will be AES256 encrypted. And FIPS 140-2 Level 3 and higher HSMs will react to environmental changes such as temperature (higher or lower than normal), changes in the electrical feed (over- or under-voltage), and Level 4 HSMs extend this protection to the physical, and will erase themselves if the HSM hardware is damaged.

Security Compliance & Regulations

While organizations face many different drivers to encrypt data, fifty-five percent of organizations have said compliance with privacy and data security requirements is their top driver according to the 2018 Global Encryption Trends Ponemon Institute Research Report. Universally, countries are beginning to set a standard for privacy, for those organizations handling sensitive information. Those who wish to ignore these regulations and laws will be at the mercy to hefty fines.

Major Global Regulations:
Major United States Regulations:
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH)
  • The Payment Card Industry Data Security Standard (PCI-DSS)

The Future of Hardware Security Modules

In today’s environment, organizations must adapt to the new digital world. By deploying HSMs, organizations will be laying out the foundation for enterprise encryption and key management. Your cryptographic keys and digital identity will have maximum security. Whether dealing with Public Key Infrastructure (PKI), Document Signing, Code Signing, Key Injection, or Database Encryption, HSMs will provide the utmost security with respect to cryptographic keys now, and in the future.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

With cloud adoption soaring to whopping 96% in 2018 according to CIO, it’s no wonder that cloud security is a hot industry topic. In today’s dynamic world, many companies are accelerating their digital transformation by moving data and applications to the cloud; benefiting from scalability and reduced costs at the same time. With cloud becoming an integral part of any enterprise, the questions that many ask include:

How to ensure cloud data security?

Where and how to manage encryption keys in the cloud?

How to ensure your data is securely stored and protected in a multi-cloud  environment?

How to ensure vendor independence in a multi-cloud environment?

Hardware Security Modules (HSMs) have been around for a long time and have over the years become synonymous with “security”. Many organizations that host their data and applications on-premise will use HSMs – physical security units that authenticate, generate and store cryptographic material to protect their most valuable assets. The HSM acts as the centralized Root of Trust providing the ultimate level of security that no software can offer. While this is a great option for on-premise scenarios, it becomes complicated if you’re in a multi-cloud environment.

Say you do decide to go with the Key Management Service (KMS) offered by your Cloud Service Provider (CSP), what happens if your environment is a combination of private, public, hybrid or multi-cloud? The important question to ask would be if your CSP’s KMS supports data and applications hosted outside of their own data environment. Every enterprise has a unique cloud environment and getting locked-in with one vendor in the name of data security is probably not the best option. What you want to be looking for is a solution that is CSP-agnostic meaning supportive of various cloud environments so you can make the most of the benefits and services offered by key providers like Google, Azure, and AWS.

Another consideration regarding your CSP’s KMS is the proximity of your valuable data assets and your encryption keys. Is it safer to keep your house key under the doormat or in a locked vault in a secure storage facility? At the end of the day, KMS is nothing more than software which undoubtedly lacks the stringent security protections of a dedicated unit like an HSM. As a best practice, it’s important to separate your encryption keys from your encrypted  data assets to minimize the risk of a catastrophic data breach.

We are back at where we started. If HSM is the ultimate security solution, then wouldn’t it be ideal to be able to have access to HSM-level security for your cloud applications and workloads without taking on the expense and responsibility of managing your multi-cloud environment HSM? Today, solutions like HSM-as-a-Service or HSM-in-the-Cloud offer the best of both worlds combining the security of an HSM with a flexibility of a KMS. This might be the solution for you if you’re looking for:

Multi-cloud deployments

Migration flexibility – no CSP and cloud lock-in

Reducing your capex

Innovate  in the cloud – place your own firmware and custom code on the HSM

With the right strategy and solution, you can ensure your cloud security is treated like your on-premise security. Get in touch with Utimaco to learn more about CryptoServer Cloud and how you can secure your cloud data without limiting your agility and potential. 

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Let's talk