It just makes sense to put the tightest security on the servers that store the guarded secrets for all user authentications. If those servers are compromised it means the security of all cryptographic keys and passwords resident on that server are compromised — or in other words, a disaster.
Yubico originally developed the YubiHSM, (a “Hardware Security Module”), to process the encryption, decryption, and storage of secrets on its own servers. Today, the YubiHSM is Yubico’s offering for easy, affordable, and secure protection of authentication secrets related to the Yubico OTP stored on the authentication or key server. The device protects data at rest against remotely conducted intrusion attacks and internal threats like employees copying secrets.
The current version of YubiHSM features a secure element and a change from the original larger form factor to a smaller nano design with a molded plastic harness.
- Works with any standard USB port, across multiple operating systems including Linux and Microsoft Windows.
- Offers encryption with a Message Authentication Code (MAC), HMAC-SHA1 hashing, AES encryption/decryption, and cryptographic True Random Number Generation.
- Provides a physically isolated environment for cryptographic processing.
- Has no moving parts and requires no additional maintenance once installed.
- Capable of supporting any counter-based OTP protocol including YubiOTP (Yubico’s OTP implementation) and OATH-HOTP authentication.
- Works with the Yubico Validation Server.
EASY AND AFFORDABLE
The YubiHSM installation does not require any specialized setup and it is quickly configured as it requires no additional drivers or software to use,. It consumes less than 0.2 W compared to over 300 W for some HSM hardware and, at $500, is priced tens of thousands of dollars below traditional HSM hardware.
ENCRYPTS AND PROTECTS SECRETS
The YubiHSM is configured by default to support Yubico’s OTP validation, but can be configured to handle AES encryption/decryption, secure comparison of decrypted data or HMAC-SHA1 validation with the key stored on the YubiHSM. In addition, it can be used to generate truly random numbers derived from the physical characteristics of the computer and USB port to which it is attached.
SECURING Yubico OTP SECRETS
The YubiHSM processes the encryption, decryption, and storage of keys. When called to validate a Yubico OTP, it will load the OTP and the associated encrypted key into its onboard processor and perform the decryption and comparison. Subsequently, it will only pass the validation results and associated data (such as usage counters) back to the host machine; the decrypted key and plaintext OTP never leave the YubiHSM hardware. This provides a great level of security for secrets, should an authentication server become compromised –- the secrets themselves remain secure in the YubiHSM hardware, encrypted with a 128-bit AES key.
The YubiHSM has been validated by internet security experts and is currently used by more than 100 organizations, including leading internet companies and US Department of Defense contractors. YubiHSM also protects the YubiCloud, Yubico’s hosted validation service.
A RANGE OF USE CASES
- Authentication Service: You run an authentication service; secrets are stored on a computer that has to be accessible from the internet and you are concerned it will be hacked some day.
- Restrict Access: You want to prevent system administrators and staff who have physical access to the server to copy the database and get access to sensitive data.
- Prevent Compromise: You need an architecture that prevents a hacker from compromising your secrets, but allows you to run your service full speed.
- Support YubiKeys: You have a smaller fleet of Yubikeys and want to do the authentication yourself without having to implement a complete authentication server with a database.
- Cost Sensitive: You have rejected typical HSMs for cost reasons (they are typically $15k per unit or more + maintenance fees).