Yubico

YubiHSM - Securing secrets on servers

The YubiHSM is Yubico’s take on the Hardware Security Module (HSM), designed for protecting secrets on authentication servers, including cryptographic keys and passwords, with unmatched simplicity and at low cost.
 

How It Works

The YubiHSM is a small USB dongle that you plug into your authentication server. It acts as a random number generator, a store for cryptographic keys and a cryptographic processor. The YubiHSM creates or receives secrets and encrypts them before they are transmitted to the authentication server for storage. With this approach, an unlimited number of secrets can be transmitted, stored and authenticated without risk of being compromised.

The YubiHSM also has an internal store for up to 1000 YubiKey identities and can act as a self-contained authentication server. In this mode, the YubiHSM emulates the Yubico WSAPI protocol, thereby allowing quick migration to or from the YubiCloud service or other WSAPI applications.

The YubiHSM communicates with the authentication server using a simple serial protocol, and no cryptographic secrets can leave its secure environment. With a minimal-footprint application and a limited protocol stack, the risk of remotely conducted attacks is significantly reduced.
 

Core Benefits

  • Allows you to continue to store secrets on your authentication server, using basic server hardware.
  • Protects against remotely conducted intrusion attacks and internal threats like databases and secrets being copied by staff.
  • Supports multiple redundant application servers and separate secret generation servers.
  • Provides a self-contained authentication server and storage for up to 1000 YubiKeys.
  • Provides a general-purpose cryptographic toolbox for encryption, encryption + MAC, hashing and cryptographic random number generation.
  • Powered from the USB port. Huge energy saving vs. an additional server: < 0.2 W vs. > 300 W. Basically maintenance-free with a high MTBF by design.
  • Priced at $500 per unit with no maintenance fee. Can be ordered here.

     

Use Cases

YubiKey OTP verification

  • Secure key generation and key wrapping to facilitate remote usage
  • OTP validation with secure elements stored on disk
  • OTP validation with a built-in database with space for up to 1000 identities
     

General-purpose HSM use cases

  • AES encrypt/decrypt/decrypt-compare with key stored in HSM
  • HMAC-SHA1 with key stored in HSM
  • Entropy generation
     

HSM indirection use cases

  • AES encrypt/decrypt with any of millions of keys secured indirectly via a key in the HSM
  • HMAC-SHA1 with any of millions of keys secured indirectly via a key in the HSM (enables use in an OATH validation server context)
  • Generate secured keys and store them in AEAD format
  • Kerberos (no reference implementation available yet)
  • All keys for principals are stored in secure AEAD format on the KDC, and the attached HSM is used to encrypt/decrypt all data to/from principals
  • Secure password validation with password hashes stored in AEADs only readable to the YubiHSM
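
The indirection model above and the "How It Works" description can be sketched in software. The following is an added example, not Yubico code and not the YubiHSM protocol: `ModelHSM`, `enroll`, `login` and `pw_hash` are hypothetical names, and an HMAC-SHA256 encrypt-then-MAC construction stands in for the device's own AEAD format. It shows the server storing only opaque blobs while the wrapping key and the comparison stay inside the HSM boundary.

```python
import hashlib, hmac, os

class ModelHSM:
    """Software stand-in for the device. Hypothetical API, not the YubiHSM protocol."""

    def __init__(self):
        self._kek = os.urandom(32)  # wrapping key; no method ever returns it

    def _prf(self, label, data):
        return hmac.new(self._kek, label + data, hashlib.sha256).digest()

    def _xor_stream(self, nonce, data):
        # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as a keystream.
        stream = b"".join(self._prf(b"enc", nonce + i.to_bytes(4, "big"))
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def _tag(self, owner, nonce, ct):
        # Length-prefix the owner so owner/nonce boundaries cannot be shifted.
        return self._prf(b"mac", len(owner).to_bytes(2, "big") + owner + nonce + ct)

    def wrap(self, owner, secret):
        """Encrypt-then-MAC; the owner identity is bound as associated data."""
        nonce = os.urandom(12)
        ct = self._xor_stream(nonce, secret)
        return nonce + ct + self._tag(owner, nonce, ct)

    def _unwrap(self, owner, blob):
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._tag(owner, nonce, ct)):
            raise ValueError("AEAD rejected: tampered or bound to another owner")
        return self._xor_stream(nonce, ct)

    def compare(self, owner, blob, candidate):
        """Decrypt-compare: only a yes/no answer crosses the HSM boundary."""
        return hmac.compare_digest(self._unwrap(owner, blob), candidate)

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def enroll(hsm, db, user, password):
    salt = os.urandom(16)
    # The server database holds only the salt and the opaque AEAD blob.
    db[user] = (salt, hsm.wrap(user, pw_hash(password, salt)))

def login(hsm, db, user, password):
    salt, blob = db[user]
    return hsm.compare(user, blob, pw_hash(password, salt))
```

A copied database is useless without the device in this model, and a blob moved from one account to another fails authentication because the owner is part of the MAC input.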
     

Future YubiHSM use cases are likely to include support for asymmetric cryptography (RSA), more AES modes (CBC, CTS, CCM), a PKCS #11 library and an OATH server.
 

References

The YubiHSM has been successfully verified by leading Internet security experts and 50+ organizations, including US Department of Defense contractors. It is also used by Yubico for protecting YubiCloud, our hosted validation service. Current use cases include protection of YubiKey encryption keys, OATH token secrets and passwords.

» Order YubiHSM

» Download the YubiHSM reference manual (PDF)

» To Python framework and example applications

» Download the .INF file required to install YubiHSM on Windows systems

» Download the Basic YubiHSM Windows Monitor utility (Windows Executable)

» Download the manual for the Basic YubiHSM Windows Monitor utility (PDF)

» YubiHSM Security Advisory (PDF)