Keys in hardware: encryption using an HSM


In many cases confidential data, e.g. personal data, credentials, financial data or company secrets, has to be encrypted before it is stored in server or cloud applications. This prevents unauthorised access not only by an external attacker but also by system or backup administrators, who can otherwise read the stored files directly.

Many programming languages provide functions or libraries that make encrypting data easy. The key, however, usually ends up hidden somewhere in the file system or compiled into the application. For a professional attacker extracting such a key is no great challenge: the file or binary is copied and searched for key material. Protecting the key is therefore essential for any secure use of cryptography. The keys have to be kept in a medium from which unauthorised persons cannot extract them. Such a secure key storage medium is called a hardware security module, or HSM.
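To make the point above concrete, here is an added example (not code from the sematicon article) of the simplest key-extraction technique: a sliding-window entropy scan over a binary. Compiled-in AES keys are random bytes and stand out sharply against program text, strings and padding. The "binary" below is constructed inline (repeated log strings, a 32-byte key of distinct byte values, zero padding); the 4.5 bits/byte threshold and 32-byte window are choices for this demo, not values from the article.

```python
import math

# Constructed demo "binary": boilerplate log strings and zero padding with a 32-byte
# key compiled in at a fixed offset. The key bytes are a fixed permutation so the
# example is deterministic; a real random key is at least as high in entropy.
KEY = bytes((i * 37 + 11) % 256 for i in range(32))       # 32 distinct byte values
FILLER = b"config loaded; starting worker thread; "


def build_demo_binary():
    """Return (blob, key_offset): FILLER * 4, then the key, more filler, zero padding."""
    head = FILLER * 4
    return head + KEY + FILLER * 3 + bytes(64), len(head)


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for all-equal data, up to 8.0 for uniform random bytes.
    A 32-byte window tops out at 5.0 because it can hold at most 32 distinct values."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_high_entropy_regions(blob, window=32, threshold=4.5):
    """Slide a window over blob and merge every window at or above the threshold into
    (start, end) regions. ASCII text with ~18 distinct characters cannot exceed
    log2(18) = 4.17 bits/byte per window, key material sits near 5.0, so 4.5 separates them."""
    regions = []
    for off in range(len(blob) - window + 1):
        if shannon_entropy(blob[off:off + window]) >= threshold:
            if regions and off <= regions[-1][1]:
                regions[-1][1] = off + window        # overlaps the previous hit: extend it
            else:
                regions.append([off, off + window])
    return [tuple(r) for r in regions]


def candidate_keys(blob, keylen=32, **kw):
    """Every keylen-byte window inside a flagged region: the short list an attacker
    feeds to a trial decryption instead of trying every offset in the whole file."""
    cands = []
    for start, end in find_high_entropy_regions(blob, window=keylen, **kw):
        cands.extend(blob[o:o + keylen] for o in range(start, end - keylen + 1))
    return cands


if __name__ == "__main__":
    blob, off = build_demo_binary()
    print("key at offset", off, "flagged regions:", find_high_entropy_regions(blob))
    cands = candidate_keys(blob)
    print("%d candidate windows out of %d, key found: %s" % (len(cands), len(blob) - 31, KEY in cands))
```

Against a real binary the scan is the same; only the filler is bigger. The candidates are then tried against a known ciphertext, which is why "hiding" the key in the file system or in the executable buys nothing against someone who can read the file.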

The following example shows how, in Python, to

  • generate a symmetric AES key (AES-256) inside an HSM,
  • use the generated key for HSM-based data encryption, and
  • decrypt the encrypted content again with the help of the HSM.

[Figure: HSM safe holding credentials, personal data, business secrets and finance data]

As the HSM we use the se.SAM™ N200 Crypto Appliance via its integrated REST API, which returns the results as a JSON object. For first experiments we recommend the free version of Postman. Two practical notes: the example uses AES in ECB mode for brevity; ECB encrypts identical plaintext blocks to identical ciphertext blocks and provides no integrity check, so for anything beyond a demo use a chained or authenticated mode where the appliance offers one. And because the request carries the Basic-Auth header, the key PIN and the cleartext, the appliance should be addressed over HTTPS with certificate verification rather than plain HTTP.

#!/usr/bin/python3
import sys
import requests

# Use HTTPS in production: over plain HTTP the Basic-Auth header, the PIN and the
# cleartext travel unencrypted between application and appliance. If the appliance
# uses a self-signed certificate, pass verify='/path/to/appliance-ca.pem' to
# requests.post() instead of disabling verification.
url = 'https://192.168.178.49/n200/web/postv1'
# for a first test only: url = 'http://192.168.178.49/n200/web/postv1'

# Demo credentials of the appliance (admin / admin); replace before any real use.
headers = {'Authorization': 'Basic YWRtaW46YWRtaW4='}
core = "1"
pin = "pin123456"


def hsm_call(payload):
    """POST one command to the N200 REST API and return the 'result' field of the
    JSON reply. Every command carries the core number; anything other than
    HTTP 200 is treated as a failure and aborts the script."""
    payload = dict(payload, core=core)
    response = requests.post(url, headers=headers, data=payload, timeout=10)
    if response.status_code != 200:
        print(response.status_code)
        print(response.text)
        sys.exit(1)
    return response.json()['result']


## Generate Key (AES-256; the key stays inside the HSM, only its id comes back)
keyid = hsm_call({'command': 'gensymkey',
                  'keysize': '256',
                  'acl': 'FFFF',
                  'pin': pin})
print("Generated keyid: %s" % keyid)

## HSM Encrypt Data
# ECB mode as in the original example: equal plaintext blocks give equal ciphertext
# blocks and nothing protects integrity. Prefer a chained or authenticated mode
# for real data if the appliance offers one.
cipher_data = hsm_call({'command': 'encrypt',
                        'keyid': keyid,
                        'pin': pin,
                        'mode': 'ECB',
                        'cleartext_data': 'This is the secret text that will be encrypted by the network HSM'})
print("Cipher data: %s" % cipher_data)

# STORE cipher_data (together with keyid) in file or database now!
# The PIN belongs in the application's secret store, not next to the ciphertext.

# RELOAD cipher_data from file or database once required...
## HSM Decrypt Data
cleartext_data = hsm_call({'command': 'decrypt',
                           'keyid': keyid,
                           'pin': pin,
                           'mode': 'ECB',
                           'cipher_data': cipher_data})
print("Cleartext data: %s" % cleartext_data)

The advantages of this approach are obvious:

  1. Only authorised applications can use the HSM (see the Authorization header; additionally an IP address check or MFA protection).
  2. Applications need additional data for encryption and decryption, which has to be stored once:
    • key ID / keyid
    • the individual PIN belonging to that key ID
    Together these authorise use of the key, so the PIN should be kept in the application's secret store, separate from the ciphertext.
  3. The data is encrypted at the HSM with the correct key and returned.
  4. The key never leaves the HSM.
  5. Key usage at the HSM is logged and monitored.
  6. The security administrator can withdraw access to a key at any time. The encryption thus remains under the full control of the company, even for external services or cloud applications.
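The three calls of the procedure above, packaged the way an application would ship them, as an added example that is not sematicon's code: URL, Basic-Auth credentials and core number are read from the environment instead of the source, the transport verifies TLS and times out, and what the application persists is only the key ID plus ciphertext. The same block illustrates the advantage list: an in-memory FakeN200 stands in for the appliance so the module runs offline, keeps the key bytes to itself, logs every command, refuses a wrong PIN and refuses a key the administrator has revoked. The form fields and the {"result": ...} reply shape are those of the article's code; the environment variable names (N200_URL, N200_USER, N200_PASS), the non-200 refusal statuses and the fake's SHA-256 keystream XOR (not AES, only there to exercise the interface) are assumptions made for this demo.

```python
import hashlib
import json
import os
from dataclasses import dataclass, field


class HsmError(RuntimeError):
    """Raised when the appliance answers with a status other than 200."""


@dataclass
class FakeN200:
    """In-memory stand-in for the appliance so the module runs offline. Key bytes
    never leave .keys, every command is recorded in .audit, and an unknown or
    revoked key or a wrong PIN is refused. The 'cipher' is a SHA-256 keystream
    XOR, NOT AES; it exists only to exercise the interface. Assumption: the real
    device signals refusal with a non-200 status."""
    keys: dict = field(default_factory=dict)      # keyid -> (pin, key bytes)
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def _xor(self, key, data):
        stream = b"".join(hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
                          for ctr in range(0, len(data), 32))
        return bytes(a ^ b for a, b in zip(data, stream))

    def post(self, url, data, auth, timeout):     # same signature as http_post()
        cmd, keyid = data["command"], data.get("keyid")
        if cmd == "gensymkey":
            keyid = "key%04d" % (len(self.keys) + 1)
            self.keys[keyid] = (data["pin"], os.urandom(32))
            self.audit.append((cmd, keyid))
            return 200, json.dumps({"result": keyid})
        self.audit.append((cmd, keyid))
        if keyid not in self.keys or keyid in self.revoked:
            return 403, "key not accessible"
        pin, key = self.keys[keyid]
        if data["pin"] != pin:
            return 401, "wrong pin"
        if cmd == "encrypt":
            return 200, json.dumps({"result": self._xor(key, data["cleartext_data"].encode()).hex()})
        if cmd == "decrypt":
            return 200, json.dumps({"result": self._xor(key, bytes.fromhex(data["cipher_data"])).decode()})
        return 400, "unknown command"


def http_post(url, data, auth, timeout):
    """Real transport: HTTPS with certificate verification (the requests default) and a
    timeout. Imported lazily so the offline fake does not need the requests package."""
    import requests
    r = requests.post(url, data=data, auth=auth, timeout=timeout)
    return r.status_code, r.text


class N200Client:
    """The three REST commands from the article. URL, Basic-Auth credentials and core
    number come from the environment (variable names assumed; the article hard-codes them)."""

    def __init__(self, post=http_post, auth=None, url=None, core="1", timeout=10):
        self.post, self.core, self.timeout = post, core, timeout
        self.url = url or os.environ.get("N200_URL", "https://192.168.178.49/n200/web/postv1")
        self.auth = auth or (os.environ.get("N200_USER", ""), os.environ.get("N200_PASS", ""))

    def _call(self, **fields):
        status, body = self.post(self.url, dict(core=self.core, **fields), self.auth, self.timeout)
        if status != 200:
            raise HsmError("HSM returned %s: %s" % (status, body))
        return json.loads(body)["result"]

    def gensymkey(self, pin, keysize="256", acl="FFFF"):
        return self._call(command="gensymkey", keysize=keysize, acl=acl, pin=pin)

    def encrypt(self, keyid, pin, cleartext, mode="ECB"):
        return self._call(command="encrypt", keyid=keyid, pin=pin, mode=mode, cleartext_data=cleartext)

    def decrypt(self, keyid, pin, cipher_data, mode="ECB"):
        return self._call(command="decrypt", keyid=keyid, pin=pin, mode=mode, cipher_data=cipher_data)


def demo(hsm=None):
    """Walk the article's flow against the fake and return what each step produced.
    The persisted record holds keyid + ciphertext only; the PIN stays with the application."""
    hsm = hsm or FakeN200()
    client = N200Client(post=hsm.post, auth=("admin", "admin"))   # demo credentials, constructed
    pin = "pin123456"
    keyid = client.gensymkey(pin)
    record = {"keyid": keyid, "mode": "ECB",
              "cipher_data": client.encrypt(keyid, pin, "This is the secret text")}
    recovered = client.decrypt(keyid, pin, record["cipher_data"], record["mode"])
    refused = []
    for attempt_pin, revoke in (("wrong-pin", False), (pin, True)):
        if revoke:
            hsm.revoked.add(keyid)              # the security administrator withdraws access
        try:
            client.decrypt(keyid, attempt_pin, record["cipher_data"])
            refused.append(False)
        except HsmError:
            refused.append(True)
    return {"record": record, "recovered": recovered, "refused": refused, "audit": hsm.audit}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To talk to a real appliance, construct `N200Client()` without the `post` argument and set the three environment variables; the rest of the application code is unchanged, which is the point of keeping the transport and the key-holding device behind one small interface.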

The source code was written by sematicon AG and may be used freely.

Do you have questions about encryption with an HSM? We are happy to help with the implementation.
