Security is a driving factor in how 5G networks are built and operated – every element of a 5G network is required to have security controls in place for the purpose of delivering confidentiality, integrity, and availability so that the network can provide users with a secure communications platform.
What is an HSM?
An HSM (Hardware Security Module) is a dedicated system that physically and logically protects cryptographic keys (their generation and storage) and the cryptographic functions that use them. It is a purpose-built appliance that packages the hardware, software, and firmware needed for these functions into one integrated unit. HSMs are a well-established solution in IT networks and many business segments, and are now being made available to mobile networks as well.
An HSM is a physically secure computing device that safeguards and manages digital keys, performs encryption/decryption operations, and provides strong authentication mechanisms. HSMs typically come in two form factors: a PCIe card installed in a host server, or a 1U network-attached appliance.
The first HSM, the Atalla Box, was built in 1973 by Mohammed Atalla (an Egyptian engineer, physicist, cryptographer, inventor, and entrepreneur) to protect PINs in ATM transactions. Although initially aimed at the payment market, HSMs are now the de facto standard for managing encryption keys across a wide variety of use cases.
The functions of an HSM are:
- Onboard secure cryptographic key generation.
- Onboard secure cryptographic key storage, at least for the top-level and most sensitive keys, which are often called master keys.
- Use of cryptographic and other sensitive material inside the module, for example to perform encryption or digital signature operations, so that the keys never have to leave it in the clear.
- Offloading asymmetric and symmetric cryptography from application servers.
An HSM can be trusted because:
- It is built atop certified, well-tested, specialized hardware.
- It runs a security-focused OS.
- Its entire design actively protects and conceals cryptographic material, including tamper detection and response at the physical layer.
- It exposes only a narrow, mediated interface to the network, governed by internal access-control rules.
Without a hardware security module, ordinary business logic and cryptographic operations run in the same place, so an attacker who compromises the application host can reach keys and certificates alongside ordinary business data. From there an attacker can install arbitrary certificates, expand unauthorized access, alter code, and otherwise dangerously subvert cryptographic operations.
5G Use Cases for HSMs
The five main use cases for HSMs within the 5G ecosystem are:
- The 3GPP (3rd Generation Partnership Project) authentication framework with PQC (Post-Quantum Cryptography).
- SIM/eSIM provisioning during manufacturing and OTA (Over-The-Air).
- Secure Communication (SSL/TLS/IPsec/MACsec).
- Code Signing for Software-Intensive Environments.
- Database/VM/Container Security.
Protecting subscriber-sensitive data in 5G
- Subscriber Privacy:
  - Generate the home network key pair, store the home network private key, and perform the cryptographic operations that de-conceal the SUCI (Subscription Concealed Identifier) back to the subscriber's SUPI.
- Subscriber Authentication Vector Generation:
  - Store the master keys and run the authentication algorithms (e.g., MILENAGE) inside the HSM, so that authentication-related keys are never exposed while authentication vectors are being generated.
- Subscriber Key Provisioning:
  - Store the keys that protect the provisioning and storage systems, and perform the encryption/decryption of those systems' keys inside the HSM, so that authentication-related keys stay protected during SIM personalization and provisioning.