
The Taxonomy of Hardware Security Mechanisms

submitted by
Style Pass
2024-09-30 00:00:02

Isolating sensitive data and operations is a fundamental issue in computing. Ideally, we want to minimize the possibility of a software defect compromising the security of a device. However, in order for the software we write to be useful, it typically needs to interact with that sensitive data in some form or fashion. So how do we interact with sensitive data without being able to access it?

The answer is that we bring only the operations that must access the sensitive data closer to the data, then force all other software to invoke those operations via some sort of interface. These restrictions are implemented in hardware, either in the same processor that the insecure software runs on, or on a physically separate component. When the hardware protections are implemented in the same processor, the secure environment is typically referred to as a Trusted Execution Environment (TEE) or secure enclave. When they are implemented on a separate component, it may be referred to as a Hardware Security Module (HSM), smart card, Secure Element (SE), or, if you’re Apple, a Secure Exclave. The definitions vary depending on who you ask, but most folks will generally refer to large data-center-scale PCI devices, such as the Marvell LiquidSecurity devices used by Google’s Cloud HSM service, as HSMs. Smaller components, which may be present on the same board as a laptop, phone, or embedded device, are typically referred to as secure elements. These small dedicated components are also sometimes referred to as smart cards, though the prevalence of smart card chips on payment and identification cards has led to a more common association with those passive use cases (e.g. inserted into a reader or brought into proximity with an interrogating device). It all gets quite convoluted, but as this excellent comment from a Stack Overflow user succinctly states:

“In a nutshell, if it hurts when you drop it on your foot, it’s an HSM. If you carry it in your wallet, it’s a smartcard. If it’s a non-removable smartcard, it’s a secure element.”
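The pattern described above, where only the operations that need the secret sit next to it and everything else goes through a narrow interface, can be illustrated in software. The following is an added example, not code from the original article: an in-process stand-in for a secure element that holds an HMAC key and exposes only `sign` and `verify`, plus a host-side token issuer that never sees the key. The class and function names, the 32-byte key, and the token format are assumptions made for the example; a Python object gives no real hardware isolation, so this shows the interface discipline, not the memory protection a TEE or SE provides.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class SecureElement:
    """Constructed stand-in for a secure element: the key is created inside
    the boundary and no accessor returns it; callers get only the operations
    that need the key (sign, verify) plus an audit counter of boundary calls."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Key generated inside the boundary (or injected for deterministic tests).
        self._key = key if key is not None else secrets.token_bytes(32)
        self.ops = 0  # every call across the interface is counted for auditing

    def _mac(self, message: bytes) -> bytes:
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def sign(self, message: bytes) -> bytes:
        """Operation brought to the data: MAC the message, return only the tag."""
        self.ops += 1
        return self._mac(message)

    def verify(self, message: bytes, tag: bytes) -> bool:
        """Constant-time check so the host cannot learn the tag byte by byte."""
        self.ops += 1
        return hmac.compare_digest(self._mac(message), tag)


# Host-side code: it drives the interface but never touches key material.
def issue_token(se: SecureElement, subject: str) -> str:
    """Hypothetical token format: '<subject>.<hex tag>' (assumption for this example)."""
    tag = se.sign(subject.encode())
    return f"{subject}.{tag.hex()}"


def check_token(se: SecureElement, token: str) -> bool:
    """Parse the token and ask the secure element whether the tag is genuine."""
    subject, sep, tag_hex = token.rpartition(".")
    if not sep or not subject:
        return False
    try:
        tag = bytes.fromhex(tag_hex)
    except ValueError:
        return False  # malformed hex: reject without calling into the element
    return se.verify(subject.encode(), tag)


if __name__ == "__main__":
    se = SecureElement()
    token = issue_token(se, "alice")
    print("issued:", token)
    print("valid:", check_token(se, token))
    # Tampering with the subject invalidates the tag.
    print("forged:", check_token(se, "admin" + token[len("alice"):]))
    print("boundary calls:", se.ops)
```

The usage note worth keeping in mind: the host still holds an oracle. A compromised host can ask the element to sign anything while it has access, so the interface limits the damage to the window of compromise (the key cannot be copied out and used elsewhere) rather than preventing misuse outright. The audit counter is there because logging every call across the boundary is how such misuse is detected.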
