Yubico originally developed the YubiHSM to handle the encryption, decryption, and storage of secrets on its own servers. Today the YubiHSM, a hardware security module, is Yubico's offering for easy, affordable, and secure protection of the Yubico OTP authentication secrets stored on an authentication or key server. The device protects those secrets at rest against remote intrusion and against insider threats such as an employee copying the key database.
The current version of the YubiHSM is built around a secure element and moves from the original, larger form factor to a smaller nano design in a molded plastic housing.
Securing Yubico OTP Secrets
The YubiHSM handles the encryption, decryption, and storage of keys. When asked to validate a Yubico OTP, it loads the OTP and the associated encrypted key into its onboard processor, decrypts the OTP under that key, and performs the comparison. It then passes only the validation result and associated data (such as the usage counters) back to the host machine; the decrypted key and the plaintext OTP never leave the YubiHSM hardware. If an authentication server is compromised, the secrets themselves therefore stay inside the YubiHSM, encrypted with a 128-bit AES key, and cannot be copied off for offline use. The caveat a practitioner should keep in mind is that an attacker who controls the host while the module is attached can still submit validation requests to it; the protection is against extraction of the secrets, not against misuse of the host for as long as the intruder holds it.
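As an added illustration, not Yubico's code and not the YubiHSM's actual command set, the Go program below models the split described above: a simulated module holds a master key, hands the host a wrapped copy of each token's AES-128 key for storage at rest, and on validation unwraps that key, decrypts the 16-byte Yubico OTP block, checks its CRC and private UID, and returns only the two counters. The modhex alphabet, the block layout (6-byte private UID, 2-byte session counter, 3-byte timestamp, 1-byte use counter, 2-byte random, 2-byte CRC) and the 0xf0b8 CRC residue are the public Yubico OTP format; the key wrapping (a single raw AES block with no integrity tag), the type and function names (HSM, WrapKey, Validate, tokenOTP, hostAccept), and the demo keys and counter values are constructed for this example only. hostAccept shows what the host does with the counters it gets back: the replay check runs on the host, on data the module was willing to release.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // Yubico modhex alphabet: index of a char = its nibble value
func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b {
		out = append(out, modhex[c>>4], modhex[c&0x0f])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: invalid character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the OTP block CRC (init 0xffff, reflected poly 0x8408); a block ending in a valid CRC yields residue 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 & -(crc & 1)) // xor in the poly when bit 0 is set
		}
	}
	return crc
}

// aes128 builds a one-block AES cipher; it panics on a bad key length (demo only).
func aes128(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// HSM models the module boundary: the master key never leaves it.
type HSM struct{ master []byte }

// WrapKey encrypts a per-token AES-128 key under the master key for storage at rest (simplified: raw block, no integrity tag).
func (h *HSM) WrapKey(tokenKey []byte) []byte {
	wrapped := make([]byte, 16)
	aes128(h.master).Encrypt(wrapped, tokenKey)
	return wrapped
}

// Validate unwraps the key, decrypts the OTP, checks CRC and private UID, and returns only counters; key and plaintext stay inside.
func (h *HSM) Validate(wrappedKey []byte, uid [6]byte, otp string) (session uint16, use uint8, err error) {
	if len(otp) != 44 || len(wrappedKey) != 16 {
		return 0, 0, errors.New("otp must be 44 modhex chars and wrapped key 16 bytes")
	}
	ct, err := modhexDecode(otp[12:]) // chars 0..11 are the public ID
	if err != nil {
		return 0, 0, err
	}
	tokenKey, pt := make([]byte, 16), make([]byte, 16)
	aes128(h.master).Decrypt(tokenKey, wrappedKey)
	aes128(tokenKey).Decrypt(pt, ct)
	if crc16(pt) != 0xf0b8 || !bytes.Equal(pt[:6], uid[:]) {
		return 0, 0, errors.New("CRC or private UID check failed: wrong key, forged or corrupted OTP")
	}
	return binary.LittleEndian.Uint16(pt[6:8]) & 0x7fff, pt[11], nil
}

// tokenOTP plays the YubiKey: build the 16-byte block (uid, session ctr, timestamp, use ctr, random, CRC), encrypt, modhex, prefix ID.
func tokenOTP(publicID, tokenKey []byte, uid [6]byte, session uint16, use uint8, ts uint32, rnd uint16) string {
	pt := make([]byte, 16)
	copy(pt, uid[:])
	binary.LittleEndian.PutUint16(pt[6:], session)
	binary.LittleEndian.PutUint16(pt[8:], uint16(ts))
	pt[10], pt[11] = byte(ts>>16), use
	binary.LittleEndian.PutUint16(pt[12:], rnd)
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14]))
	ct := make([]byte, 16)
	aes128(tokenKey).Encrypt(ct, pt)
	return modhexEncode(publicID) + modhexEncode(ct)
}

// hostAccept is the host's replay policy on the returned counters: the (session, use) pair must move strictly forward.
func hostAccept(lastSession uint16, lastUse uint8, session uint16, use uint8) bool {
	return session > lastSession || (session == lastSession && use > lastUse)
}
```

The property to notice is the signature of Validate: the host supplies a wrapped key, the expected private UID and the OTP string, and gets back two counters and an error. Nothing in that return value lets a compromised host reconstruct the token key, and a tampered or replayed OTP is caught either by the CRC and UID check inside the module or by the counter comparison on the host.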
The YubiHSM has been validated by internet security experts and is currently used by more than 100 organizations, including leading internet companies and US Department of Defense contractors. YubiHSM also protects the YubiCloud, Yubico’s hosted validation service.