YubiHSM

Yubico is the leading provider of simple, open online identity protection.
It just makes sense to put the tightest security on the servers that store the guarded secrets for all user authentications. If those servers are compromised, every cryptographic key and password resident on them is compromised as well — in other words, a disaster.

Yubico originally developed the YubiHSM to process the encryption, decryption, and storage of secrets on its own servers. Today, the YubiHSM, a hardware security module, is Yubico’s offering for easy, affordable, and secure protection of authentication secrets related to the Yubico OTP stored on the authentication or key server. The device protects data at rest against remotely conducted intrusion attacks and internal threats like employees copying secrets.

The current version of YubiHSM features a secure element and a change from the original larger form factor to a smaller nano design with a molded plastic harness.

Securing Yubico OTP Secrets
The YubiHSM processes the encryption, decryption, and storage of keys. When called to validate a Yubico OTP, it loads the OTP and the associated encrypted key into its onboard processor and performs the decryption and comparison there. It then passes only the validation result and associated data (such as usage counters) back to the host machine; the decrypted key and the plaintext OTP never leave the YubiHSM hardware. This provides a high level of security for secrets should an authentication server become compromised: the secrets themselves remain secure in the YubiHSM hardware, encrypted with a 128-bit AES key.
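The validation flow described above, as an added example that is not Yubico's code or the YubiHSM's real command set: a Go model of the device boundary. It assumes a hypothetical master key under which each YubiKey's AES key is stored wrapped by the host (simplified here to one AES-ECB block, not the real wrapping format), takes the 16-byte token already modhex-decoded by the host, and returns only the verdict and the token's counters, which the host then uses for its own replay check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
)

// crc16 is the ISO 13239 CRC carried in every Yubico OTP; a genuine 16-byte token leaves residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // xor in the reflected polynomial when the low bit is set
		}
	}
	return crc
}

// HSM is the trust boundary. The (hypothetical) master key never leaves the device; the host
// keeps each YubiKey's AES key wrapped under it (simplified to one AES-ECB block, not the real format).
type HSM struct{ master [16]byte }

// Result is everything that crosses back to the host: the verdict and the token's counters.
type Result struct {
	OK      bool
	Session uint16 // token bytes 6..7, little-endian; increments on each power-up
	Use     uint8  // token byte 11; increments on each OTP within a session
}

// Validate unwraps the key, decrypts the token and checks it. The unwrapped key and the
// plaintext exist only in locals here, modelling secrets that never leave the hardware.
func (h *HSM) Validate(wrappedKey, token [16]byte, privID [6]byte) Result {
	mc, _ := aes.NewCipher(h.master[:])
	var key [16]byte
	mc.Decrypt(key[:], wrappedKey[:]) // unwrap inside the device
	kc, _ := aes.NewCipher(key[:])
	var pt [16]byte
	kc.Decrypt(pt[:], token[:])
	if crc16(pt[:]) != 0xf0b8 || !bytes.Equal(pt[:6], privID[:]) {
		return Result{} // wrong key, tampered token, or another YubiKey's private ID
	}
	return Result{OK: true, Session: binary.LittleEndian.Uint16(pt[6:8]), Use: pt[11]}
}

// Newer is the host's replay check on the returned counters: (session, use) must strictly grow.
func Newer(r Result, lastSession uint16, lastUse uint8) bool {
	return r.Session > lastSession || (r.Session == lastSession && r.Use > lastUse)
}
```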

Trusted Solution
The YubiHSM has been validated by internet security experts and is currently used by more than 100 organizations, including leading internet companies and US Department of Defense contractors. YubiHSM also protects the YubiCloud, Yubico’s hosted validation service.


Core YubiHSM Features

    • Works with any standard USB port, across multiple operating systems including Linux and Microsoft Windows.
    • Offers encryption with a Message Authentication Code (MAC), HMAC-SHA1 hashing, AES encryption/decryption, and cryptographic True Random Number Generation.
    • Provides a physically isolated environment for cryptographic processing.
    • Has no moving parts and requires no additional maintenance once installed.
    • Capable of supporting any counter-based OTP protocol including YubiOTP (Yubico’s OTP implementation) and OATH-HOTP authentication.

A Range of Use Cases

    • Authentication Service: You run an authentication service; secrets are stored on a computer that has to be accessible from the internet and you are concerned it will be hacked some day.
    • Restrict Access: You want to prevent system administrators and staff who have physical access to the server from copying the database and gaining access to sensitive data.
    • Prevent Compromise: You need an architecture that prevents a hacker from compromising your secrets, but allows you to run your service full speed.
    • Support YubiKeys: You have a smaller fleet of YubiKeys and want to do the authentication yourself without having to implement a complete authentication server with a database.


For more information or if you would like to buy this product, write to us.

ICONS is a leading technology company and the sole distributor of this product in India.