MID-060: Dedicated Hardware Cryptographic Modules
Mitigation Level: Intermediate
Description
A hardware-based cryptographic module can be an effective solution for a device when a purely software-based cryptographic library (MID-027) does not sufficiently mitigate the threats of concern (e.g., side-channel attacks or cryptographic key compromise) or cannot meet performance constraints. Dedicated cryptographic modules can implement hardware-based defenses that are not possible in a software library. In processor-constrained designs, hardware acceleration of cryptographic algorithms can make stronger algorithms and larger key sizes practical where a software-only solution could not afford them. As with software cryptographic libraries, implementers should prefer modules that have been examined, tested, and vetted by independent laboratories against industry-approved specifications. Modules should also be evaluated for their protection against side-channel attacks, especially those based on power consumption and electromagnetic emissions.
Note: This has several important distinctions from MID-028 - Hardware-backed Key Storage. In the MID-028 case, key material may reside in hardware-backed or hardware-based storage, but the hardware lacks the means to perform cryptographic operations using that key without exposing it to the system’s processor. A fully hardware cryptographic module is capable of performing cryptographic operations internally on provided data without ever exposing the keys.
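The MID-028 / MID-060 distinction above is easiest to see from the host's side of the interface. The following is an added, constructed Python model (not code from this catalog or from any real HSM or secure-element vendor): one class models a device that can only store a key and must hand it back to the host before use, the other models a module that keeps keys behind its boundary, references them by opaque handle, and refuses export of keys marked non-extractable (the same policy PKCS#11 expresses with the CKA_EXTRACTABLE attribute). All class, method and handle names are invented for the example; the HMAC operation stands in for whatever primitive the real module offers.

```python
"""Constructed model of the MID-028 / MID-060 distinction: a key store that
must hand the key to the host CPU versus a cryptographic module that performs
the operation behind its own boundary. Illustrative simulation only; the class
and method names are invented for this example and do not drive real hardware."""
import hashlib
import hmac
import secrets


class HardwareBackedKeyStore:
    """Models MID-028: the device can hold a key but cannot use it. Any
    cryptographic operation requires the host to fetch the raw key first."""

    def __init__(self):
        self._keys = {}

    def generate_key(self):
        handle = secrets.token_hex(4)
        self._keys[handle] = secrets.token_bytes(32)
        return handle

    def export_key(self, handle):
        # The key crosses the protected boundary into host RAM, where it is
        # exposed to memory disclosure and software side channels.
        return self._keys[handle]


class HardwareCryptoModule:
    """Models MID-060: keys are referenced by handle and used only inside the
    module. Export of a non-extractable key is refused by policy."""

    def __init__(self):
        self._keys = {}  # handle -> (key bytes, extractable flag)

    def generate_key(self, extractable=False):
        handle = secrets.token_hex(4)
        self._keys[handle] = (secrets.token_bytes(32), extractable)
        return handle

    def export_key(self, handle):
        key, extractable = self._keys[handle]
        if not extractable:
            raise PermissionError("key %s is marked non-extractable" % handle)
        return key

    def mac(self, handle, data):
        key, _ = self._keys[handle]
        return hmac.new(key, data, hashlib.sha256).digest()

    def verify(self, handle, data, tag):
        key, _ = self._keys[handle]
        expected = hmac.new(key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time compare


def host_mac_with_key_store(store, handle, data):
    """Host code using the MID-028 device: it must pull the key into its own
    address space to compute anything. Returns the tag and the key bytes that
    ended up in host memory, to make the exposure visible."""
    key = store.export_key(handle)
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return tag, key


def host_mac_with_module(module, handle, data):
    """Host code using the MID-060 device: data goes in, a tag comes out; the
    only key-related value the host ever holds is the opaque handle."""
    tag = module.mac(handle, data)
    return tag, handle


def key_is_exposed_to_host(device, handle):
    """True if host code can obtain raw key bytes from the device."""
    try:
        return isinstance(device.export_key(handle), bytes)
    except PermissionError:
        return False


if __name__ == "__main__":
    message = b"firmware-image-v1.2"  # constructed sample input
    store = HardwareBackedKeyStore()
    h_store = store.generate_key()
    tag, key = host_mac_with_key_store(store, h_store, message)
    print("key store: host now holds %d raw key bytes" % len(key))

    module = HardwareCryptoModule()
    h_mod = module.generate_key()
    tag, ref = host_mac_with_module(module, h_mod, message)
    print("crypto module: host holds only handle %s; verify=%s"
          % (ref, module.verify(h_mod, message, tag)))
    print("exposed to host:", key_is_exposed_to_host(store, h_store),
          key_is_exposed_to_host(module, h_mod))
```

The point of the model is the return value of the two host functions: with the key store the host ends up holding 32 bytes of key material, so any memory-disclosure bug or software side channel on the host processor reaches the key; with the module it holds only a handle, and the key never appears in host memory regardless of how the host is compromised.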
IEC 62443 4-2 Mappings
CR 4.3 – Use of cryptography
CR 1.9 – Strength of public key-based authentication: RE (1) Hardware security for public key-based authentication
CR 1.14 – Strength of symmetric key-based authentication: RE (1) Hardware security for symmetric key-based authentication
CR 1.5 – Authenticator management: RE (1) Hardware security for authenticators
References
[1] NIST. “Cryptographic Module Validation Program.” nist.gov. Accessed: Aug. 28, 2024. [Online]. Available: https://csrc.nist.gov/projects/cryptographic-module-validation-program