
MID-060: Dedicated Hardware Cryptographic Modules

Mitigation Tier: Intermediate

Description

A hardware-based cryptographic module can be an effective solution for a device when a purely software-based cryptographic library (MID-027) does not sufficiently mitigate the threats of concern (e.g., side-channel attacks or cryptographic key compromise) or cannot meet performance constraints. Dedicated cryptographic modules can implement hardware-based defenses that are not possible in a software library. In processor-constrained designs, hardware acceleration of cryptographic algorithms can make stronger algorithms and larger key sizes practical where a software-only solution could not support them. As with software cryptographic libraries, implementers should prefer modules that have been examined, tested, and vetted by independent laboratories according to industry-approved specifications.

Note: This mitigation differs in several important ways from MID-028 - Hardware-backed Key Storage. In the MID-028 case, key material may reside in hardware-backed or hardware-based storage, but the hardware lacks the means to perform cryptographic operations with that key without exposing it to the system’s processor. A full hardware cryptographic module performs cryptographic operations internally on the data it is given, so the keys are never exposed outside the module.
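The boundary described above, as an added software model that is not part of the original page and does not talk to real hardware: callers hold only opaque handles, the module does the HMAC itself, and a key created as sensitive and non-extractable cannot be read back. The attribute names CKA_SENSITIVE, CKA_EXTRACTABLE and CKA_VALUE mirror PKCS#11 conventions so the acceptance check reads like one a practitioner would run against a real module; everything else here is a constructed stand-in.

```python
import hashlib
import hmac
import secrets


class KeyHandleError(Exception):
    """The module refused a request that would expose key material."""


class CryptoModule:
    """MID-060 model: callers get opaque handles and the module performs the
    HMAC itself, so key bytes never cross the boundary into CPU memory.
    (A MID-028 store would instead return the key bytes for the CPU to use.)"""

    def __init__(self):
        self._keys = {}  # handle -> (key bytes, attribute dict)
        self._next_handle = 1

    def generate_key(self, nbytes=32, sensitive=True, extractable=False):
        handle = self._next_handle
        self._next_handle += 1
        attrs = {"CKA_SENSITIVE": sensitive, "CKA_EXTRACTABLE": extractable}
        self._keys[handle] = (secrets.token_bytes(nbytes), attrs)
        return handle

    def get_attribute(self, handle, name):
        key, attrs = self._keys[handle]
        if name != "CKA_VALUE":
            return attrs[name]
        if attrs["CKA_SENSITIVE"] or not attrs["CKA_EXTRACTABLE"]:
            raise KeyHandleError("key value is not readable through this handle")
        return key  # only reachable for a key deliberately created as exportable

    def hmac_sign(self, handle, data):
        key, _ = self._keys[handle]
        return hmac.new(key, data, hashlib.sha256).digest()

    def hmac_verify(self, handle, data, tag):
        return hmac.compare_digest(self.hmac_sign(handle, data), tag)


def key_is_confined(module, handle, sample=b"constructed sample data"):
    """Acceptance check: the module must refuse to release the key value while
    still being able to sign and verify with it."""
    try:
        module.get_attribute(handle, "CKA_VALUE")
        return False  # key material leaked through the attribute query
    except KeyHandleError:
        tag = module.hmac_sign(handle, sample)
        return module.hmac_verify(handle, sample, tag)
```

Against a real module the same check is run through its PKCS#11 (or vendor) API: a key created as sensitive and non-extractable must refuse to return its value yet still sign and verify.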

IEC 62443 4-2 Mappings

  • CR 4.3 – Use of cryptography

  • CR 1.9 – Strength of public key-based authentication - RE (1) Hardware security for public key-based authentication

  • CR 1.14 – Strength of symmetric key-based authentication - RE (1) Hardware security for symmetric key-based authentication

  • CR 1.5 – Authenticator management - RE (1) Hardware security for authenticators
