Cyber-Security

Common Cryptographic Tools

— Dusty

What are Cryptographic Tools?

As discussed in our previous post on Encryption Keys, most of the encryption process involves publicly known information, such as the inner workings of the algorithm and the key size used. Additionally, your encrypted data may be captured by attackers. Despite this, they cannot decrypt your data without your encryption key.

But if the encryption key is the only thing protecting your data, what is protecting your encryption key?

This is where cryptographic tools come into play. They serve multiple purposes, ranging from generating cryptographic keys to securely storing and managing them.

Types of Cryptographic Tools

Trusted Platform Module (TPM)

A Trusted Platform Module (TPM) is a specialised hardware security chip built into many modern computers. It provides a tamper-resistant environment for storing and generating cryptographic keys and digital certificates.

For example, full-disk encryption solutions like BitLocker store their keys within the TPM to prevent unauthorised access. Additionally, some TPMs are firmware-based rather than discrete chips.

TPMs also offer a number of other secure cryptographic features:

  • Cryptographic Processor: Includes cryptographic processors that can generate random numbers and cryptographic keys for both symmetric and asymmetric encryption.
  • Platform Integrity/Secure Boot: Measures system integrity by verifying if the system’s configurations are unchanged during the boot process.
  • Persistent Memory: Contains a root key (Endorsement Key) established during manufacturing that cannot be altered.
  • Versatile Memory: Capable of storing additional cryptographic data.
  • Security Features: Protects against brute-force attacks by enforcing a global lockout period after a number of unsuccessful authorisation attempts.
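To make the Platform Integrity and Security Features bullets concrete, here is an added example (not code from the original post) that models in software how a TPM measures the boot chain into a Platform Configuration Register and releases a sealed key only when the measurement matches. The extend rule (new PCR = SHA256(old PCR || SHA256(data))) is the real TPM 2.0 operation; ToyTPM, its seal/unseal construction and the lockout counter are a simplified, hypothetical model written for this example, not real TPM firmware, and the boot measurements are constructed values.

```python
"""Added example (not from the original post): a software model of two TPM
behaviours, PCR measurement during boot and sealing a key to that measurement,
plus the lockout after repeated failed authorisations. The extend rule is the
real TPM 2.0 operation; ToyTPM is a hypothetical simplification."""
import hashlib
import hmac
import os

PCR_SIZE = 32  # one register of a SHA-256 PCR bank


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: the register can only be folded forward, never set directly,
    so a changed, missing or reordered boot component yields a different value."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Extend a PCR with each boot stage in order, as firmware and bootloader would."""
    pcr = b"\x00" * PCR_SIZE  # PCRs reset to zero at power-on
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Hypothetical model: a root key fixed at 'manufacture' that never leaves
    the object, seal/unseal bound to a PCR value and an auth value, and a
    lockout counter for failed authorisation attempts."""

    def __init__(self, max_failures: int = 3):
        self._root_key = os.urandom(32)  # stands in for the Endorsement Key
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def _kek(self, pcr: bytes, auth: bytes) -> bytes:
        # Key-encryption key derived from the root key, the expected PCR state and the auth value.
        return hmac.new(self._root_key, pcr + auth, hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes, auth: bytes) -> dict:
        """Wrap a (<=32 byte) secret so it is only recoverable under expected_pcr + auth.
        Toy construction: XOR with the derived key plus an HMAC tag; not real TPM sealing."""
        assert len(secret) <= 32, "toy sealing handles at most 32 bytes"
        kek = self._kek(expected_pcr, auth)
        blob = bytes(a ^ b for a, b in zip(secret, kek))
        tag = hmac.new(kek, blob, hashlib.sha256).digest()
        return {"blob": blob, "tag": tag}

    def unseal(self, sealed: dict, current_pcr: bytes, auth: bytes):
        """Return the secret only if the current PCR and auth reproduce the tag;
        otherwise count a failure and, past the limit, refuse all further attempts."""
        if self.locked:
            raise PermissionError("TPM lockout: too many failed authorisation attempts")
        kek = self._kek(current_pcr, auth)
        expected_tag = hmac.new(kek, sealed["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(sealed["tag"], expected_tag):
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
            return None  # wrong boot state or wrong auth value: key not released
        self.failures = 0
        return bytes(a ^ b for a, b in zip(sealed["blob"], kek))


if __name__ == "__main__":
    # Constructed boot measurements for the demonstration.
    good_chain = [b"firmware v1", b"bootloader", b"kernel 6.1"]
    tampered_chain = [b"firmware v1", b"modified bootloader", b"kernel 6.1"]
    tpm = ToyTPM()
    volume_key = os.urandom(32)  # e.g. a full-disk encryption key
    sealed = tpm.seal(volume_key, measure_boot_chain(good_chain), auth=b"pin")
    print("good boot releases key:", tpm.unseal(sealed, measure_boot_chain(good_chain), b"pin") == volume_key)
    print("tampered boot releases key:", tpm.unseal(sealed, measure_boot_chain(tampered_chain), b"pin") is not None)
```

The point to notice is that the volume key is never compared against the boot chain directly: the key-wrapping key is derived from the measurement, so an altered or reordered stage simply produces a different PCR and the unseal fails, and repeated wrong auth values trip the lockout rather than allowing an unbounded guess loop.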

Hardware Security Module (HSM)

A Hardware Security Module (HSM) is a dedicated, tamper-resistant hardware device used to securely generate, store, and manage cryptographic keys.

Unlike TPMs, HSMs are external devices typically used in highly sensitive environments, such as financial institutions and government agencies.

They can perform functions such as:

  • Key Management: Store, generate and protect up to thousands of cryptographic keys.
  • Cryptographic Processing: Handles encryption, decryption, and digital signing operations, off-loading the computational overhead from other systems.
  • Tamper Detection: HSMs have tamper-resistant features, such as "self-destruct" mechanisms that erase stored keys if unauthorised access or tampering is detected.
  • Cluster Redundancy: Multiple HSMs can be used together in clusters to ensure redundancy in the case of individual failure or power outages. This ensures high availability and reliability for critical systems.

Key Management System (KMS)

A Key Management System (KMS) provides centralised management of cryptographic keys across multiple services and platforms, ensuring secure key generation, storage, distribution, rotation, and destruction.

For example, a KMS can ensure that all keys are generated and stored using a Hardware Security Module, distributed only through secure systems and by authorised parties, and rotated or destroyed on a regular basis.

This can help enforce the requirements for legal, regulatory or industry standard compliance.

Additionally, KMS features include:

  • Multi-Service Support: KMS can be deployed on-premises or through cloud-based solutions, to handle an array of keys from multiple services and platforms.
  • Centralised Management: Provides a single interface for consistent key management across all platforms. Allows for logging of all key activities and associating all actions with specific users.
  • Separation of Duties: KMS can enforce the storage of encryption keys separate from the platform in which the encrypted data is stored. This adds an extra layer of security due to the separation between the keys and the data they encrypt.
  • Regular Rotation: Able to enforce regular rotation of all encryption keys across multiple services and platforms. This ensures that any undetected key compromise is mitigated by the next rotation date.
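The HSM and KMS sections above describe key management in terms of properties (keys generated and kept in protected hardware, every action logged against a principal, keys stored apart from data, regular rotation). The following added example (not code from the original post) models those properties in a small in-memory KMS using envelope encryption: master keys live only inside the ToyKMS object, standing in for keys an HSM would hold, and the application only ever holds key IDs, wrapped data keys and ciphertext. The cipher is a toy HMAC-SHA256 keystream with an HMAC tag, used only so the example runs on the standard library; a real deployment would use AES-GCM. All names, principals and the sample record are hypothetical.

```python
"""Added example (not from the original post): an in-memory model of KMS
behaviour with envelope encryption, per-principal audit logging, separation
of keys from data and versioned rotation. The cipher is a toy stand-in for
AES-GCM; master keys stand in for HSM-held keys. Names are hypothetical."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, VERSION_LEN = 16, 32, 2


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC(key, nonce || counter) blocks."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return _keystream_xor(key, nonce, ct)


class ToyKMS:
    def __init__(self):
        self._versions = {}  # key_id -> list of master key versions (never returned)
        self._acl = {}       # key_id -> principals allowed to use it
        self.audit = []      # every request, with principal and outcome

    def _authorise(self, principal, action, key_id):
        ok = principal in self._acl.get(key_id, set())
        self.audit.append({"principal": principal, "action": action, "key_id": key_id, "ok": ok})
        if not ok:
            raise PermissionError(f"{principal} may not {action} on {key_id}")

    def create_key(self, principal, key_id, allowed_principals):
        self._versions[key_id] = [os.urandom(32)]  # version 0, generated inside the KMS
        self._acl[key_id] = set(allowed_principals)
        self.audit.append({"principal": principal, "action": "create", "key_id": key_id, "ok": True})

    def rotate(self, principal, key_id) -> int:
        """Add a new master key version; older versions stay for decrypting old data."""
        self._authorise(principal, "rotate", key_id)
        self._versions[key_id].append(os.urandom(32))
        return len(self._versions[key_id]) - 1

    def _wrap(self, key_id, dek):
        version = len(self._versions[key_id]) - 1
        return version.to_bytes(VERSION_LEN, "big") + _encrypt(self._versions[key_id][version], dek)

    def _unwrap(self, key_id, wrapped):
        version = int.from_bytes(wrapped[:VERSION_LEN], "big")
        return _decrypt(self._versions[key_id][version], wrapped[VERSION_LEN:])

    def generate_data_key(self, principal, key_id):
        """Envelope encryption: a fresh data key, returned in plaintext for one-time
        use plus wrapped under the current master version for storage beside the data."""
        self._authorise(principal, "generate_data_key", key_id)
        dek = os.urandom(32)
        return dek, self._wrap(key_id, dek)

    def unwrap_data_key(self, principal, key_id, wrapped) -> bytes:
        self._authorise(principal, "unwrap_data_key", key_id)
        return self._unwrap(key_id, wrapped)

    def rewrap_data_key(self, principal, key_id, wrapped) -> bytes:
        """After rotation: move a wrapped data key to the newest master version
        without touching the bulk ciphertext it protects."""
        self._authorise(principal, "rewrap_data_key", key_id)
        return self._wrap(key_id, self._unwrap(key_id, wrapped))


# Application side: holds only key IDs, wrapped data keys and ciphertext.
def store_record(kms, principal, key_id, plaintext) -> dict:
    dek, wrapped = kms.generate_data_key(principal, key_id)
    return {"wrapped_dek": wrapped, "ciphertext": _encrypt(dek, plaintext)}


def read_record(kms, principal, key_id, record) -> bytes:
    dek = kms.unwrap_data_key(principal, key_id, record["wrapped_dek"])
    return _decrypt(dek, record["ciphertext"])
```

Two design points are worth noting. Rotation adds a version rather than replacing the master key, so data wrapped under an earlier version still decrypts and can be re-wrapped in the background; this is what makes the "undetected compromise is mitigated by the next rotation" property workable without re-encrypting every stored record. And because the application calls the KMS for every unwrap, a request from an unexpected principal appears in the audit log with ok=False, which is the signal a detection rule would key on.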

Secure Enclave

A Secure Enclave is an isolated hardware processor that securely handles sensitive data and cryptographic operations separately from the primary system processor.

There are many different vendors using this term to describe slightly different technologies, but it is most commonly known from Apple devices, where it protects device-specific functions. These include tasks such as storing encryption keys, managing biometric data (Touch ID and Face ID), and ensuring secure boot processes.

While some functions of a Secure Enclave are very similar to a TPM, it also has some key functions and features that set it apart:

  • Isolated Processing: Operates independently from the main processor and operating system to ensure security even if the rest of the system is compromised.
  • Protected Memory: Utilises real-time encryption to maintain its own isolated protected memory space.
  • Cryptographic Processing: Uses a True Random Number Generator to ensure secure cryptographic processing and key generation.
  • Root Cryptographic Keys: Maintains a unique cryptographic key tied to each device to ensure sensitive data is protected from unauthorised access.
  • AES Engine: Utilises a dedicated AES256 engine for highly efficient symmetric encryption.
  • Secure Boot ROM: Maintains secure Read-Only Memory that analyses boot configurations and digital signatures to ensure only authorised software is booted.
  • Secure Storage: Secure Enclaves utilise separate non-volatile storage to ensure the security of user encryption keys.