Playing with Hardware Security Modules (HSMs) and other Hardware-related Stuff

This page lists a series of theses offered by Utimaco.

Utimaco is a global provider of professional IT security solutions with headquarters in Aachen, Germany, and Campbell (CA), USA. It is the leading manufacturer in the development of hardware security modules and of compliance solutions for telecommunications providers in the field of regulation.

If you are interested in any of these theses, contact Christopher Meyer, Product Manager HSM, christopher.meyer@utimaco.com (and put juraj.somorovsky@upb.de in cc).

Facing Cloud Crypto Challenges: An Open Standard RESTful Crypto API

With the steadily growing adoption of Cloud, and especially of SaaS and PaaS deployments, there is an increasing demand for standards on how to use crypto without any clients. As the cloud's native language, REST appears to be a natural choice for building a cloud crypto API. Additionally, there is a trend to make APIs easy to use and secure by default by taking the heavy lifting of algorithm and parameter choice away from the user (please refer to NaCl: Networking and Cryptography library, libsodium and Tink for details).

The objective of this research proposal is to design a lightweight, RESTful Crypto API that combines simplicity and secure-by-default attributes. To make it highly adoptable, the design should follow zero-trust principles (please refer to Zero Trust for details). As a PoC the project committee will present a fully functional implementation interacting with a state-of-the-art Hardware Security Module.

Scientific Contribution

  • Evaluation of secure algorithm and parameter choices that make the API hard to "misuse"

  • Design of an Open Standard that provides a completely new way of using crypto in the cloud

  • Evaluation of how far zero trust models can be applied to APIs, Crypto APIs in particular

Requirements

  • Strong Background in Cryptography

  • Experience in designing RESTful APIs

Frodo without a Ring - Real-world implementation of a PQC Key Exchange Mechanism

Due to the advantages of quantum computers, most of the widely used asymmetric crypto algorithms (RSA, ECDSA, DH, ECDH) will be considered insecure, with a devastating impact on data security. Therefore, "NIST has initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms" (for more details please refer to Post-Quantum Cryptography Standardization).

The objective of this thesis is to implement and optimize the "FRODO" algorithm for key encapsulation in a Utimaco SecurityServer Hardware Security Module (HSM) and compare it to an already existing implementation of the "New Hope" key exchange algorithm.

Scientific Contribution

  • Evaluation of a new cryptographic interface and security architecture

  • Evaluating coding best practices under real world conditions

Requirements

  • Coding skills in C/C++

  • Background in Cryptography

  • Ideally experience with PQC

Hard as Granite - Porting Software to Trusted Execution Environments

A Trusted Execution Environment (TEE) can be used as an isolated execution environment to provide enhanced protection for code and data. It offers isolated execution, confidentiality and integrity, and as such can add significant value for applications with a special need for security guarantees (please refer to Trusted Execution Environment for more details).

Hardware Security Modules act as a secure vault for cryptographic keys and passwords and thus prevent incidents such as key theft, manipulation or misuse. Since attacks mainly target the weakest link in the chain, most real-life attacks on HSMs focus on misusing already authenticated access to an HSM by either hijacking a client machine or stealing HSM credentials stored on the client machine.

The objective of this thesis is the evaluation and development of a PoC for protecting sensitive information and moving critical parts of an existing HSM client into the TEE. The main goal is to protect the HSM client and any HSM credentials stored on it.

Scientific Contribution

  • Evaluation of how existing applications can benefit from a TEE without a complete rewrite

  • Evaluation of the practicality of middleware solutions for TEEs

  • Evaluating coding best practices under real world conditions

Requirements

  • Coding skills in C/C++

  • Hands-on experience with TEEs such as SGX or TrustZone

  • Background in Cryptography

Taming the Beasts - Connecting OpenSSL and PKCS#11

OpenSSL is introducing the new concept of “Providers”. A provider, in OpenSSL terms (for more details refer to [1]), is a unit of code that provides one or more implementations for various operations with different algorithms. An operation represents one of the basic cryptographic functions, such as encryption/decryption, key derivation, MAC calculation, signing/verification, etc.

The objective of this thesis is the development of an OpenSSL provider that implements a bridging interface to PKCS#11. As a proof of concept, the student is given access to a Utimaco SecurityServer HSM and its PKCS#11 implementation to test the provider in a real-world setup.

Scientific Contribution

  • Evaluation of a new cryptographic interface and security architecture

  • Evaluating coding best practices under real world conditions

Requirements

  • Coding skills in C/C++

  • Hands-on experience with cryptographic interfaces - ideally OpenSSL and PKCS#11

  • Background in Cryptography

Further information: