Home
You have arrived at version 2 of the Bali HSM Proxy™ project. This project implements the client side of the low energy bluetooth based protocol used to communicate with a Crater Dog Technologies™ hardware security module (HSM) code named ArmorD™. To learn about a prototype implementation of an ArmorD device click here.
The following diagram shows how both components fit into the larger
Bali Nebula™ architecture.
The HSM proxy implements the Bali Crypto Interface and can be plugged into the Bali Digital Notary™ component of the architecture.
Public key cryptography is used by computer systems everywhere to ensure that they are "who" they claim to be and to keep the communications with those systems confidential. But the security of this approach depends on preventing the private key from being stolen. For systems that are running in a physically secure environment like the cloud, this is no problem. But what about mobile devices which may be lost or stolen and with them their private keys?
The ArmorD™ device provides a patented mechanism to protect a private key in a way that permits a mobile device using the HSM proxy to digitally sign any reasonably sized byte stream (<10K bytes). This allows the user of an application running on the mobile device to safely perform a multitude of security related tasks including:
- Automatically unlocking their mobile device or laptop computer
- Logging the user into a website without the use of a password or two factor authentication
- Authorizing a business transaction with a merchant either at a brick and mortar store or online
- Signing a legal document in a way that cannot be forged or tampered with
What makes this approach special is the fact that neither the ArmorD™ nor the mobile device maintains the private key, so if either one of them is lost or stolen, the private key cannot be compromised. In fact, the private key is never actually stored anywhere. And yet, the public key is available to anyone and can be used to validate the digital signature that was created using the private key.
The Bali HSM Proxy™ communicates with the remote ArmorD™ device to provide the following simple low level cryptographic operations that can be used to construct a multitude of higher level security applications:
- generateKeys - generates a new public-private key pair and returns the public key
- rotateKeys - replaces the existing public-private key pair with a new one and returns the new public key
- eraseKeys - erases any existing key pair
- digestBytes - returns a SHA512 digital digest for a specified array of bytes
- signBytes - uses the private key to generate a digital signature for a specified array of bytes and returns the signature
- validSignature? - checks to see whether or not a specified array of bytes and a digital signature of those bytes was generated using the private key associated with a specified public key
A user carrying both a mobile device containing the Bali HSM Proxy™ and a wearable device containing the ArmorD™ HSM with them can use applications running on their mobile device to perform many security related tasks without worrying about whether or not the private key that is being used by the applications to digitally sign things is safe. The private key does not reside anywhere and therefore cannot be stolen or compromised.
To dive in deeper on the parts of the HSM proxy that interest you most, click on links listed in
the side bar in the upper right corner