Articles:

Building V-OS with HSM

Kok Yik-Siong, Roddy - Cryptography Architect

V-OS is the world’s first virtual secure element, a software solution with security built into the firmware code.  These include secret cryptographic parameters and data, which need to be randomly generated and securely persisted, and are then transformed into code and data files.

Ensuring that this process is secure is paramount, otherwise it will be the very thing to undermine the security that we have painstakingly put in place.  We have deployed this process on a Hardware Security Module (HSM), to provides high quality random bits from a physical source that we need to guarantee unbiased keys.  V-Key builds our own custom firmware for the HSM, for processing V-OS keys, and executes this firmware within the secure confines of the HSM.

With this arrangement, even while running our proprietary security tools with the HSM, the cryptographic secrets and keys never have to leave the secure environs of the HSM memory, be it encrypting license files or wrapping generated keys.

 

Manufacturing Software

We liken the secure build process of the virtual secure element to the manufacturing process of a physical secure element.  We impose on ourselves strict requirements we would expect of a physical manufacturing process.  These include clear red/black separation, single step generation, and access control.

Our HSM codes consist of two main portions; the host executable code running in the host server, and the custom firmware running within the HSM.  We utilize emulator tools to develop and test our codes for both portions, using test values for debugging.  These are rebuilt and migrated to our non-production test HSM, where we can undertake the production process mirroring the production HSM server.  Rigorous testing can then take place in this setup, with fully randomized values, to generate firmware for quality assurance testing.

In production, we utilize an offline HSM server housed in a commercial data center that provides round the clock monitoring and biometric access controls for physical security.  With the required administrative controls, all accesses to this production HSM is tracked.

 

Red/Black Separation

The HSM inherently encourages good red/black separation, which is to ensure that plain data and secrets (red) do not exist in insecure environment (black) like the host machine, and are handled only in the secure (red) environment.  With custom algorithms for building our firmware, we need to find a way to handle these secrets within a HSM’s secure space, prompting us to implement our own custom HSM firmware.  In turn, the design of our key management is done with these in mind.

 

Single Step Generation 

The generation of a firmware involves setting up the required long-term keys, followed by generation of the required secrets and keys in the HSM.  These are then built with existing source libraries and packaged into binaries to be used by the mobile apps.  In addition, for different customers and use scenarios, the process needs to cater to the different configurations they may use and ensure they have a unique set of firmware keys.

This sophisticated process has been streamlined and handled by our single host executable, to make it seamless and straightforward for ourselves and our customers to generate the required firmware binaries.

 

Access Control

Software can be built almost everywhere, as long as a compatible OS is available and there is source code and toolchain access.  With access control imposed on the build process for production, we can maintain control over the creation and distribution of the manufactured virtual secure elements.

We utilize the password controls provided by HSM and OS platform, and implement a split password process, where various critical steps can only be undertaken when two parties with each half of the password are present.  Administrative controls then ensure that no single party will gain access to both halves of a password, even at different times.  These passwords when not in use, are stored securely, and require authorization from management before they can be retrieved for use.  Coupled with the administrative controls imposed by the data center hosting our offline production HSM, we are able to maintain a tight control over the access to our production process.

 

Security Consciousness

When V-Key first embarked on our first batch of production firmware, we made sure that we have a secure process put in place from the start, from getting a trusted data center for physical security to designing the workflow to ensure that security is not compromised for the sake of convenience.  We believe that this security consciousness is essential for building virtual secure elements that we ourselves can trust enough to use.

 

Other articles:
Article:
Heralding a Fintech Revolution: Q&A with Benjamin Mah, CEO, V-Key

Benjamin Mah, CEO of V-Key shares how people-first payment technologies will transform the fintech industry and how digital security pioneer V-Key is enabling this.

Article:
The next wave of Finance: Singapore’s growing Fintech market

With global cumulative investment in financial technology (fintech) forecast to exceed US$150 billion in three to five years, economies around the world are vying to attract fintech innovators and cash in on this growing industry.

Article:
What tomorrow looks like

V-Key is building towards a soon-to-be-realized future where all mobile users can enjoy unprecedented security and convenience. Take a peek ahead with us, and share our vision of what the future of mobile security looks like.

Article:
Mobile security that works for everyone

Article:
Is software-based Biometrics Authentication the solution to ASEAN’s regulatory challenges?

Banks in Southeast Asia should look towards software-based biometrics as the way forward to navigate the regulatory differences in the region and secure their customers’ transactions.

Article:
Three steps to fight the Mobile Security status quo

50 minutes per day. That’s the amount of time an average user spends on Facebook, Facebook Messenger, and Instagram. There are lots of reasons for the “stickiness” of these social networking apps, but a big part of their appeal is what they don’t have—friction.

Article:
Infographic: The next frontier in Banking transformation

As technology evolves, banks and financial institutions have no choice but to innovate. However, when it comes to security, many still rely on traditional, costly methods.

Article:
How does a Virtual Smart card protect a customer if they lose or change their mobile phone?

From banks to government agencies, many organisations are intrigued by and exploring software security solutions such as mobile tokens and mobile identity systems for individual identification, authorisation and authentication.

Article:
V-Key redefines Mobile Cybersecurity

Learn how we’re providing secure software solutions to protect over 30 million users on the edge (on their mobile device) and in the cloud, without the need for a ‘steel fence’. And why we’ve been called ‘free insurance’ for protecting all your mobile transactions.

Article:
V-Key secures UOB Mighty

Slightly over a year into our partnership with UOB, we checked in with Dennis Koh, First Vice President of UOB. He shares with us how V-Key has worked with UOB to secure UOB Mighty; as well as upcoming plans for further enhancing the mobile security experience for UOB’s customers.