Article:

Building V-OS with HSM

Kok Yik-Siong, Roddy - Cryptography Architect

V-OS is the world’s first virtual secure element, a software solution with security built into the firmware code.  These include secret cryptographic parameters and data, which need to be randomly generated and securely persisted, and are then transformed into code and data files.

Ensuring that this process is secure is paramount, otherwise it will be the very thing to undermine the security that we have painstakingly put in place.  We have deployed this process on a Hardware Security Module (HSM), to provides high quality random bits from a physical source that we need to guarantee unbiased keys.  V-Key builds our own custom firmware for the HSM, for processing V-OS keys, and executes this firmware within the secure confines of the HSM.

With this arrangement, even while running our proprietary security tools with the HSM, the cryptographic secrets and keys never have to leave the secure environs of the HSM memory, be it encrypting license files or wrapping generated keys.

 

Manufacturing Software

We liken the secure build process of the virtual secure element to the manufacturing process of a physical secure element.  We impose on ourselves strict requirements we would expect of a physical manufacturing process.  These include clear red/black separation, single step generation, and access control.

Our HSM codes consist of two main portions; the host executable code running in the host server, and the custom firmware running within the HSM.  We utilize emulator tools to develop and test our codes for both portions, using test values for debugging.  These are rebuilt and migrated to our non-production test HSM, where we can undertake the production process mirroring the production HSM server.  Rigorous testing can then take place in this setup, with fully randomized values, to generate firmware for quality assurance testing.

In production, we utilize an offline HSM server housed in a commercial data center that provides round the clock monitoring and biometric access controls for physical security.  With the required administrative controls, all accesses to this production HSM is tracked.

 

Red/Black Separation

The HSM inherently encourages good red/black separation, which is to ensure that plain data and secrets (red) do not exist in insecure environment (black) like the host machine, and are handled only in the secure (red) environment.  With custom algorithms for building our firmware, we need to find a way to handle these secrets within a HSM’s secure space, prompting us to implement our own custom HSM firmware.  In turn, the design of our key management is done with these in mind.

 

Single Step Generation 

The generation of a firmware involves setting up the required long-term keys, followed by generation of the required secrets and keys in the HSM.  These are then built with existing source libraries and packaged into binaries to be used by the mobile apps.  In addition, for different customers and use scenarios, the process needs to cater to the different configurations they may use and ensure they have a unique set of firmware keys.

This sophisticated process has been streamlined and handled by our single host executable, to make it seamless and straightforward for ourselves and our customers to generate the required firmware binaries.

 

Access Control

Software can be built almost everywhere, as long as a compatible OS is available and there is source code and toolchain access.  With access control imposed on the build process for production, we can maintain control over the creation and distribution of the manufactured virtual secure elements.

We utilize the password controls provided by HSM and OS platform, and implement a split password process, where various critical steps can only be undertaken when two parties with each half of the password are present.  Administrative controls then ensure that no single party will gain access to both halves of a password, even at different times.  These passwords when not in use, are stored securely, and require authorization from management before they can be retrieved for use.  Coupled with the administrative controls imposed by the data center hosting our offline production HSM, we are able to maintain a tight control over the access to our production process.

 

Security Consciousness

When V-Key first embarked on our first batch of production firmware, we made sure that we have a secure process put in place from the start, from getting a trusted data center for physical security to designing the workflow to ensure that security is not compromised for the sake of convenience.  We believe that this security consciousness is essential for building virtual secure elements that we ourselves can trust enough to use.

  

Other articles:
Article
Beyond OTPs: The Shift to Passwordless Authentication in Banking

The Bangko Sentral ng Pilipinas (BSP) is considering phasing out one-time passwords (OTPs) for digital banking transactions, citing the growing vulnerabilities of this method. BSP Deputy Governor Elmore Capule emphasized that the agency is exploring stronger security measures to make digital banking more resilient, with biometric authentication and other advanced technologies being evaluated as secure alternatives to OTPs.

Article
V-Key Continues to Expand in Australia to Strengthen Digital Identity and Authentication

V-Key strengthens its presence in Australia by participating in the FIDO Alliance events in Melbourne, reinforcing its commitment to digital identity and authentication. With discussions on passkeys, step-up authentication, and regulatory updates, V-Key highlighted how V-Key ID enhances security and trust. As digital transformation accelerates in Australia, V-Key continues to support enterprises in financial services, payment gateways, and government with innovative mobile security solutions. Expanding its local team, V-Key is dedicated to enabling seamless and secure digital interactions through advanced authentication technologies.

Article
Why Passwordless Authentication is the Future of Security

Managing passwords can be challenging. They can be difficult to remember, and often, people reuse them across multiple sites, which makes them a target for cybercriminals. In fact, according to the 2023 Verizon Data Breach Investigations Report (DBIR), over 50% of data breaches are linked to stolen or compromised credentials. This exposes sensitive data, whether it’s banking details, emails, or personal information, to potential risks. 

Article
Protect Your Business All Year with V-Key ID and FIDO2

Lunar New Year is a time for celebration for many people around the world, but it’s also a good opportunity for scammers who are always trying to entice victims to grab the next cheap online shopping deal. A common technique that scammers use is to lure a victim into installing a malware app that can then be used to phish user’s credentials, capture SMS OTPs, or even remotely control the phone to perform banking transactions. 

Article
V-Key’s 2024 Journey in Advancing Digital Security and Empowering Seamless Digital Experiences

As we reflect on 2024, V-Key is proud of the milestones we’ve achieved and the innovations we’ve introduced in the field of digital identity and mobile security. This year, we have remained steadfast in our mission to protect digital experiences and empower businesses with advanced solutions. From key industry events to groundbreaking technological advancements, we’ve continually strived to meet the evolving needs across various sectors.  

Article
5 Simple and Effective Ways to Secure Your Mobile App with V-OS App Shield

For businesses, especially those handling sensitive data or financial transactions, ensuring app security is no longer optional. The risk is real: attacks on mobile apps can lead to reputational damage, regulatory fines, and the loss of user trust.  

V-OS App Shield is a reliable solution designed to safeguard mobile applications. Beyond the basics of security, it offers a cost-effective approach that combines robust protection with ease of use. Here are 5 ways V-OS App Shield can enhance your mobile app security and deliver real-world benefits. 

Article
Securing Mobile Apps and Why It’s Critical for Businesses

Mobile devices continue to become indispensable, with the average smartphone user spending around 88% of their day interacting with apps. This surge in mobile usage highlights an escalating need for businesses to ensure their apps are secure, as the stakes of app security have never been higher. From retail businesses to e-commerce platforms, mobile apps handle sensitive user data and provide access to essential business systems. The consequences of a breach can be devastating, both for businesses and their users. 

Article
Introducing V-OS App Shield: Connect, Deploy and Protect your App in Minutes

Mobile applications are key to daily business operations, customer engagement, and overall functionality. According to Google, the average smartphone user interacting with nearly 10 apps daily and spending about 88% of their time on mobile, the need for strong mobile app protection has never been more pressing. Introducing V-OS App Shield, a revolutionary solution designed to secure your mobile apps fast and easy.

Article
V-Key partners with Bridge Alliance to build a Safer Digital Ecosystem

V-Key, renowned for its advanced security solutions has proudly joined Bridge Alliance as their technology Partner,  solidifying their commitment to innovation and excellence in mobile security. This partnership opens doors to explore new avenues for enhancing authentication experiences and mitigating cybersecurity risks.

Article
Making 2FA/MFA robust against smishing and related attacks

2FA/MFA was introduced to make it harder for attackers, by requiring two or more proofs of identity – also known as authentication factors. These can take many forms, but can be boiled down to: something you know (e.g., a password), something you have (e.g., a cryptographic key), or something you are (e.g., a biometric ID that is unique to you) [1].

However, 2FA/MFA is not a universal panacea that can be picked off a shelf and thrown in to solve any and all challenges presented by attackers.

Article
How do we determine the effectiveness of mobile apps’ security systems?

With the spate of remote working regime due to Coronavirus pandemic, the reliance and growth for video conferencing platform has been exponentially escalated. However, most mobile apps today are nowhere near as secure as we would like them to be.

Article
Is the detection of jailbroken/rooted phone sufficient against threats?

Functions that detect jailbroken/rooted devices are most commonly added to transactional mobile applications, serving as the most basic defense against threats. However, this is nothing but a drop in a bucket.

Article
Why Existing Mobile Software Protections are Insufficient

Recognizing that existing mobile software protections are insufficient against today’s cyber threat landscape, we take a closer look at the main types of software protections in the market.

Article
V-OS Protection against CPU vulnerabilities

Virtually every computing device in the world is made unsafe by the latest disclosures on Central Processing Unit (CPU) vulnerabilities. Find out how the virtual secure element technology is protecting millions of mobile application users against such vulnerabilities.

Article
V-OS Protection against Android Plugin malware

There has been a recent surge in Android malware abusing Android Plugin Frameworks for malicious behavior. DroidPlugin, Parallel Space and VirtualApp are several plugin frameworks that have been abused by malware in recent months to spread Android malware.

Article
Three steps to fight the Mobile Security status quo

Have financial institutions accepted a status quo that sacrifices user experience for increased security? With mobile digital identity quickly becoming central to an entire suite of online services, those who challenge the status quo will set themselves up to prosper and grow. Read more to find out three oft-ignored areas of research.

Article
Cryptography in V-OS

V-OS is the world’s first virtual secure element. Cryptography plays a dual-role in these; to secure and manage the secrets kept within V-OS, and to provide a lightweight yet comprehensive cryptographic library.

Article
How does a Virtual Smart card protect a customer if they lose or change their mobile phone?

From banks to government agencies, many organisations are intrigued by and exploring software security solutions such as mobile tokens and mobile identity systems for individual identification, authorisation and authentication.

Article
Is software-based Biometrics Authentication the solution to ASEAN’s regulatory challenges?

Banks in Southeast Asia should look towards software-based biometrics as the way forward to navigate the regulatory differences in the region and secure their customers’ transactions.

Article
Infographic: The next frontier in Banking transformation

As technology evolves, banks and financial institutions have no choice but to innovate. However, when it comes to security, many still rely on traditional, costly methods.

Article
Mobile Security that works for everyone

Safe, convenient and simple.

Article
The next wave of Finance: Singapore’s growing Fintech market

With global cumulative investment in financial technology (fintech) forecast to exceed US$150 billion in three to five years, economies around the world are vying to attract fintech innovators and cash in on this growing industry.