Recommended Software
- An Office Suite (word processing, email, spreadsheet, etc.)
- Adobe Reader
- A Web Browser
Infor Hospitality Management Solution (HMS) is a hotel property management system built for the cloud with the flexibility, security, efficiency, and mobile capabilities to deliver a great guest experience. With HMS property management software, employees gain access to actionable information about. The HMS IT department will install and maintain an OMERO server for use by on-quad HMS researchers. This effort builds upon the successful use of the OMERO platform by the HMS LINCS project. Initial funding for this comes from the Tools and Technology Committee, HMS IT, and the Harvard Program in Therapeutic Science (HiTS). Core Director- Jay.
Administrative Software
Graphic Design Software
Research Software
HMS IT Supported Operating Systems
Important! If the computer is connected to scientific equipment and runs specialized software, please check with your local IT support team before upgrading.
Mac OS X
HMS IT fully supports the following macOS versions:
- 10.14
- 10.15
macOS 10.13 and older are no longer supported by Apple or HMS IT. HMS IT will provide best-effort support for unsupported operating systems; however, the general recommendation is to upgrade to a newer supported operating system whenever possible.
Use caution when upgrading
Each year, Apple releases a major new operating system in the fall. HMS IT strongly recommends that you do not upgrade right away. New operating systems generally have many new features that are incompatible with existing software applications.
HMS IT starts internal evaluation of new operating systems as early as possible, and generally recommends waiting to upgrade until we've completed that evaluation and Apple has released its first update, usually 10.xx.1.
If you would like guidance on upgrading to a newer version of macOS, please check with your local IT support team or contact the HMS IT Service Desk by emailing itservicedesk@hms.harvard.edu or calling 617-432-2000.
Windows 7
The Windows 7 operating system went end-of-life on January 14, 2020. This means Microsoft will no longer fix security flaws discovered in Windows 7. Continuing to use Windows 7 will expose you, and everyone you work with, to significantly increased risks. If any of the computers you use still have Windows 7, contact your local IT support team or the HMS IT Service Desk immediately to schedule your upgrade to Windows 10.
Windows 10
All new computers purchased from Dell now ship with Windows 10 preinstalled.
If you have a computer that you wish to upgrade to Windows 10, please contact your local IT support team or the HMS IT Service Desk. There are numerous considerations that must be taken into account prior to installing Windows 10. Your local IT support team can assist you by making recommendations, upgrading and providing ongoing support for Windows 10.
HMS and Harvard University are now supporting Windows 10 for common applications. If you use University Administrative Applications, please be sure to follow HUIT's computer standard guidelines (login required).
- Windows 10 Home Edition is not supported on the Harvard Medical School network due to lack of required security features.
- Windows 10 includes an automatic upgrade feature. If you are accessing any university administrative applications and are prompted to upgrade to Windows 10, please decline the upgrade.
A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.[1][2][3]
Design
HSMs may have features that provide tamper evidence such as visible signs of tampering or logging and alerting, or tamper resistance which makes tampering difficult without making the HSM inoperable, or tamper responsiveness such as deleting keys upon tamper detection.[4] Each module contains one or more secure cryptoprocessor chips to prevent tampering and bus probing, or a combination of chips in a module that is protected by the tamper evident, tamper resistant, or tamper responsive packaging.
A vast majority of existing HSMs are designed mainly to manage secret keys. Many HSM systems have means to securely back up the keys they handle outside of the HSM. Keys may be backed up in wrapped form and stored on a computer disk or other media, or externally using a secure portable device like a smartcard or some other security token.[5]
HSMs are used for real-time authorisation and authentication in critical infrastructure, so they are typically engineered to support standard high-availability models including clustering, automated failover, and redundant field-replaceable components.
A few of the HSMs available in the market have the capability to execute specially developed modules within the HSM's secure enclosure. Such an ability is useful, for example, in cases where special algorithms or business logic has to be executed in a secured and controlled environment. The modules can be developed in native C language, .NET, Java, or other programming languages. Further, upcoming next-generation HSMs[6] can handle more complex tasks such as loading and running full operating systems and COTS software without requiring customization and reprogramming. Such unconventional designs overcome existing design and performance limitations of traditional HSMs. While providing the benefit of securing application-specific code, these execution engines protect the status of an HSM's FIPS or Common Criteria validation.
Security
Due to the critical role they play in securing applications and infrastructure, HSMs and/or the cryptographic modules are typically certified to internationally recognized standards such as Common Criteria or FIPS 140 to provide users with independent assurance that the design and implementation of the product and cryptographic algorithms are sound. The highest level of FIPS 140 security certification attainable is Security Level 4 (Overall). When used in financial payments applications, the security of an HSM is often validated against the HSM requirements defined by the Payment Card Industry Security Standards Council.[7]
Uses
A hardware security module can be employed in any application that uses digital keys. Typically the keys would be of high value - meaning there would be a significant, negative impact to the owner of the key if it were compromised.
The functions of an HSM are:
- onboard secure cryptographic key generation
- onboard secure cryptographic key storage, at least for the top level and most sensitive keys, which are often called master keys
- key management
- use of cryptographic and sensitive data material, for example, performing encryption or digital signature functions
- offloading application servers for complete asymmetric and symmetric cryptography.
HSMs are also deployed to manage transparent data encryption keys for databases and keys for storage devices such as disk or tape.
HSMs provide both logical and physical protection of these materials, including cryptographic keys, from disclosure, non-authorized use, and potential adversaries.[8]
HSMs support both symmetric and asymmetric (public-key) cryptography. For some applications, such as certificate authorities and digital signing, the cryptographic material is asymmetric key pairs (and certificates) used in public-key cryptography.[9] With other applications, such as data encryption or financial payment systems, the cryptographic material consists mainly of symmetric keys.
Some HSM systems are also hardware cryptographic accelerators. They usually cannot beat the performance of hardware-only solutions for symmetric key operations. However, with performance ranges from 1 to 10,000 1024-bit RSA signs per second, HSMs can provide significant CPU offload for asymmetric key operations. Since the National Institute of Standards and Technology (NIST) is recommending the use of 2,048 bit RSA keys from year 2010,[10] performance at longer key sizes is becoming increasingly important. To address this issue, most HSMs now support elliptic curve cryptography (ECC), which delivers stronger encryption with shorter key lengths.
PKI environment (CA HSMs)
In PKI environments, the HSMs may be used by certification authorities (CAs) and registration authorities (RAs) to generate, store, and handle asymmetric key pairs. In these cases, there are some fundamental features a device must have, namely:
- Logical and physical high-level protection
- Multi-part user authorization schema (see Blakley-Shamir secret sharing)
- Full audit and log traces
- Secure key backup
On the other hand, device performance in a PKI environment is generally less important, in both online and offline operations, as Registration Authority procedures represent the performance bottleneck of the Infrastructure.
Card payment system HSMs (bank HSMs)
Specialized HSMs are used in the payment card industry. HSMs support both general-purpose functions and specialized functions required to process transactions and comply with industry standards. They normally do not feature a standard API.
Typical applications are transaction authorization and payment card personalization, requiring functions such as:
- verify that a user-entered PIN matches the reference PIN known to the card issuer
- verify credit/debit card transactions by checking card security codes or by performing host processing components of an EMV based transaction in conjunction with an ATM controller or POS terminal
- support a crypto-API with a smart card (such as an EMV)
- re-encrypt a PIN block to send it to another authorization host
- perform secure key management
- support a protocol of POS ATM network management
- support de facto standards of host-host key | data exchange API
- generate and print a 'PIN mailer'
- generate data for a magnetic stripe card (PVV, CVV)
- generate a card keyset and support the personalization process for smart cards
The major organizations that produce and maintain standards for HSMs on the banking market are the Payment Card Industry Security Standards Council, ANS X9, and ISO.
SSL connection establishment
Performance-critical applications that have to use HTTPS (SSL/TLS) can benefit from the use of an SSL Acceleration HSM by moving the RSA operations, which typically require several large integer multiplications, from the host CPU to the HSM device. Typical HSM devices can perform about 1 to 10,000 1024-bit RSA operations/second.[11] Performance at longer key sizes is becoming increasingly important. To address this issue, some HSMs[12] now support ECC. Specialized HSM devices can reach numbers as high as 20,000 operations per second.[13]
DNSSEC
An increasing number of registries use HSMs to store the key material that is used to sign large zonefiles. An open source tool for managing signing of DNS zone files using HSM is OpenDNSSEC.
On January 27, 2007 deployment of DNSSEC for the root zone officially started; it was undertaken by ICANN and Verisign, with support from the U.S. Department of Commerce.[14] Details of the root signature can be found on the Root DNSSEC's website.[15]
Cryptocurrency wallet
Cryptocurrency can be stored in a cryptocurrency wallet on a HSM.[16]
Notes and references
1. Ramakrishnan, Vignesh; Venugopal, Prasanth; Mukherjee, Tuhin (2015). Proceedings of the International Conference on Information Engineering, Management and Security 2015: ICIEMS 2015. Association of Scientists, Developers and Faculties (ASDF). p. 9. ISBN 9788192974279.
2. 'Secure Sensitive Data with the BIG-IP Hardware Security Module' (PDF). F5 Networks. 2012. Retrieved 30 September 2019.
3. Gregg, Michael (2014). CASP CompTIA Advanced Security Practitioner Study Guide: Exam CAS-002. John Wiley & Sons. p. 246. ISBN 9781118930847.
4. 'Electronic Tamper Detection Smart Meter Reference Design'. freescale. Retrieved 26 May 2015.
5. 'Using Smartcard/Security Tokens'. mxc software. Retrieved 26 May 2015.
6. 'World's First Tamper-Proof Server and General Purpose Secure HSM'. Private Machines. Retrieved 7 March 2019.
7. 'Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards'. www.pcisecuritystandards.org. Retrieved 2018-05-01.
8. 'Support for Hardware Security Modules'. paloalto. Archived from the original on 26 May 2015. Retrieved 26 May 2015.
9. 'Application and Transaction Security / HSM'. Provision. Retrieved 26 May 2015.
10. 'Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths'. NIST. January 2011. Retrieved March 29, 2011.
11. F. Demaertelaere. 'Hardware Security Modules' (PDF). Atos Worldline. Archived from the original (PDF) on 6 September 2015. Retrieved 26 May 2015.
12. 'Barco Silex FPGA Design Speeds Transactions In Atos Worldline Hardware Security Module'. Barco-Silex. January 2013. Retrieved April 8, 2013.
13. 'SafeNet Network HSM - Formerly Luna SA Network-Attached HSM'. Gemalto. Retrieved 2017-09-21.
14. 'ICANN Begins Public DNSSEC Test Plan for the Root Zone'. www.circleid.com. Retrieved 2015-08-17.
15. Root DNSSEC
16. 'Gemalto and Ledger Join Forces to Provide Security Infrastructure for Cryptocurrency Based Activities'. gemalto.com. Retrieved 2020-04-20.