Hardening HSMs for Banking-Grade Crypto Wallets

We’ve been using hardware security modules (HSMs) as part of a custody solution used by banks for the safekeeping of cryptocurrency and other tokenized assets, often managing billions of dollars in value.
However, solely relying on built-in security mechanisms of an HSM, even when FIPS 140-3 certified, isn’t enough for this use case. In this talk, we’ll first describe an HSM’s feature set, architecture, security guarantees, and inherent limitations. Then we’ll present tricks and techniques we developed to considerably enhance the security of a crypto wallet. These include measures for attack surface reduction, secure configuration enforcement, request filtering, custom policies, as well as replay protection and state management with minimal statefulness.

By:
Jean-Philippe Aumasson | CSO, Taurus
Chervine Majeri | Engineer, Taurus

Full Abstract and Presentation Materials Available:
https://www.blackhat.com/us-24/briefings/schedule/#hardening-hsms-for-banking-grade-crypto-wallets-38836