Towards a scalable secure element cluster: a recommendation on hardware configuration

Abstract

Hardware-protected storage of key material and secure processing of cryptographic operations are required in data centers as well as in IoT applications in the field. Currently, the available hardware satisfies this demand only poorly. Small-scale applications use a smart card or secure element to satisfy their needs. Large-scale enterprise deployments make use of specially designed Hardware Security Modules. These two options offer little choice and no solution for demands that fall between them: the available options are either too weak or too large-scale. Therefore, the existing solutions are unsuitable for medium-sized use cases. This paper describes a new, scalable approach for storing key material securely and performing cryptographic operations under changing demands. The solution introduces a device based on clustered secure elements to provide configuration options for performance, longevity, load distribution, partitioning, and costs. After describing the overall cluster architecture, the thesis presents two prototype builds with their complete hardware and software stack. All cluster functionality of the prototypes is encapsulated in a newly developed PKCS #11 library, providing far better compatibility with software solutions than existing secure element grids. The properties of the prototypes are studied in detail to improve the final cluster design. Based on performance and durability analyses of the prototype, the thesis introduces a scaling scheme for determining the optimal cluster configuration for given load requirements.

Publication
TU Wien