Securosys Authorization App - iOS & Android

The Securosys Authorization Apps makes it easy to protect keys with multi-authorization policies. Stakeholders can be notified of pending approval tasks, review them, and approve them.

The Authorization App works with Securosys Hardware Security Modules (HSMs), both CloudHSM and on-premise Primus HSM. With its simple deployment process, the app can be rolled out to new approvers within minutes.

The Authorization App leverages a unique features of Primus HSMs: Smart Key Attributes (SKAs). SKAs make it possible to define customizable policies for authorizing key usage, including quorums, timelocks, and timeouts. With the N out of M quorum concept, the HSM enforces that private key operations are only executed after the required number of stakeholders approve the operation.

Use Cases

Any system that requires multiple people to approve an operation before it is executed can benefit from multi-authorization that is enforced inside the secure HSM environment. Practical examples are blockchain transactions, code signing, and PKI root key operations.

Architecture

The Authorization App integrates with the Securosys Transaction Security Broker (TSB). The TSB orchestrates the multi-authorization process. First, business applications request key usages from the TSB. The TSB then notifies the Authorization Apps of the registered approvers and collects their approvals. Once enough approvals are present, the TSB forwards the key usage request to the HSM.

Protecting Keys with Multi-Authorization

Multi-authorization relies on a public-private key pair to be issued to each approver and stored in their Authorization App. During creation of a key that should be protected with multi-authorization the SKA metadata is defined. This metadata specifies the policy under which the key can be used. This policy can list the quorum approvers, and identifies possible approvers via their public keys.

The workflow of protecting keys with multi-authorization looks as follows:

1. Generate approver keys: The Approver Manager generates private/public key pairs and certificates for each approver on the HSM through REST API calls.
2. Onboard the Authorization App: To set up the Authorization App, the approver's private key is loaded into the app. The Approver Manager provides a one-time onboarding code (OTC) and additional configuration details to complete the setup process.
3. Generate policy-protected keys: The business application generates an SKA-enabled key on the HSM, embedding the approver certificates into the key policy and specifying the quorum requirements.
4. Approve cryptographic requests: The business application starts a transaction using the SKA key. The SKA policy is checked, and approvers receive a prompt in the Authorization App to review it. The transaction is executed on the HSM only if all approval conditions set by the SKA policy are met.

This setup offers centralized management of approvers, seamless certificate issuance, an efficient onboarding process, and robust capabilities for backing up and restoring approver certificates. It provides security, scalability, and operational efficiency.

App Features

In the Authorization App, users can perform the following actions:

• Authorize key usage tasks such as:
  • Sign (blockchain transaction signing, document signing, certificate signing, Docker image signing)
  • Decrypt (unseal, Database decryption, Docker image decryption)
  • Unwrap key (secure key import, IoT device key unwrapping)
• Authorize key management tasks such as:
  • Block key (fraudulent transaction prevention, revocation)
  • Unblock key (restoring suspended operations)
  • Modify Key (key policy modification)

Target Audience

This documentation is intended for:

• Users of the Securosys Authorization App who need to approve key usages.
• Administrators managing a Securoys HSM and Transaction Security Broker.

Support Contact

If you encounter a problem while installing or configuring the Securosys Authorization App, please ensure that you have read the referenced documentation. If you cannot resolve the issue, please contact Securosys Customer Support.

For specific inquiries and inquiries on customizing the Securosys Authorization App to fit your business needs, please feel free to open a ticket on our support portal.

What's Next

• Read the quickstart guide to setup up the Authorization App.
• For more detailed step-by-step guides, visit the tutorial section:
  • 1. Authorization App
  • 2. Approver Management
  • 3. Create and Approve Requests
• Learn about the various Use Cases for the Securosys Authorization App.