
What is Securosys Authorization App

The Securosys Authorization App is a lightweight mobile application designed for scenarios where stakeholders need to authorize cryptographic operations, such as signing, decryption, and unsealing, as well as key modifications. The Authorization App works with CloudHSM or on-premises Primus HSM. With its quick and simple deployment process and the available integrations, the app can be rolled out to approvers within minutes, allowing for the smooth implementation of multi-authorization schemes.

The application leverages one of the unique features of Securosys Primus HSMs, Smart Key Attribute (SKA) keys, which allow highly customizable policies for authorizing operations and transactions and make it easy to manage key blocking/unblocking and policy adjustments. Policies can require single-user or multi-quorum approvals before a task request is approved, implement security protocols that activate based on time-lock settings, and much more. Smart Key Attributes leverage the N out of M quorum concept, ensuring that operations are approved only after the required number of stakeholders provide their authorization.

The Securosys Authorization App supports a broad range of use cases and enables true multi-authorization within your application landscape. These use cases include, but are not limited to, authorization of blockchain transactions, database decryption, code signing, PKI root key operations, or enforcement of sole control for signature services in accordance with eIDAS (the European standard for electronic identification, authentication, and trust services).

[Figure: Securosys Authorization App architecture]


The Authorization App integrates with the Securosys Transaction Security Broker (TSB), which facilitates communication via a REST API, orchestrates approval collection, and manages internal states. Furthermore, the TSB connects the Authorization App to the Securosys Primus HSM, whether on-premises or in CloudHSM, where Smart-Key-Attribute (SKA) enabled keys are securely managed and authorization policies are enforced.

Multi-Authorization Setup


The multi-authorization workflow relies on public/private key pairs and certificates issued for each Approver (users of the Authorization App). These approver certificates are then linked to key policies within the SKA (Smart-Key-Attribute) scheme during key creation.

To enable the use of the Authorization App, the following steps are required:

  1. Creation of Approver Key Pairs and Certificates: The Approver Manager generates private/public key pairs and certificates for each Approver on the HSM through REST API calls.
  2. Onboarding the Approver App: The Approver App is configured by loading the approver private key. A one-time onboarding PIN (OTP) and other configuration details are provided to the Approver by the Approver Manager to facilitate the onboarding.
  3. SKA-Key Generation: The business application generates an SKA-enabled key on the HSM, embedding the approver certificates into the key policy to meet the specified quorum requirements.
  4. Transaction Approval: The business application initiates a transaction using the SKA-key. Before executing the operation, the SKA policy is verified, and Approvers are prompted via the Authorization App to approve or reject the request. The transaction is performed on the HSM only when the approval conditions in the SKA policy are satisfied.

This setup meets the needs of enterprises by offering centralized management of Approvers, seamless certificate issuance, an efficient onboarding process, and robust capabilities for backing up and restoring approver certificates, ensuring security, scalability, and operational efficiency for organizations.
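
A minimal model of the check behind step 4, added here as an illustration and not Securosys code or the SKA policy format: an operation is released only when the time lock has passed and a quorum of distinct approvers named in the key policy have each approved this exact request. The policy layout, names and keys are constructed, and HMAC stands in for the approvers' certificate-based signatures so the block runs on the Python standard library alone.

```python
import hashlib
import hmac

# Constructed approver secrets. HMAC is a stand-in (assumption) for the
# signature each approver's private key would produce in the real scheme.
APPROVER_KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}

# Hypothetical policy model: 2 of 3 approvers, usable only after not_before.
POLICY = {"approvers": {"alice", "bob", "carol"}, "quorum": 2,
          "not_before": 1_700_000_000}


def request_digest(key_name: str, operation: str, payload: bytes) -> bytes:
    """Bind an approval to one key, one operation and one payload."""
    h = hashlib.sha256()
    for part in (key_name.encode(), operation.encode(), payload):
        # Length-prefix each field so field boundaries are unambiguous.
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def approve(approver: str, digest: bytes) -> tuple[str, bytes]:
    """What an approver's device returns: (approver id, tag over the digest)."""
    tag = hmac.new(APPROVER_KEYS[approver], digest, hashlib.sha256).digest()
    return approver, tag


def is_authorized(policy: dict, digest: bytes, approvals: list, now: float) -> bool:
    """True only if the time lock has passed and a quorum of distinct,
    policy-listed approvers produced a valid tag over this exact digest."""
    if now < policy["not_before"]:
        return False
    valid = set()
    for approver, tag in approvals:
        key = APPROVER_KEYS.get(approver)
        if approver not in policy["approvers"] or key is None:
            continue  # approver is not named in the key policy
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            valid.add(approver)  # a set: a repeated approval counts once
    return len(valid) >= policy["quorum"]
```

Because each approval covers the request digest, an approval collected for one payload cannot be reused to release a different one.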

Capabilities

The Authorization App enables users to approve or reject SKA-key tasks at two levels: key usage for cryptographic operations, and key management activities.

  • Authorization of cryptographic operation key usage tasks:

    • Sign
    • Decrypt
    • Unwrap (unseal)
  • Authorization of key management tasks:

    • Block key
    • Unblock key
    • Modify Key

The SKA feature inherently allows for the definition of individual policies and approver quorums, tailored to key usage, blocking, unblocking, and policy modifications. See Smart Key Attributes for more granular information.

Target Audience

This document is intended for the users of the Securosys Authorization App as well as Administrators familiar with Securosys Hardware Security Modules and Transaction Security Broker.

Support Contact

If you encounter a problem while installing or configuring the Securosys Authorization App, please ensure that you have read the referenced documentation. If you cannot resolve the issue, please contact Securosys Customer Support.

For specific inquiries, including questions about customizing the Securosys Authorization App to fit your business needs, please feel free to open a ticket on our Securosys Support Portal.

What's Next

For a smooth start with the Securosys Authorization App:

  • Consult the Quickstart chapter for a comprehensive task listing.
  • See the various Use Cases for the Securosys Authorization App.
  • For detailed step-by-step instructions, read and follow the Installation chapter.
  • For step-by-step guides on individual features, visit the Tutorial section.
  • See information about new and old Concepts introduced and used in this document.