Thales HSMs Secure Hitachi’s Finger Vein Biometrics
How Thales is Helping to Secure a BioPKI Solution that Facilitates electronic Signatures of Documents in the Banking Sector
The Challenge: Securing a Ground-Breaking Authentication technology in a Highly Regulated Industry
As a global leader in the development of technology for consumers, business and governments, Hitachi saw the opportunity for its Finger Vein biometric authentication system to revolutionize digital signatures in the banking sector.
Using the blood vessel pattern inside the finger to authenticate a person’s identity, Finger Vein technology offers a precise, efficient and advanced form of biometric authentication. When applied to the banking industry, Hitachi’s technology would allow banks to authenticate users in less than one second by comparing a real-time scan of a finger with the customer’s Finger Vein profile stored in a database. Using Finger Vein technology would reduce a bank’s use of paper documents, minimizing costs related to printing, scanning, indexing, transport, archiving and shredding of paper documents.
The key to the success of this authentication technology in the banking sector would be the security of its biometric digital signatures, or BioPKI, an alternative to the traditional model of digital signature. Finger Vein BioPKI is a mix of biometrics and PKI and requires the use of Finger Vein authentication to manage the access to the user’s private key which is stored securely in the bank’s back office system. Hitachi knew that for Finger Vein technology to gain wide acceptance within the banking community, it would need a highly secure solution to protect the authentication process and any associated stored data.
Key Benefits of Using Thales HSMs
- Automate risk-prone administrative tasks, guarantee key recovery, and eliminate costly manually-intensive backup processes
- Enable secure execution of custom security-critical application code within the tamper-resistant hardware boundary
- Support high volume, enterprise transactions with accelerated transaction rates
- Simplify scaling as security needs expand with flexible architecture
- Reduce the cost of traveling to data centers with a Remote Administration feature
- Establish strong separation of duties through robust administration policies including role-based multifactor authentication and quorum-based authorization
The Solution: Role of Thales HSMs
Hitachi chose Thales nShield Connect Hardware Security Modules for use in its BioPKI deployment in the Central Eastern Europe (CEE) market. Access to private keys for the Finger Vein authentication is protected by a certified Thales HSM, a highly secure and tamper-resistant device located in the back office of the bank, where it is responsible for the creation of the digital signature and for protecting secret keys. Thales’ unique CodeSafe capability is used to execute custom signature creation code inside the certified security boundary of the HSM.
The implementation of this innovative biometric solution for customer authentication in bank branches in Poland was the first in Europe, and based on experience gained during the practical implementation of projects in the financial sector in Poland, Hitachi now recommends its BioPKI customers to use Thales HSMs. The Thales hardware has been successfully used to implement biometric digital signatures in Banks such as BZ WBK (pilot project in branches) and Getin Noble Bank (branches and VTMs).
Hitachi’s solution is well matched to the requirements of the applicable laws in Poland. Meeting the expectations of auditors and regulators was possible thanks to, among other things, the use of Thales HSMs for storing and protecting the private keys.
About the Solution
Thales nShield HSMs provide a tamper-resistant environment for secure cryptographic processing and key management. nShield HSMs are certified and meet established and emerging security standards for cryptographic systems while staying highly efficient. nShield HSMs isolate and protect cryptographic operations and keys for organizations’ most critical applications. nShield HSMs perform encryption, digital signing, and key management for an extensive range of applications including public key infrastructures (PKIs), SSL/TLS, and code signing. nShield HSMs are high-assurance alternatives to software-based cryptography – supporting all leading algorithms and featuring world-class ECC performance.
CodeSafe is a unique capability of Thales HSMs which enables developers to execute applications within the certified security boundary of the HSM, protecting them from threats such as insider attacks, malware, and Trojans that they would be vulnerable to on typical server platforms.