Utimaco · Aachen, Germany · © 2020 utimaco.com Page 1
Creating Trust in the Digital Society
Is it Time to Upgrade your Ax160?
Manish Upasani, Product Manager - Atalla
Market Trends: Technology, Regulations, Customer Behavior
Digital Disruption: Perfect storm within the payment ecosystem
“U.S. financial institutions cyber security market is the largest and fastest growing in the private sector; its cumulative 2016-2020 market size is forecasted to exceed $68 Billion.”
Technology: FinTech, Mobile Payments, Virtual Banks, IoT, Blockchain
Customer behavior: Anytime, anywhere banking; more choices, less constraints; access to third-party services; easy apps
Regulations: PSD2, SOX, GDPR, PCI
Within the Banking Industry
Significant Challenges
Adopting New Technologies
Competing Against New Entrants
Protecting Against New Security Threats
Staying Compliant as Mandates Grow and Change
A History Steeped in Innovation (timeline from 1973 to 2020)
Atalla Founded: 1973
Corporate milestones shown: Tandem Atalla Acquisition; Compaq Atalla Acquisition; HP Atalla Acquisition; HPE Atalla Company Split; Micro Focus Atalla Acquisition; Utimaco Atalla Unite!
Products shown: Reveal Atalla Box; Atalla PayMaster & Atalla A4000; First TDES HSM; Compaq’s TrustMaster & Ax000; Ax100; Ax150; Ax160; AT1000
Other years marked on the timeline: 1975, 1987, 1996, 1997, 1998, 2000, 2002, 2006, 2010, 2015, 2017, 2018, 2020
Back in the Game! Ambitious Road Map. New product releases every quarter.
About us
Utimaco is an international provider of » cyber security & compliance solutions « with headquarters in Aachen, Germany & Campbell, California
Private company, founded 1964
50+ years in IT and 35+ years in IT-Security
280+ highly skilled experts
58 Mio € Revenue FY 18/19
Worldwide customer and partner network in more than 90 countries
We protect: People & IDs, Transactions, Investments, Data & Ideas
▪ People and digital identities against terrorism and cyber crime
▪ Data in motion, IoT devices & financial transactions against theft and sabotage – in the cloud and on premise
▪ Digital economy and digital transformation processes against theft, abuse and manipulation
With proven, future-proof technology, products and solutions that meet regulation & compliance standards
Cyber Security & Compliance Solutions
Information Security (encryption-based, high-security solutions): Hardware Security Modules; Key Management; Enterprise Data Protection
Telecom Solutions (compliance solutions for telecommunication providers): Lawful Interception Mediation System; Data Retention Suite; Lawful Interception Test Suite
Key Use Cases
Meeting Standards and Compliance
PCI PTS HSM: ensures the logical and physical security needed to protect cardholder data
FIPS 140-2 Level 3: U.S. government standard for cryptographic modules; Level 3 adds physical tamper resistance and identity-based operator authentication
TR-31 Key Block: key blocks protect the secrecy and integrity of encrypted keys
Payment Processing Standards: MasterCard, Visa, American Express, Union Pay, Discover, RuPay, EuroPay
Banking transactions in 34 countries around the world are secured with a Utimaco Atalla AT1000!
Introducing Utimaco Atalla Payment Solutions
A FIPS 140-2 Level 3 & PCI PTS v3 certified payment Hardware Security Module (HSM) used by payment service providers, acquirers, processors, issuers, and payment networks across the globe to protect sensitive data, cardholder authentication and the associated cryptographic keys for non-cash retail payment transactions.
Key Verticals: Financial Services, Retail, Payment Processors
Credit, Debit/ATM cards: Acquirer, Issuer, Merchants
Key Injection: ATM/POS/Terminals
Tokenization, IoT, Card Personalization
E-Wallets, Online and Mobile Payments
Key Advantages
01 ENHANCED SECURITY │ Built using the Atalla Key Block (AKB), the AT1000 offers AES Master Key support and meets the TR-31 requirements for key lifecycle management.
02 COMPLIANCE DRIVEN │ FIPS 140-2 Level 3 and PCI PTS v3 certified in both controlled and uncontrolled environments. One of the highest security and compliance levels in the industry.
03 EASY MIGRATION │ Backward compatible and offered in both Variant and AKB modes, allowing you to easily replace outdated variant-based and key-block-based HSMs with the AT1000.
04 TRUE REMOTE MANAGEMENT │ Compliant remote management lets you control HSMs from multiple locations, as well as monitor audit logging using remote syslog and SNMP alerts.
05 HIGH PERFORMING & CLOUD READY │ Leverage up to 10,000 TPS across up to 10 partitions (separate environments), so one HSM can be used in multiple ways.
Which regulations drive the HSM
Compliance Driven - Atalla AT1000 Certifications
Track record of leading, defining and shaping standardization and regulations; these are the ones the AT1000 adheres to today.
FIPS 140-2 Level 3: Atalla AT1000 is certified – Certificate # 3059
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3059
PCI PTS HSM 3.0: Atalla AT1000 is certified – Certificate 4-80041 (Hardware Part #: HW-AT-HSM-V1, Firmware #: 8.22)
https://www.pcisecuritystandards.org/popups/pts_device.php?appnum=4-70041
PCI PIN compliant
Point to Point Encryption: P2PE validation can be achieved using Atalla HSMs
https://www.microfocus.com/media/analystpaper/hardware_security_module_leadership_atalla_hsm_analysis.pdf
SP800-90A Rev. 1: modern random number generator
https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final
PCI PTS
Background
In order for cryptographic keys to provide reliable security, two areas must be addressed:
▪ Protect the integrity of the key, including the order of the key parts for algorithms that require multiple key parts, for example TDEA.
▪ Bind the type/purpose to the key so that it cannot be used for anything but its designated purpose, for example so that a PIN-encrypting key cannot be used as a key-encrypting key, or vice versa.
2014: A new precedent was set by PCI to improve the security of keys with the implementation of key blocks. Also known as key bundling, this greatly improves the security of symmetric keys that are shared among payment participants to protect PINs and other sensitive data.
2017: This requirement was modified to ensure its achievability – implementation is to be done in three phases. The first phase deadline was June 2019. The Ax160 is only PCI PTS v1 certified and therefore out of compliance.
What are Key Blocks?
(Figure: three key blocks, each laid out as Header | MAC | Encrypted Key, carrying the key parts k1, k2 and k3.)
▪ A key block is a means of using one or more blocks to bind key parts to additional information about the resulting key.
▪ Key bundling is the use of key blocks as it applies to Triple Data Encryption Algorithm (TDEA) keys, also known as Triple DES. A key bundle by itself is clear text: not encrypted and not protected from modification. When it is bundled or wrapped into a key block, cryptographic operations provide both confidentiality and integrity protection, so the key cannot be manipulated.
Triple DES / TDEA encryption: an ordered set of key parts, each a single DEA key. The order of the key parts is critical to the strength of the resulting TDEA encryption.
Key blocks:
▪ Prevent attacking a TDEA key as a pair of single DES keys.
▪ Provide a way to validate the integrity of the header and key.
▪ Provide a way to control the key’s usage (encrypt, decrypt, both).
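The following is an added example, not Utimaco code and not a byte-compatible TR-31 implementation, written to make the two requirements above concrete: it wraps a double-length TDEA key once the legacy "variant" way (each part encrypted under MFK XOR variant, no integrity value) and once as a key block (header, encrypted key and a MAC that binds the header to the clear key), then attempts the two manipulations the slides name, reordering the key parts and relabelling a PIN key as a key-encrypting key. Assumptions of the demo: the block cipher is a toy 8-byte Feistel network built on HMAC-SHA256 (a deterministic, invertible stand-in for TDEA/AES, not secure), the header field names are borrowed from TR-31 but the layout is this example's own, and the variant values and all key material are constructed test data.

```python
"""Added example: variant wrap vs. key block, with tamper attempts on each."""
import hashlib
import hmac

BLOCK = 8  # TDEA block size; each single-DES key part is one block


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _block_cipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Toy 4-round Feistel cipher on one 8-byte block (rounds reversed to decrypt)."""
    l, r = block[:4], block[4:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, _xor(l, _prf(key, bytes([i]) + r)[:4])
    return r + l


def _ecb(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    return b"".join(_block_cipher(key, data[i:i + BLOCK], decrypt)
                    for i in range(0, len(data), BLOCK))


def _cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out += _xor(_block_cipher(key, blk, True), prev)
            prev = blk
        else:
            prev = _block_cipher(key, _xor(blk, prev))
            out += prev
    return out


# Legacy variant wrap: each key part is encrypted on its own under MFK XOR
# variant. The variant encodes the key's purpose, but nothing is authenticated.
PIN_VARIANT = bytes(15) + b"\x01"   # hypothetical variant values, not Atalla's
KEK_VARIANT = bytes(15) + b"\x02"


def variant_wrap(mfk: bytes, variant: bytes, key: bytes) -> bytes:
    return _ecb(_xor(mfk, variant), key)


def variant_unwrap(mfk: bytes, variant: bytes, wrapped: bytes) -> bytes:
    return _ecb(_xor(mfk, variant), wrapped, decrypt=True)


# Key block: header || CBC-encrypted key || MAC. The MAC covers the header and
# the clear key, so neither can be changed without detection.
def make_header(usage: bytes, algorithm: bytes, mode: bytes, key_len: int) -> bytes:
    """usage b'P0' PIN encryption / b'K0' key encryption, algorithm b'T' TDEA,
    mode b'E' encrypt-only; 8 bytes in total (layout is this demo's own)."""
    return b"D" + usage + algorithm + mode + b"%03d" % key_len


def _derive(kbpk: bytes):
    # Separate encryption and MAC keys from the key block protection key
    # (TR-31 does the same, using CMAC rather than HMAC).
    return _prf(kbpk, b"ENC")[:16], _prf(kbpk, b"MAC")[:16]


def keyblock_wrap(kbpk: bytes, header: bytes, key: bytes) -> bytes:
    kbek, kbak = _derive(kbpk)
    mac = _prf(kbak, header + key)[:BLOCK]
    return header + _cbc(kbek, mac, key) + mac   # the MAC also serves as CBC IV


def keyblock_unwrap(kbpk: bytes, blob: bytes):
    kbek, kbak = _derive(kbpk)
    header, enc, mac = blob[:8], blob[8:-BLOCK], blob[-BLOCK:]
    key = _cbc(kbek, mac, enc, decrypt=True)
    if not hmac.compare_digest(mac, _prf(kbak, header + key)[:BLOCK]):
        raise ValueError("key block integrity check failed")
    return header, key


def rejected(kbpk: bytes, blob: bytes) -> bool:
    try:
        keyblock_unwrap(kbpk, blob)
    except ValueError:
        return True
    return False


# Constructed test material, not real key values.
MFK, KBPK = bytes(range(16)), bytes(range(16, 32))
K1, K2 = b"\x11" * 8, b"\x22" * 8        # the two parts of a double-length TDEA key


def swap_parts(wrapped: bytes) -> bytes:
    return wrapped[BLOCK:2 * BLOCK] + wrapped[:BLOCK]


def variant_swap_result() -> bytes:
    """Swapped variant-wrapped parts unwrap without any error, yielding K2||K1."""
    return variant_unwrap(MFK, PIN_VARIANT, swap_parts(variant_wrap(MFK, PIN_VARIANT, K1 + K2)))


def keyblock_results() -> dict:
    blob = keyblock_wrap(KBPK, make_header(b"P0", b"T", b"E", 16), K1 + K2)
    swapped = blob[:8] + swap_parts(blob[8:-BLOCK]) + blob[-BLOCK:]
    repurposed = make_header(b"K0", b"T", b"E", 16) + blob[8:]   # PIN key relabelled as KEK
    return {"intact": keyblock_unwrap(KBPK, blob)[1] == K1 + K2,
            "swap_rejected": rejected(KBPK, swapped),
            "repurpose_rejected": rejected(KBPK, repurposed)}


if __name__ == "__main__":
    print(variant_swap_result() == K2 + K1, keyblock_results())
```

Run as a script it reports that the variant-wrapped key silently unwraps to K2||K1 after the swap, while the key block rejects both the swapped ciphertext and the relabelled header. The point to take from it is the one behind Stage 1 of the PCI timeline: with a variant scheme the HSM has no way to tell a manipulated wrapped key from a genuine one, whereas the key block MAC fails closed.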
What do I need to do to prepare?
(Figure: at each stage the keys concerned are shown wrapped as Header | MAC | Encrypted Key.)
2019, Stage 1 – Internal Key Storage / Usage: All locally stored keys must be managed in key block format. Diagram: the MFK protecting the key database, with stored keys such as E.MFK(KEK) and E.MFK(KATM).
2021, Stage 2 – Network Key Exchange: Keys we share for translation (send and receive, or verify / decrypt) need to be in TR-31 key block format. Diagram: working keys exchanged as E.KEK(WK) in TR-31 format.
2023, Stage 3 – POS / ATM Key Management: All keys must be in key block format. Diagram: the ATM PIN pad key-encrypting key (KATM) delivered as E.KEK(KATM) in TR-34 format, with PINs sent as E.ATM(PIN).
Note: while the Ax160 does support key blocks, it is not PCI PTS v3 certified and therefore out of compliance.
In-Field Upgradeable Performance
Buy the AT1000, complete with out-of-the-box commands, at the 80 TPS tier. If you need more throughput, simply upgrade the TPS tier on the fly: 80, 280, 1,080 and 10,000 TPS.
Highest performing HSM on the market at 10,000 TPS
Experience upgrades in real time
NO more having to decide between hardware models!
Only use what you need, when you need it!
Now 10x faster than before!
More flexibility, greater partitioning power!
Licensing Controls

AT1000 performance licensing   Host connection licensing   Domain licensing              Ax160 comparison
80 TPS (default license)       1 host (default license)    2 domains (default license)   A8160
280 TPS (license)              8 hosts (license)           5 domains (license)           A9160
1,080 TPS (license)            64 hosts (license)          10 domains (license)          A10160
10,000 TPS (license)           128 hosts (license)

Extended performance: 1,500 – 9,500 TPS in increments of 500 TPS, up to 10,000 TPS!
NEW! Secure Configuration Assistant – Windows (SCA-W)
Configure commands, define parameters, calculate cryptograms, and inject cryptographic keys.
Even More Secure: Delivered on a FIPS 140-2 Level 3 platform and conforms to best security practices, keeping it secure against corruption and potential malware injection. Supports identity-based authentication, encrypted communication and protected cryptographic key component storage.
True Remote Management: Not offered by any other HSM on the market. Loading MFKs and lower-level keys does not need to be done at the same time at the same location; key custodians can be geographically dispersed.
Capacity & Incident Monitoring: Robust audit log, reporting and alerts, with time synced to a trusted NTP server.
User-friendly Design: Say goodbye to traditional tablets. Now delivered in a USB form factor, the SCA-W implements the well-regarded SCA-3 as a user-friendly application that runs on your own company-managed Microsoft Windows computer.
Partitioning Capabilities of the AT1000
Moving to Multi Domains: We’re Ready When You Are!
1 Partition = 1 Master File Key (MFK). Separate environments, different TCP ports.
(Figure: one AT1000 hosting separate partitions for PIN translations, key generation and key injection, serving applications such as ACI, FIS and Diebold, each partition under its own administrator: Security Admin 1, Security Admin 2.)
▪ Consolidate multiple payment applications onto one HSM.
▪ Enable multiple domains that run independently of each other and support multiple use cases at the same time.
▪ Isolate access, security policies and administrative access per partition.
1. Begin to adopt partitioning capabilities.
2. Leverage within the cloud.
3. Emerge as a cryptography service provider to your internal customers, providing an HSMaaS model.
Legacy Ax160 vs. Next Generation AT1000
CERTIFICATIONS
  Legacy Ax160:    PCI PTS HSM v1 & FIPS 140-2 L3 certified
  Next Gen AT1000: PCI PTS HSM v3 & FIPS 140-2 L3 certified
ALGORITHMS
  Legacy Ax160:    TDES key support (predominantly)
  Next Gen AT1000: TDES, AES keys, 4096-bit RSA keys
FORM FACTOR
  Legacy Ax160:    2U
  Next Gen AT1000: 1U
POWER SUPPLY
  Legacy Ax160:    Mandatory battery replacement necessary
  Next Gen AT1000: Lifetime battery pack; no battery replacement required
REPLACEABILITY
  Legacy Ax160:    No field replaceable components
  Next Gen AT1000: Field replaceable power supply
NETWORK PORTS
  Legacy Ax160:    2 NIC (2nd via license)
  Next Gen AT1000: 4 NIC, NIC bonding
DEPLOYMENT
  Legacy Ax160:    Mandatory access required to the USB port
  Next Gen AT1000: Full remote management & front panel display
Legacy Ax160 vs. Next Generation AT1000 (continued)
ADMINISTRATION
  Legacy Ax160:    (SCA-3) Local administration (PCI HSM mode); cable clutter
  Next Gen AT1000: (SCA-W) Full remote administration after initial network settings; no cables
MONITORING
  Legacy Ax160:    No SNMP support
  Next Gen AT1000: SNMP support & syslog
PERFORMANCE UPGRADES
  Legacy Ax160:    Performance upgrade requires hardware exchange
  Next Gen AT1000: Field performance upgrade via license, without hardware exchange
PERFORMANCE
  Legacy Ax160:    1,080 TPS
  Next Gen AT1000: 10,000 TPS
LICENSING
  Legacy Ax160:    Separate license required for base or enhanced firmware; additional licenses required for custom commands
  Next Gen AT1000: All commands included out-of-the-box (both base and enhanced)
SOFTWARE UPGRADES
  Legacy Ax160:    Software upgrade 45-60 minutes; USB required for SW updates, config files and log files
  Next Gen AT1000: Software upgrade 5 minutes; 2 HDDs for storage; USB optional for config files
Utimaco Atalla AT1000 Security Features
Physical security & back up
Supports NIC bonding, 4x1 Gbps ▪ No single point of failure ▪ Traffic failover ▪ Separation of management network and production traffic
Dual control ▪ Double-locking bezel with Medeco pick-resistant locks (unique locks with their own pair of keys, and rack mount screws behind the bezel) ▪ Dual access enforced to complete a configuration change
Tamper-evident labels ▪ Serialized and PCI compliant delivery
Front panel display ▪ Designed for lights-out datacenters ▪ Easy configuration
Enhanced battery life ▪ No in-field replacement required, voltage monitoring
Dual RAID1 hard disk drives ▪ Encrypted, cannot be used outside the HSM ▪ Store config.prm, software image file, logs, TLS certificates
Environmental and tamper protection ▪ Temperature sensors ▪ Voltage/current sensors ▪ Humidity sensors ▪ Active tamper zeroization
Fully redundant hardware ▪ Power supplies ▪ Hard drives ▪ Network Interface Cards (NIC)
Policy-controlled (M of N) backup of HSM configuration ▪ HSM’s security association ▪ HSM’s security policy (commands) ▪ HSM’s MFK (master key) ▪ Time based (expiry date), usage based (# of restores)
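The M-of-N, policy-limited backup listed above (and the geographically dispersed key custodians mentioned with the SCA-W) rest on the same idea: no single custodian holds the master key, and a restore is only possible when enough of them act together and the backup policy still allows it. The following added example, not Utimaco code and not the AT1000's backup format, demonstrates that idea with Shamir secret sharing over a prime field: a master key is split into N custodian shares, any M of them reconstruct it, fewer than M yield nothing useful, and the two limits named on the slide, expiry date and number of restores, are enforced at restore time. The field, the share format and the policy record are this example's own assumptions.

```python
"""Added example: M-of-N master key backup with expiry and restore-count limits."""
import secrets
from dataclasses import dataclass
from datetime import date

P = 2**521 - 1   # Mersenne prime; secrets up to 64 bytes fit as field elements


def _poly(coeffs: list, x: int) -> int:
    acc = 0
    for c in reversed(coeffs):          # Horner's rule, mod P
        acc = (acc * x + c) % P
    return acc


def split(secret: bytes, m: int, n: int) -> list:
    """N shares (x, y) on a random degree-(M-1) polynomial whose constant term is the secret."""
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]


def combine(shares: list) -> int:
    """Lagrange interpolation at x = 0; correct only with at least M distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


@dataclass
class Backup:
    """Policy record kept with the backup (hypothetical layout, not the AT1000's)."""
    threshold: int          # M custodians required
    secret_len: int         # key length in bytes
    expires: date           # time-based limit
    max_restores: int       # usage-based limit
    restores_done: int = 0

    def restore(self, shares: list, today: date) -> bytes:
        if today > self.expires:
            raise PermissionError("backup expired")
        if self.restores_done >= self.max_restores:
            raise PermissionError("restore quota exhausted")
        if len(shares) < self.threshold:
            raise PermissionError("fewer than M custodians present")
        key = combine(shares[: self.threshold]).to_bytes(self.secret_len, "big")
        self.restores_done += 1
        return key


def _rejected(backup: Backup, shares: list, today: date) -> bool:
    try:
        backup.restore(shares, today)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    mfk = bytes(range(16))               # constructed 16-byte MFK, not a real key
    shares = split(mfk, m=3, n=5)        # 5 custodians, any 3 can restore
    b = Backup(threshold=3, secret_len=16, expires=date(2021, 12, 31), max_restores=1)
    out = {"restored": b.restore([shares[0], shares[2], shares[4]], date(2020, 6, 1)) == mfk,
           "quota_rejected": _rejected(b, shares[:3], date(2020, 6, 2))}   # second restore
    b2 = Backup(threshold=3, secret_len=16, expires=date(2021, 12, 31), max_restores=1)
    out["two_shares_rejected"] = _rejected(b2, shares[:2], date(2020, 6, 1))
    out["expired_rejected"] = _rejected(b2, shares[:3], date(2022, 1, 1))
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The threshold check happens before interpolation because `combine` with fewer than M shares does not fail, it simply returns a wrong value, so a real implementation must never let the caller learn whether a short set was "close". And the policy counters live with the backup rather than with the custodians, which is what makes the limits enforceable by the device rather than by trust in the people holding shares.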
Let Us Help You Make the Transition
We continue to migrate customers over to the Utimaco Atalla AT1000!
Step 1: Decide if the AT1000 will fully replace legacy HSMs or operate in a mixed environment. The sooner you start the upgrade, the more flexibility you have for the implementation, such as adding a phased approach or testing environments.
Step 2: Next, we help you transfer MFK components. Some customers have the information readily accessible and can transfer manually. In other circumstances, we can perform a card-to-card migration or create a new MFK.
Step 3: Finally, we generate a report outlining the cryptographic functionality enabled on existing Ax160 HSMs and map it to your new AT1000 HSMs.
Utimaco’s vision to enable customer transition to the hybrid cloud
uTrust Platform Solutions & Services
MOVE KEYS TO/FROM THE CLOUD
• Move keys to/from on-prem to the cloud. Transport keys across public clouds and hybrid environments.
• Manage keys: create, store, rotate & protect
RUN KEY MANAGEMENT & HSMs
• Secure key escrow & exchange services
• Operate HSMs on behalf of the customer
BUILD HSMaaS & KMS CLUSTERS
• Enable private & public cloud service providers to build their own IaaS & PaaS cryptographic services.
Sneak peek: Atalla HSMs in Cloud
Managed: a fully automated HSMaaS for payment HSMs (production and testing)
True Cloud HSM: Utimaco operates the HSMs on your behalf and provides key lifecycle operations
Near-Cloud Payment HSM: helping you to elevate Atalla HSMs to the cloud; you control and operate the HSMs
First Version of Atalla Cloud – Product Launch: June 2020
Ask About Our Complementary Solutions
From IoT to Enterprise Key Management, Utimaco can serve all your cyber security needs.
Block-safe: Secures sensitive identity keys and data used in blockchain-based distributed computing platforms.
Q-safe: Supports firmware and algorithm upgrades using CryptoScript, accommodating evolving demands on encryption such as PQC.
ESKM: Protects sensitive information, such as payment cardholder data, with strong encryption key management.
Creating Trust in the Digital Society
Thank you for your attention!
Utimaco Inc.
900 East Hamilton Avenue, Campbell, CA 95008, United States of America
Phone +1 (844) UTI-MACO
https://[email protected]
Copyright © 2019 – Utimaco GmbH. Utimaco® is a trademark of Utimaco GmbH. All other named trademarks are trademarks of the particular copyright holder. All rights reserved. Specifications are subject to change without notice.
Start Evaluating AT1000 today
Your path to the AT1000
(Figure: Customer Application with a publicly routable IP, connected over private routing infrastructure to public clouds.)
Leverage AT1000 multi-tenancy capability to enable an HSMaaS testbed.
Connect your application directly to the AT1000 over a trusted VPN, the Internet, or directly into the public cloud of your choice where your application resides.
1. Start testing the AT1000 with one domain. Meet PCI compliance by separating test and live environments.
• Get 60 days unlimited access to an AT1000 to complete your app integration
2. Build your staging environment in our cloud
• Access additional HSM instances based on your configuration and transaction volumes.
• Beta test new features and functionality with Utimaco’s continuous releases
3. Explore how Utimaco can manage production HSMs on your behalf.
• Leverage Utimaco’s dedicated key admins & custodians to reduce your in-house key management.
• Maintain control of your keys while reducing the scope of your PCI compliance.
CALL TO ACTION: Submit a request to