Date posted: 26-Nov-2014
nShield Hardware Security Module
Hardware approach to Security
Victor Mitu, Security Consultant
E-mail: [email protected]; phone number: 0733.505.608
Summary
• Definition and Overview
• nCipher HSM Devices
• Features
• nToken
Definition and Overview
An HSM is a dedicated hardware device that:
• Protects encryption and digital signing keys
• Centralizes key management
• Accelerates cryptographic operations
• Processes sensitive data on the trusted appliance

It adds hardware protection to critical applications such as:
• Public key infrastructures (PKIs)
• Databases
• Web and application servers
nCipher HSM Devices
• Entry-level: nShield
• Enterprise: netHSM
• High-end: nShield Connect
Features
Compatibility and Support
Using standard cryptographic interfaces, it integrates with:
• certSign certSAFE
• Microsoft Certificate Services (PKI)
• Entrust Authority Security Manager
• RSA Certificate Manager
• Oracle Database
• Microsoft SQL Server

Algorithms
• Public key: RSA, Diffie-Hellman, DSA, ElGamal, KCDSA, ECDSA, ECDH
• Symmetric: AES, ARIA, Camellia, CAST, DES, Triple DES, SEED
• Hash and MAC: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, RIPEMD-160, HMAC
(DES and SHA-1 are retained for compatibility with older applications; both are deprecated for new designs.)

Application interfaces: PKCS #11, Microsoft CryptoAPI / CNG, Java JCE, OpenSSL
Features
Security Features
• Physical: tamper-resistant and tamper-responsive enclosure
• Cryptographic components validated to FIPS 140-2 Level 3 and Common Criteria EAL 4+, for use in highly regulated environments; RoHS compliant
• Highly secure client-to-server connections (nToken)
• Secure remote management
• Segregation of duties
Features
High Availability
Tamper-resistant, fault-tolerant security environment:
• Unique dual, hot-swappable power supplies
• Redundant, field-replaceable fans
Clustering:
• Provides high availability and performance
Features
Performance and Scalability
• Signing speed*: 6,000 signing transactions per second (TPS) with RSA 1,024-bit keys; optimized to deliver up to 3,000 TPS when taking advantage of longer, more secure 2,048-bit keys; 500 TPS when 4,096-bit keys are needed
• Ability to use longer keys
• Ability to perform data encryption at high speed
• Protects up to 100 clients (application instances) simultaneously

* Performance may vary depending on operating system, application, network topology, and other factors.
Features
Optional features
• CipherTools: developer software to integrate with applications
• CodeSafe: process sensitive data in custom applications on the HSM
• Database Security Option Pack: manage keys for Microsoft SQL Server encryption
• payShield Cardholder Authentication for nShield: add cardholder authentication functionality to the HSM
• Remote Operator: remotely manage the HSM
• Elliptic Curve (ECC) Activation: activate elliptic curve cryptography on the HSM
nToken
nToken delivers hardware-based HSM client authentication
• PCI strong authentication for nShield Connect clients
• PCI Express cards
nToken
• Is a FIPS 140-2 Level 2 module with Level 3 physical security
• Designed to protect a single signing key used to identify a host
• Proves to an nCipher network-attached HSM that the session was initiated by a client running on that host
• Connects to the host computer via a PCI bus and must be accessed by a custom-written application

Authentication key: when the nToken is enrolled it generates a DSA key pair used for signature generation
• The public half is exported in plain text and transferred to the netHSM
• The private half is encrypted under the module key and exported as an nCipher-format key blob, which is stored on the local host computer
nToken
Firmware Integrity Key: all firmware is signed using a DSA key pair
Firmware Confidentiality Key: all firmware is encrypted using Triple DES to prevent casual decompilation

Services provided by the nToken:
Service | Key / algorithm | Role
Generate Key | AES or DSA | Admin
Wrap Key | AES + HMAC | Admin
Export | DSA public | Admin
Hash | SHA-1 | Admin
Unwrap Key | AES + HMAC | User
Sign | DSA private | User
Zero | DSA private | Admin/User
Show Status | (none) | Admin/User
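The enrollment flow (public half exported in the clear, private half wrapped under the module key as a blob on the host) and the Wrap Key / Unwrap Key / Sign services from the table, modelled end to end as an added Go example. This is illustration code written for this page, not nCipher or Thales code, and it makes three assumptions: Ed25519 stands in for the nToken's DSA pair, the blob format is a hypothetical encrypt-then-MAC layout (AES-256-CTR plus HMAC-SHA256 under keys derived from the module key) rather than the proprietary nCipher format, and the module key, host ID and HSM challenge are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveWrapKeys derives separate encryption and MAC keys from the module
// key (hypothetical scheme; the real nCipher blob format is proprietary).
func deriveWrapKeys(moduleKey []byte) (encKey, macKey []byte) {
	e := sha256.Sum256(append([]byte("wrap-enc:"), moduleKey...))
	m := sha256.Sum256(append([]byte("wrap-mac:"), moduleKey...))
	return e[:], m[:]
}

// WrapKey is the "Wrap Key - AES + HMAC" service, done as encrypt-then-MAC.
// Blob layout: iv || AES-256-CTR ciphertext || HMAC-SHA256 tag.
func WrapKey(moduleKey, plaintext []byte) ([]byte, error) {
	encKey, macKey := deriveWrapKeys(moduleKey)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize, aes.BlockSize+len(plaintext)+sha256.Size)
	if _, err := rand.Read(out); err != nil { // fresh IV for every wrap
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(ct, plaintext)
	out = append(out, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out) // the tag covers both IV and ciphertext
	return mac.Sum(out), nil
}

// UnwrapKey is the "Unwrap Key" service. The tag is checked in constant time
// before decrypting, so a tampered blob or wrong module key yields an error.
func UnwrapKey(moduleKey, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize+sha256.Size {
		return nil, errors.New("key blob too short")
	}
	encKey, macKey := deriveWrapKeys(moduleKey)
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("key blob integrity check failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	return pt, nil
}

// Enroll is "Generate Key" followed by "Export": the public half is returned
// in the clear for the netHSM, the private half only as a wrapped blob for
// the host. Ed25519 stands in for the nToken's DSA pair (assumption).
func Enroll(moduleKey []byte) (pub, blob []byte, err error) {
	pubKey, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	blob, err = WrapKey(moduleKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return pubKey, blob, nil
}

// sessionMessage binds a signature to one host and one HSM challenge, so a
// captured signature cannot be replayed for another session or host.
func sessionMessage(hostID string, nonce []byte) []byte {
	return append([]byte("session-init:"+hostID+":"), nonce...)
}

// SignSessionInit is the host side ("Sign - DSA private by User").
func SignSessionInit(moduleKey, blob []byte, hostID string, nonce []byte) ([]byte, error) {
	priv, err := UnwrapKey(moduleKey, blob)
	if err != nil {
		return nil, err
	}
	if len(priv) != ed25519.PrivateKeySize {
		return nil, errors.New("unwrapped key is not a signing key")
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), sessionMessage(hostID, nonce)), nil
}

// VerifySessionInit is the netHSM side; it holds only the plaintext public half.
func VerifySessionInit(pub []byte, hostID string, nonce, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize &&
		ed25519.Verify(ed25519.PublicKey(pub), sessionMessage(hostID, nonce), sig)
}
```

The point a practitioner should take from the model is the split of trust: the host ever sees only the wrapped blob, the netHSM only the public half, and a session is accepted only when a signature over this host's ID and this challenge verifies. Because the blob is authenticated before decryption, flipping a byte in it or presenting it under a different module key is refused outright rather than producing a corrupted key.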