+ All Categories
Home > Documents > nShield Connect 6000

nShield Connect 6000

Date post: 26-Nov-2014
Upload: ivona-rustem
View: 253 times
Download: 9 times
Share this document with a friend
Embed Size (px)
Popular Tags:
of 14 /14
Page 1: nShield Connect 6000
Page 2: nShield Connect 6000

nShield Hardware Security Module

Hardware approach to Security

Victor MituSecurity Consultant

E-mail: [email protected] number: 0733.505.608

Page 3: nShield Connect 6000

• Definition and Overview

• nCipher HSM Devices

• Features

• nToken


Page 4: nShield Connect 6000

HSM is a dedicated hardware device• Protects Encryption and digital signing keys• Centralized key management• Accelerates cryptographic operations• Processing sensitive data on the trusted appliance

Adds hardware protection to critical applications such as• Public key infrastructures (PKIs) • Databases • Web and application servers

Definition and Overview

Page 5: nShield Connect 6000

nCipher HSM Devices

nShield netHSM nShield Connect

Entry-Level Enterprise High-end

Page 6: nShield Connect 6000


Compatibility and Support

Using standard cryptographic interfaces it integrates with certSign certSAFE Microsoft Certificate Services (PKI) Entrust Authority Security Manager RSA Certificate Manager Oracle Database Microsoft SQL Server

Algorithms Public key algorithms: RSA, Diffie-Hellman, DSA, El-Gamal, KCDSA, ECDSA, ECDH Symmetric algorithms: AES, ARIA, Camellia, CAST, DES, RIPEMD160 HMAC, SEED,

SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,Triple DES

Application interfaces PKCS #11 Microsoft CryptoAPI / CNG Java JCE OpenSSL

Page 7: nShield Connect 6000

• Physical – Temper resistant/Tamper-responsiveness

• The cryptographic components are validated to FIPS 140-2 level 3 Common Criteria EAL 4+ use in highly regulated environments RoHS compliance

• Highly secure Client-to-Server connections (nToken)

• Secure Remote Management

• Segregation of Duties


Security Features

Page 8: nShield Connect 6000

Tamper-resistant, fault tolerant security environment• Unique dual, hot-swap power supplies• Redundant, field-replaceable fansClustering• Providing High-Availability and Performance


High Availability

Page 9: nShield Connect 6000

• Signing speed 6,000 signing transactions per second (TPS) with RSA 1,024-bit keys Optimized to deliver up to 3,000 TPS when taking advantage of longer, more secure,

2,048-bit keys 500 TPS when 4,096-bit keys are needed

• Ability to use longer keys

• Ability to perform data encryption at high speed

• Protects up to 100 clients (application instances simultaneously )

Performance and Scalability

* Performance may vary depending on operating system, application, network topology, and other factors.


Page 10: nShield Connect 6000

Optional features • CipherTools - Developer Software to integrate with applications• CodeSafe - Process sensitive data in custom applications on the HSM• Database Security Option Pack - Manage keys for Microsoft SQL Server

encryption• payShield Cardholder Authentication for nShield - Add cardholder

authentication functionality to the HSM• Remote Operator - Remotely manage the HSM• Elliptic Curve (ECC) Activation - Activate elliptic curve cryptography on

the HSM


Page 11: nShield Connect 6000

nToken delivers Hardware HSM client authentication

• PCI strong authentication for nShield Connect

clients• PCI Express cards


Page 12: nShield Connect 6000

nToken• Is a FIPS 140-2 level 2 module, with level 3 physical security• Designed to protect a single signing key used to identify a host• It also proves to a nCipher network attached HSM that the session was

initiated by a client running on that host • It connects to the host computer via a PCI bus and must be accessed by a

custom written application

Authentication key - when the nToken is enrolled it generates a DSA key pair used for signature generation

• The public half is exported in plain text and transferred to netHSM• The private half is encrypted under the module key and exported to an

nCipher format key blob which is stored on the local host computer


Page 13: nShield Connect 6000

Firmware Integrity Key - all firmware is signed using a DSA key pair

Firmware Confidentiality Key – all firmware is encrypted using Triple DES to prevent casual recompilation

Services – the following services are provided by the nToken• Generate Key – AES or DSA by Admin• Wrap Key – AES + HMAC by Admin• Export – DSA public by Admin• Hash – SHA-1 by Admin• Unwrap Key – AES +HMAC by User• Sign – DSA private by User• Zero – DSA private by Admin/User • Show Status by Admin/User


Page 14: nShield Connect 6000

Thank you!

Victor MituSecurity Consultant

E-mail: [email protected] number: 0733.505.608