Scribd Logo
Upload

Welcome to Scribd!

  • Nshield Connect 6000

    Uploaded by

    Ivona Rustem
    230 views14 pages

    Original Title

    nShield Connect 6000

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    230 views14 pages

    Nshield Connect 6000

    Uploaded by

    Ivona Rustem

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    of 14

    nShield

    Hardware Security Module


    Hardware approach to Security

    Victor Mitu
    Security Consultant
    E-mail: victor@provision.ro
    Phone number: 0733.505.608
    Summary

    • Definition and Overview

    • nCipher HSM Devices

    • Features

    • nToken
    Definition and Overview

    HSM is a dedicated hardware device


    • Protects Encryption and digital signing keys
    • Centralized key management
    • Accelerates cryptographic operations
    • Processing sensitive data on the trusted appliance

    Adds hardware protection to critical applications such as


    • Public key infrastructures (PKIs)
    • Databases
    • Web and application servers
    nCipher HSM Devices

    nShield netHSM nShield Connect

    Entry-Level Enterprise High-end


    Features

    Compatibility and Support


    Using standard cryptographic interfaces it integrates with
     certSign certSAFE
     Microsoft Certificate Services (PKI)
     Entrust Authority Security Manager
     RSA Certificate Manager
     Oracle Database
     Microsoft SQL Server

    Algorithms
     Public key algorithms: RSA, Diffie-Hellman, DSA, El-Gamal, KCDSA, ECDSA, ECDH
     Symmetric algorithms: AES, ARIA, Camellia, CAST, DES, RIPEMD160 HMAC, SEED,
    SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,Triple DES

    Application interfaces
     PKCS #11
     Microsoft CryptoAPI / CNG
     Java JCE
     OpenSSL
    Features

    Security Features
    • Physical – Temper resistant/Tamper-responsiveness

    • The cryptographic components are validated to


     FIPS 140-2 level 3
     Common Criteria EAL 4+ use in highly regulated environments
     RoHS compliance

    • Highly secure Client-to-Server connections (nToken)

    • Secure Remote Management

    • Segregation of Duties
    Features

    High Availability

    Tamper-resistant, fault tolerant security environment


    • Unique dual, hot-swap power supplies
    • Redundant, field-replaceable fans
    Clustering
    • Providing High-Availability and Performance
    Features

    Performance and Scalability

    • Signing speed
     6,000 signing transactions per second (TPS) with RSA 1,024-bit keys
     Optimized to deliver up to 3,000 TPS when taking advantage of longer, more secure,
    2,048-bit keys
     500 TPS when 4,096-bit keys are needed

    • Ability to use longer keys

    • Ability to perform data encryption at high speed

    • Protects up to 100 clients (application instances simultaneously )

    * Performance may vary depending on operating system, application, network topology, and other factors.
    Features

    Optional features

    • CipherTools - Developer Software to integrate with applications


    • CodeSafe - Process sensitive data in custom applications on the HSM
    • Database Security Option Pack - Manage keys for Microsoft SQL Server
    encryption
    • payShield Cardholder Authentication for nShield - Add cardholder
    authentication functionality to the HSM
    • Remote Operator - Remotely manage the HSM
    • Elliptic Curve (ECC) Activation - Activate elliptic curve cryptography on the
    HSM
    nToken

    nToken delivers Hardware HSM client authentication

    • PCI
    strong authentication for nShield Connect
    clients
    • PCI Express cards
    nToken

    nToken
    • Is a FIPS 140-2 level 2 module, with level 3 physical security
    • Designed to protect a single signing key used to identify a host
    • It also proves to a nCipher network attached HSM that the session was
    initiated by a client running on that host
    • It connects to the host computer via a PCI bus and must be accessed by a
    custom written application

    Authentication key - when the nToken is enrolled it generates a DSA key pair
    used for signature generation
    • The public half is exported in plain text and transferred to netHSM
    • The private half is encrypted under the module key and exported to an
    nCipher format key blob which is stored on the local host computer
    nToken

    Firmware Integrity Key - all firmware is signed using a DSA key pair

    Firmware Confidentiality Key – all firmware is encrypted using Triple DES to


    prevent casual recompilation

    Services – the following services are provided by the nToken


    • Generate Key – AES or DSA by Admin
    • Wrap Key – AES + HMAC by Admin
    • Export – DSA public by Admin
    • Hash – SHA-1 by Admin
    • Unwrap Key – AES +HMAC by User
    • Sign – DSA private by User
    • Zero – DSA private by Admin/User
    • Show Status by Admin/User
    Thank you!

    Victor Mitu
    Security Consultant
    E-mail: victor@provision.ro
    Phone number: 0733.505.608

    You might also like