Вы находитесь на странице: 1из 20

Protect Server HSM

Product Overview

SafeNet Confidential and Proprietary

Agenda
What is an HSM?
Protect Server - Product Description
Questions and Answers

SafeNet Confidential and Proprietary

What is an HSM?

SafeNet Confidential and Proprietary

Why use an HSM?


HSMs are used to store vital data objects (e.g. cryptographic keys) in
a secure environment in a separate physical device
Securely generate and protect sensitive encryption keys in hardware
Symmetric Keys
Asymmetric Keys

Protect sensitive applications deployed in un-trusted or hostile


environments
Accelerate cryptographic operations
Encryption; Decryption; Signing; Time Stamping; Hashing

SafeNet Confidential and Proprietary

Hardware Security Modules Features


HSMs device can be a PCI card or a network attached
HSM (appliance)
Can be analogous to a safe
Purpose Isolate Keys from Application/Data
Provide main 2 Functions: Crypto storage and high
performance processing (Application Acceleration)
Certified hardware FIPS/CC

SafeNet Confidential and Proprietary

Hardware Security Modules Features


Strong 2-factor role-based authentication for administrator
access
Auditing and Reporting
Wide range of SDKs/Toolkits for flexible integration is
provided
Load Balancing/High Availability
Secure backup and restore

SafeNet Confidential and Proprietary

Hardware Security Modules Integration


HSMs always integrated with application on same server or
network attached
Application communicates with keys stored in HSM usually via a
client. The keys are always stored by default in the hardware HSM.
HSM Usage:
PKI Key storage for CAs signing of Digital Certificates
EFT Retail and Banking (PIN processing for Credit/Debit Cards at
ATMs or Point of Sale, Smart Card issuance). PCI DSS requirements
Customised Applications document signing, time stamping,
ePassport projects, DNSSEC

SafeNet Confidential and Proprietary

Protect Server

SafeNet Confidential and Proprietary

ProtectServer
General Purpose or Developer HSM
Very Flexible no Cryptographic limitations
Commonly used for applications such as:
Document Signing, TimeStamping, ID Cards, ePassports
Can run non-Standard Applications & Specialist
Applications (Customised Code)
Normally used by customers with development skills
(possibly using Professional Services)

SafeNet Confidential and Proprietary

ProtectServer HSM Product Range

ProtectServer Gold
(PCI-X)

ProtectServer Internal-Express
(PCI express x4)

ProtectServer External
Network-Attached
SafeNet Confidential and Proprietary

10

Protect Server HSMs


Protect Server Gold/Protect Server Internal-Express
General purpose PCI/Express HSM for:
PKCS#11 apps
Microsoft apps
Java apps
Executing secure PKCS#11 app (C Code) - with FM
EFT - with FM
3 performance modes: 25, 220 or 600 signing/second
(RSA1024)
Protect Server External
Protect Server (Gold) in Network-attached chassis
3 performance modes: 25, 220 or 600 signing/second
(RSA1024)

SafeNet Confidential and Proprietary

11

Protect Server About Inside


Cost effective, FIPS validated, flexible general purpose
HSM
Support for custom applications
Hardware emulation
Functionality Module support
GUI tools for basic key management
Rich Application Support (PKI, Card Issuing, ...)
Flexible Security Model provided by set of toolkits
(This will not always appeal to some customers who want
the more rigid security of the Luna)

SafeNet Confidential and Proprietary

12

Protect Server About Inside


Smartcard backup for cryptographic objects
(Convenient, not as secure as the Luna Backup device)
Relatively low-cost
Integrated with most applications that utilize the
PKCS#11, Java or Microsoft CSP APIs.

SafeNet Confidential and Proprietary

13

Protect Server Features


4MB Secure Memory for crypto objects. Separate Flash
memory (2MB limit) reserved for Functionality Module
(FM) Code
WLD Work Load Distribution (multiple HSMs working
together no automatic replication)
Serial connections for:
SmartCard Readers for Backup/Restore (orderable)
PIN Pads for direct input of Key Components
(orderable)
Other devices (e.g. Printers for direct printing of PIN
mailers)
SafeNet Confidential and Proprietary

14

Protect Server Features


The HSM includes high-speed DES and RSA hardware
acceleration as well as generic security processing.
Secure key storage is included in form of persistent,
tamper resistant CMOS storage.
True random number generation

SafeNet Confidential and Proprietary

15

Protect Server API support


Support for Windows, Linux, Solaris, IBM/HP UNIX
API / Standard Crypto Interfaces

ToolKit Name

PKCS#11 (Cryptoki)

ProtectToolkit C (PTKC)

Microsoft CAPI/CNG

ProtectToolkit M (PTKM)

Java JCA/JCE

ProtectToolkit J

(PTKJ)

Java Cryptographic Architecture /


Cryptographic Extension

Functionality Modules (FM):


Build and Load Custom App on HSM

ProtectProcessing Toolkit

FM capabilities on Protect Server are used by customers with strong development


skills (possibly using Professional Services)
More on Protect Processing Toolkit:
Software Development Kit (SDK) for Functional Module development
Host Development Kit (HDK) for Host Messaging interface to the FM
OpenSSL engine and ProtectToolkit EFT
SafeNet Confidential and Proprietary

16

ProtectServer HSM Application Categories


Electronic Funds Transfer
Retail/Consumer-initiated transactions
ATM
EFT/PoS
Internet banking
Phone banking
Mobile (phone) banking
Interbank / Wholesale Banking
Clearing & Settlement Systems (national)
SWIFT (International)

SafeNet Confidential and Proprietary

17

ProtectServer HSM Application Categories


General purpose Cryptographic Operations
Card Management Systems
Data Prep / Card Personalization
Branch Networks
B2C and B2B eCommerce
PKI / Certification Authorities
Web Servers SSL acceleration
Web Servers Internet Shopping
Payment Gateways
Customer Database Protection Credit Card Numbers

SafeNet Confidential and Proprietary

18

ProtectServer HSM Application Categories


General purpose Cryptographic Operations
Miscellaneous
Time Stamping / Notary Services
Electronic Toll Systems
Lottery / Gambling / Gaming Systems
PayTV / DRM / Digital Content Distribution
API-based

SafeNet Confidential and Proprietary

19

Thank You!

SafeNet Confidential and Proprietary