Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASI ASI -HSM Lightning our Black Box Roberto Gallo CEO KRYPTUS.

Similar presentations

Presentation on theme: "ASI ASI -HSM Lightning our Black Box Roberto Gallo CEO KRYPTUS."— Presentation transcript:

1 ASI ASI -HSM Lightning our Black Box Roberto Gallo CEO KRYPTUS

2 Presentation Agenda ASI: Partners and Projects Historical Motivations Project Objectives Device Development Status Device Architecture Device Features Future Work and Plans Questions

3 ASI: Partners and Projects ASI stands for Advanced Security Initiative Group is formed by three Brazilian members: – KRYPTUS – Private R&D information security company – UFSC – Santa Catarina Federal University – RNP – National Education and Research Network ASI mission is to enable mass use of PKIs in the following markets: – Academia – Brazilian Government

4 RNP National Education and Research Network - RNP Operates the Brazilian academic backbone –Also used by other federal organizations Maintains its own links to US Associated to the Ministry of Science and Technology Promotes the development and testing of advanced networking applications Cooperative efforts with other South American Nations

5 LabSEC/UFSC Computer Security Lab at Santa Catarina Federal University Excellence center for R&D on Information Security 5 professors, 20 grad and undergrads students Current projects include: –Brazilian Government PKI –HSM: Temporal Authority, Net HSM, Safe Code Execution, Time Sync, etc Main partners include Brazilian Government and Brazilian Universities

6 KRYPTUS Private owned R&D company – Spin-off from LSC-IC-UNICAMP – Established in 2003 Mission: Enable customers information protection through custom technology Main markets and customers: – Government: Intelligence, Defense… – Academia: R&D institutions, Universities – Corporations

7 History and Motivations In 2003, PKI was identified as a key technology by a pool of Brazilian universities –UFSC, UNICAMP, and UFMG submited the ICP- EDU project proposal to RNP for PKI R&D RNP, as a Brazilian academic technology supporter, approved and funded ICP-EDU. Although successful, perception was that HSM prices were impeditive for academic use

8 History and Motivations (II) That pool then proposed the development of an HSM to RNP, and RNP granted it To develop a CA-capable full featured HSM –Full support to key management and lifecycle –Logical sys: FIPS level 3 compatible –Physical sys: should be FIPS level 2/3 –Device should be an Ethernet appliance Device should be priced at most as a high-end desktop PC (~ $2.500)

9 History and Motivations (III) All life-cycle and key management software would be developed by HSM custom hardware, if any, would be developed under a contract based on the pool specifications That specification would allow for further R&D that commercial devices would not enable But there were only about $20K for that…

10 History and Motivations (IV) KRYPTUS accepted the challenge, based on a joint venture basis In 2005, the work began on the HSM hardware development –By May 2006, first version was ready for testing… but with many issues Heating, low MTBF, low uptime… hard times –Device suffered a deep architecture change All problems solved, but one more year of development

11 ASI-HSM Development Status All systems are fully functional –Hardware, Firmware, and Software Devices in operation as CAs in about 10 sites –Under the RNP ICP-EDU initiative (+6 in March) Present work: –Unified documentation for certification –Improving manufacturing process (too slow) –Housing and interface beautify

12 ASI-HSM Architecture Composed by two main Units under crypto perimeter: – UG – Management and Crypto Unit – US – Security Unit UG hardware runs the key lifecycle management software (KFMS, aka OpenHSM) and crypto – Hardware based on ULP x86 processor – OS based on striped down FreeBSD – KFMS specification is OPEN and presented in many congresses and workshops

13 Open HSM

14 ASI-HSM Architecture (II) US handles security features: –Monitors about 40 different sensors –Based on read values, warns or detect attacks –On invasion detection, zeroes all wrapping keys In addition US: –Has up to 4 high quality TRNGs –Maintains an ultra stable RTC (2ppm stability) –Logs every odd physical condition

15 ASI-HSM Architecture (III) Sensors depends on customer needs, but default: – Voltage and power supply quality monitors – Temperature sensors – Light sensors – Invasion sensors based on complex impedance Physical Protection based on: – Multi-layer heavy duty resins – EMI cage – Externally tamper evident box and labels

16 HSM Current Model

17 ASI-HSM Features Full key lifecycle and management system –CA enabled KLMS specification is open and published in many workshops (NIST IDTrust 2008) Open backup format –On hardware change, no key change – certificate reissuing is easy and cheaper – What if your vendor goes bankrupt? With ASI no problem

18 ASI-HSM Features (II) Two main software components OpenSSL compatible engine (FIPS and standard versions), for crypto operations Mngt. interface, for operation, adm, and audit –Key lifecycle (generation, backup, revocation) –Complete auditing trace (preserved on backup) –Enable key usage (by time, by # uses) –Java client or C library X509v3 Compatible

19 ASI-HSM Features and Models Feature/ModelASI-EDUASI-PROASI-Enterprise OpenSSL interface Linux, FreeBSD*NIX, FreeBSD*NIX, FreeBSD, Win Support Doc, community+ + phone Setup On-site Warranty 3 months, up to 20 days replacement 1 year, 5 day replacement 2 years, 24 hour replacement RTC deviation 10 ppm, 2 ppm opt2 ppm2 ppm max ICP-Brasil compatible Yes FIPS level 3 Compatible, not certified RSA key sizes 512 to 8192 bits 512 to 8182 bits RSA1024 performance 33 signs/second 50 signs/second

20 Pricing and Availability Availability: –Production on demand –About 45 days lead time Pricing on your country? Call us

21 Future Work and Plans Certificate for ICP-Brasil (Brazilian Gov PKI) –If enough selling volume, FIPS 140 Performance enhancement –Target is +100 RSA1024 signs/second Reduce production costs (human, material) Integrate subsystems trough a full custom ASIC PKCS#11 interface and CAPI provider

22 Thank you! Questions?

23 Other KRYPTUS Products CompactHSM Intended for payment systems PKCS#11 enabled (RSA, DES/TDES, AES, MD5, SHAs) High quality RTC (2 ppm), TRNG KeyGuardian Crypto Token PKCS#11 enabled (RSA, DES/TDES, AES, MD5, SHAs) TRNG RSA key sizes from 512 to 4096 bits

24 Other Relevant Information ASI-HSM is made only from off the shelf components With appropriated procedures, user applications can run in inside the device –Up to 7GB SSD –Up to 128 MB RAM Connectivity –1 or 2 USB ports –1 RS232 port –100Mbps Ethernet

Download ppt "ASI ASI -HSM Lightning our Black Box Roberto Gallo CEO KRYPTUS."

Similar presentations

Ads by Google