
ASI-HSM Lightning our Black Box


1 ASI-HSM Lightning our Black Box
Roberto Gallo CEO KRYPTUS

2 Presentation Agenda
- ASI: Partners and Projects
- Historical Motivations
- Project Objectives
- Device Development Status
- Device Architecture
- Device Features
- Future Work and Plans
- Questions

3 ASI: Partners and Projects
- ASI stands for Advanced Security Initiative
- Group is formed by three Brazilian members:
  - KRYPTUS – Private R&D information security company
  - UFSC – Santa Catarina Federal University
  - RNP – National Education and Research Network
- ASI mission is to enable mass use of PKIs in the following markets:
  - Academia
  - Brazilian Government

4 RNP
- National Education and Research Network - RNP
- Operates the Brazilian academic backbone
- Also used by other federal organizations
- Maintains its own links to US
- Associated with the Ministry of Science and Technology
- Promotes the development and testing of advanced networking applications
- Cooperative efforts with other South American Nations

5 LabSEC/UFSC
- Computer Security Lab at Santa Catarina Federal University
- Excellence center for R&D on Information Security
- 5 professors, 20 grad and undergrad students
- Current projects include:
  - Brazilian Government PKI
  - HSM: Temporal Authority, Net HSM, Safe Code Execution, Time Sync, etc
- Main partners include Brazilian Government and Brazilian Universities

6 KRYPTUS
- Privately owned R&D company
- Spin-off from LSC-IC-UNICAMP
- Established in 2003
- Mission: Enable customer’s information protection through custom technology
- Main markets and customers:
  - Government: Intelligence, Defense…
  - Academia: R&D institutions, Universities
  - Corporations

7 History and Motivations
- In 2003, PKI was identified as a key technology by a pool of Brazilian universities
- UFSC, UNICAMP, and UFMG submitted the ICP-EDU project proposal to RNP for PKI R&D
- RNP, as a Brazilian academic technology supporter, approved and funded ICP-EDU
- Although successful, perception was that HSM prices were prohibitive for academic use

8 History and Motivations (II)
- That pool then proposed the development of an HSM to RNP, and RNP granted it
- To develop a CA-capable full featured HSM
- Full support to key management and lifecycle
- Logical sys: FIPS level 3 compatible
- Physical sys: should be FIPS level 2/3
- Device should be an Ethernet appliance
- Device should be priced at most as a high-end desktop PC (~ $2.500)

9 History and Motivations (III)
- All life-cycle and key management software would be developed by
- HSM custom hardware, if any, would be developed under a contract based on the pool specifications
- That specification would allow for further R&D that commercial devices would not enable
- But there were only about $20K for that…

10 History and Motivations (IV)
- KRYPTUS accepted the challenge, on a joint venture basis
- In 2005, the work began on the HSM hardware development
- By May 2006, first version was ready for testing… but with many issues
- Heating, low MTBF, low uptime… hard times
- Device underwent a deep architecture change
- All problems solved, but one more year of development

11 ASI-HSM Development Status
- All systems are fully functional
  - Hardware, Firmware, and Software
- Devices in operation as CAs in about 10 sites
  - Under the RNP ICP-EDU initiative (+6 in March)
- Present work:
  - Unified documentation for certification
  - Improving manufacturing process (too slow)
  - Housing and interface beautification

12 ASI-HSM Architecture
- Composed of two main Units under crypto perimeter:
  - UG – Management and Crypto Unit
  - US – Security Unit
- UG hardware runs the key lifecycle management software (KFMS, aka OpenHSM) and crypto
- Hardware based on ULP x86 processor
- OS based on stripped down FreeBSD
- KFMS specification is OPEN and presented in many congresses and workshops

13 Open HSM

14 ASI-HSM Architecture (II)
- US handles security features:
  - Monitors about 40 different sensors
  - Based on read values, warns or detects attacks
  - On invasion detection, zeroes all wrapping keys
- In addition US:
  - Has up to 4 high quality TRNGs
  - Maintains an ultra stable RTC (2ppm stability)
  - Logs every odd physical condition

15 ASI-HSM Architecture (III)
- Sensors depend on customer needs, but default:
  - Voltage and power supply quality monitors
  - Temperature sensors
  - Light sensors
  - Invasion sensors based on complex impedance
- Physical Protection based on:
  - Multi-layer heavy duty resins
  - EMI cage
  - Externally tamper evident box and labels

16 HSM Current Model

17 ASI-HSM Features
- Full key lifecycle and management system
- CA enabled
- KLMS specification is open and published in many workshops (NIST IDTrust 2008)
- Open backup format
- On hardware change, no key change – certificate reissuing is easy and cheaper
- What if your vendor goes bankrupt? With ASI no problem

18 ASI-HSM Features (II)
- Two main software components
  - OpenSSL compatible engine (FIPS and standard versions), for crypto operations
  - Mngt. interface, for operation, adm, and audit
- Key lifecycle (generation, backup, revocation)
- Complete auditing trace (preserved on backup)
- Enable key usage (by time, by # uses)
- Java client or C library
- X509v3 Compatible

19 ASI-HSM Features and Models
Feature/Model: ASI-EDU | ASI-PRO | ASI-Enterprise
OpenSSL interface: Linux, FreeBSD | *NIX, FreeBSD | *NIX, FreeBSD, Win
Support: Doc, community | + | + phone
Setup: On-site
Warranty: 3 months, up to 20 days replacement | 1 year, 5 day replacement | 2 years, 24 hour replacement
RTC deviation: 10 ppm, 2 ppm opt | 2 ppm | 2 ppm max
ICP-Brasil compatible: Yes
FIPS level 3: Compatible, not certified
RSA key sizes: 512 to 8192 bits | 512 to 8182 bits
RSA1024 performance: 33 signs/second | 50 signs/second

20 Pricing and Availability
- Production on demand
- About 45 days lead time
- Pricing in your country? Call us

21 Future Work and Plans
- Certificate for ICP-Brasil (Brazilian Gov PKI)
- If enough selling volume, FIPS 140
- Performance enhancement
  - Target is +100 RSA1024 signs/second
- Reduce production costs (human, material)
- Integrate subsystems through a full custom ASIC
- PKCS#11 interface and CAPI provider

22 Thank you! Questions?

23 Other KRYPTUS Products
- CompactHSM
  - Intended for payment systems
  - PKCS#11 enabled (RSA, DES/TDES, AES, MD5, SHAs)
  - High quality RTC (2 ppm), TRNG
- KeyGuardian Crypto Token
  - TRNG
  - RSA key sizes from 512 to 4096 bits

24 Other Relevant Information
- ASI-HSM is made only from off the shelf components
- With appropriate procedures, user applications can run inside the device
  - Up to 7GB SSD
  - Up to 128 MB RAM
- Connectivity
  - 1 or 2 USB ports
  - 1 RS232 port
  - 100Mbps Ethernet
