1 HSM Overview for Grid Computing Dave Madden, Business Development Safenet Inc.


1 HSM Overview for Grid Computing
Dave Madden, Business Development, SafeNet Inc.

2 The Foundation of Information Security
- Encryption experts with a 25-year history of hardware security protection for: communications; intellectual property rights; data and identities
- Global company with local service: headquartered in Maryland, USA; regional headquarters in Camberley, UK and Hong Kong; 30+ offices located in more than 20 countries
- Encryption technology heritage: 43 patents issued, 31 patents pending; the majority of the leading security vendors embed SafeNet's technology in their offerings
- Fastest growing networking company – not necessarily supported by SafeNet

3 PKI Overview
- What is a Digital ID?
- What is a PKI?
- What is an HSM?
- How are these used?

4 What is a Digital Identity?
- An asymmetric key pair assigned to a particular individual
- Implemented using a digital certificate, which contains information about you (name etc.) plus your public key
- The certificate is digitally signed by a trusted source (the CA); it's like issuing a digital passport
- Therefore the keys are what is important to protect, not the locks!
How do you use your digital identity?
- Use your private key to digitally sign documents
- Others verify your signature with the public key on your certificate
(Diagram: certificate "John Smith, Certified & Signed by: CA", with the private key held by John and the public key carried in the certificate)

5 What is a PKI?
- A Public Key Infrastructure (PKI) is a system to deploy and manage digital identities
- Issue digital identities
- Revoke digital identities
- Publish public keys via directories
(Diagram: several certificates "John Smith, Certified by: CA")

6 What is a Hardware Security Module (HSM)?
- Security: a device to keep private keys close to your chest
- Performance: accelerate encryption operations to eliminate bottlenecks
- Audit: provides a clear audit trail for all key material: SAS 70 / SOX / PCI / HIPAA / HSPD-12 etc.
- Wide range of security, performance, scalability and price: smart card/USB (client security); PCMCIA/PCI (mid-security); rack-mount appliance (high-security)

7 How are Digital IDs, PKI and HSMs Used?
(Diagram: a Root Certificate Authority issues Sub-CA certificates to Subordinate CAs; certificates are issued over the Internet to suppliers, partners, contractors, customers and employees; uses include B2B signed RFPs, system access, and back-end systems and databases)
- Salomon Smith Barney concluded that over 80% of Fortune 500 companies using PKI used SafeNet HSMs to protect their root key

8 Types of HSMs
- Embedded HSMs
- Network HSMs
- Application Security Modules

9 Embedded HSMs
- FIPS level 2 or 3
- Acceleration from 10s to 1000s of signatures/sec*
- Standard APIs: PKCS#11, CAPI, OpenSSL, JCE/JCA
- PCMCIA: removable cartridge
- PCI: permanently installed
* asymmetric encryptions/second using the industry-standard 1024-bit RSA algorithm

10 Network HSMs
- Same cryptographic functionality as embedded HSMs
- One HSM can be shared by multiple application servers over the network
- Keys are stored and managed centrally
- Reduced hardware and operations costs
(Diagram: application servers reach the network HSM through standard interfaces: PKCS#11, MS-CAPI, OpenSSL, Java JCE/JCA)

11 Application Security Modules
- Protects encryption keys with an onboard HSM
- Also protects the application code that uses the keys
- Programmable custom interfaces, e.g. HTML, XML
- Creates sealed transaction appliances that integrate application code with cryptographic operations
- More secure and easier to deploy
(Diagram: application code behind a programmable interface: HTML, XML, other)

12 What is a High Assurance HSM?
- Keys always in hardware
- True trusted path authentication
- Premium certifications

13 SafeNet Advantage: 3 Layers of Hardware Security
1. 3DES key encryption
2. Multi-person, two-factor access control
3. Tamper-resistant hardware
- Software cannot meet audit requirements for protecting vital corporate root keys
- Hardware-secured key lifecycle: creation, storage, distribution, usage, destruction

14 Luna Advantage: Multi-Person Authenticated Access
(Diagram of escalating authentication levels: password; 2-factor authentication; 2-factor authentication + password; multi-person authentication, shown as several 2-factor tokens + password)

15 PC Keyboard is not a Trusted Path
(Before/after pictures)
- Keyboard sniffer costs about $100
- Installs in about 10 seconds
- Is electronically undetectable
- Records 65,000 keystrokes

16 HSM Certifications
- NIST FIPS certificates, see: 1/1401vend.htm (URL truncated in the transcript)
- Certificates include: 8, 29, 38, 39, 56, 57, 58, 168, 173, 214, 215, 216, 217, 218, 220, 270, 375, 436
- Domus is our certification laboratory for FIPS certifications
- Common Criteria EAL 4+ certificate, see: u=9&orderindex=1&showcatagories=-33 (URL truncated in the transcript)
- Electronic Warfare Associates (EWA) Canada was the certification body for Common Criteria
- Digital Signature Law validation

17 How are HSMs Used for PKI?
- Protect root keys
- Issue keys to sub-CAs, servers and users
- Sign transactions
- Offload crypto operations
A few real-world examples…

18 HSMs: High Availability and Disaster Recovery
(Diagram: the PKI CA has an operational site and a disaster-recovery site, each with an online hot-standby HSM and a physical backup)

19 Securing Banking Transactions
(Diagram)
- Large banks: financial transaction infrastructure (payments & cash management, treasury & derivatives, trade services, pre-settlement/trade, clearing services, custody services) protected by a SafeNet HSM
- Small banks: applications, directory, certificate authority, key management and SSL acceleration on a FIPS-certified SafeNet HSM
- Access control via 2- or 3-factor authentication

20 Example: Manufacturing with PKI – IP Phones
(Diagram: Manufacturing CA with Luna HSM, and an IP phone)
1. The IP phone requests a certificate from the manufacturing certificate authority.
2. The certificate authority generates a new certificate, which the Luna HSM signs with the root key.
3. The certificate is sent to the IP phone.
4. The IP phone now has a unique digital identity that is stamped into the phone by Cisco.
(Diagram footer: Revised 5/9/2007, SafeNet, Inc.)
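The four-step issuance flow on this slide, together with the sign-with-your-private-key / verify-with-the-certificate use from slide 4, as an added Go example (not code from the presentation or from SafeNet): the CA's root key is an in-memory P-256 key standing in for the HSM-held key, supplied through Go's crypto.Signer interface, which is also how an HSM-backed key would be plugged in; the CA name, device serial, certificate serials and lifetimes are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// check aborts on setup failures (key generation, DER encoding) a demo cannot handle.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newRootCA builds the manufacturing CA's self-signed root (constructed demo name and
// lifetime). The returned crypto.Signer stands in for the root key in the Luna HSM; in
// production it is backed by the device (e.g. via PKCS#11) so the key never leaves it.
func newRootCA() (*x509.Certificate, crypto.Signer) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumption: in-memory key
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Manufacturing Root CA"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issue is step 2: verify the CSR's self-signature (proof of possession of the
// private key), then sign a device certificate with the root key via the signer.
func issue(caCert *x509.Certificate, caKey crypto.Signer, csrDER []byte, serial int64) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(5, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// verifyDevice is the relying party's side: chain the device certificate to the
// trusted root, then verify msg's signature with the public key the certificate carries.
func verifyDevice(certDER []byte, root *x509.Certificate, msg, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig)
}

// enrollAndSign runs steps 1-4 for one phone and returns the verification results for
// a genuine message and for a tampered one (expected: nil and non-nil).
func enrollAndSign() (genuine, tampered error) {
	caCert, caKey := newRootCA()
	// Step 1: the phone generates its own key pair and sends the CA only a CSR.
	phoneKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "phone-serial-0001"}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, phoneKey)
	check(err)
	certDER, err := issue(caCert, caKey, csrDER, 1001) // steps 2-3: cert returned to phone
	check(err)
	// Step 4: the phone signs with its own private key (constructed message).
	msg := []byte("register phone-serial-0001")
	digest := sha256.Sum256(msg)
	sig, err := phoneKey.Sign(rand.Reader, digest[:], crypto.SHA256)
	check(err)
	genuine = verifyDevice(certDER, caCert, msg, sig)
	tampered = verifyDevice(certDER, caCert, []byte("register phone-serial-0002"), sig)
	return genuine, tampered
}
```

The point to take from the shape of the code: the only thing the CA needs from its root key is the crypto.Signer interface, so swapping the in-memory key for an HSM-backed signer changes nothing else in the issuance path, and the phone's private key likewise never appears in the CSR or the certificate; the relying party trusts only the root it pins in the CertPool.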

21 Toolkits
- Write your own applications and load them directly onto the device: secure sensitive code, or place applications in untrusted environments
- Early-stage development all in software: Windows, Solaris, Linux, HP-UX, AIX
- Networked to single or multiple devices
- APIs: PKCS#11, Java, CAPI, OpenSSL, custom, XML/WSDL, payments
- 3rd-party or customer-developed host application
(Diagram: smart card, SSM)

22 What to look for in an HSM?
- Certified by standards bodies
- Performance
- Level of security
- Auditability
- Ease of integration
- Ease of management
- Flexibility in use
- Scalability (multiple partitions)
- High availability & disaster recovery
- Keys always in hardware

23 Best Practices for Hardware Security Modules
1. Hardware-secured key generation
2. Hardware-secured key storage
3. Hardware-secured key backup
4. Hardware-secured digital signing
5. PKI-authenticated software
6. Controlled physical access
7. Host-independent 2-factor authentication
8. Enforced operational roles
9. Independent audit
10. FIPS & Common Criteria validation

24 SafeNet – Strongest HSM Offering
- Global and stable organization: 25 years in security
- Broadest HSM product suite, from USB to network-attached
- Best toolkit offering, featuring: well-documented APIs (OpenSSL, XML, PKCS#11, Java, CAPI); a software-emulation HSM for development; PPO and Java environments to host and secure code as well as keys
- Global F1000 trust SafeNet HSMs to: secure their 3rd-party applications; develop their own security applications on; deploy in-house and in untrusted environments

25 Contact Details
Dave Madden, Business Development, SafeNet Inc.
