ASI-HSM Lightning our Black Box

Presentation transcript:

ASI-HSM Lightning our Black Box
Roberto Gallo <gallo@kryptus.com>
CEO, KRYPTUS

Presentation Agenda
- ASI: Partners and Projects
- Historical Motivations
- Project Objectives
- Device Development Status
- Device Architecture
- Device Features
- Future Work and Plans
- Questions

ASI: Partners and Projects
- ASI stands for Advanced Security Initiative
- Group is formed by three Brazilian members:
  - KRYPTUS – Private R&D information security company
  - UFSC – Santa Catarina Federal University
  - RNP – National Education and Research Network
- ASI mission is to enable mass use of PKIs in the following markets:
  - Academia
  - Brazilian Government

RNP
- National Education and Research Network - RNP
- Operates the Brazilian academic backbone
- Also used by other federal organizations
- Maintains its own links to US
- Associated with the Ministry of Science and Technology
- Promotes the development and testing of advanced networking applications
- Cooperative efforts with other South American Nations

LabSEC/UFSC
- Computer Security Lab at Santa Catarina Federal University
- Excellence center for R&D on Information Security
- 5 professors, 20 grad and undergrad students
- Current projects include: Brazilian Government PKI HSM: Temporal Authority, Net HSM, Safe Code Execution, Time Sync, etc
- Main partners include Brazilian Government and Brazilian Universities

KRYPTUS
- Privately owned R&D company
- Spin-off from LSC-IC-UNICAMP
- Established in 2003
- Mission: Enable customer’s information protection through custom technology
- Main markets and customers:
  - Government: Intelligence, Defense…
  - Academia: R&D institutions, Universities
  - Corporations

History and Motivations
- In 2003, PKI was identified as a key technology by a pool of Brazilian universities
- UFSC, UNICAMP, and UFMG submitted the ICP-EDU project proposal to RNP for PKI R&D
- RNP, as a Brazilian academic technology supporter, approved and funded ICP-EDU
- Although successful, the perception was that HSM prices were prohibitive for academic use

History and Motivations (II)
- That pool then proposed the development of an HSM to RNP, and RNP granted it
- To develop a CA-capable full featured HSM
  - Full support to key management and lifecycle
  - Logical sys: FIPS 140-2 level 3 compatible
  - Physical sys: should be FIPS 140-2 level 2/3
  - Device should be an Ethernet appliance
  - Device should be priced at most as a high-end desktop PC (~ $2.500)

History and Motivations (III)
- All life-cycle and key management software would be developed by LabSEC@UFSC
- HSM custom hardware, if any, would be developed under a contract based on the pool specifications
- That specification would allow for further R&D that commercial devices would not enable
- But there were only about $20K for that…

History and Motivations (IV)
- KRYPTUS accepted the challenge, on a joint venture basis
- In 2005, the work began on the HSM hardware development
- By May 2006, first version was ready for testing… but with many issues
  - Heating, low MTBF, low uptime… hard times
- Device underwent a deep architecture change
- All problems solved, but one more year of development

ASI-HSM Development Status
- All systems are fully functional
  - Hardware, Firmware, and Software
- Devices in operation as CAs in about 10 sites
  - Under the RNP ICP-EDU initiative (+6 in March)
- Present work:
  - Unified documentation for certification
  - Improving manufacturing process (too slow)
  - Housing and interface beautification

ASI-HSM Architecture
- Composed of two main Units within the crypto perimeter:
  - UG – Management and Crypto Unit
  - US – Security Unit
- UG hardware runs the key lifecycle management software (KFMS, aka OpenHSM) and crypto
  - Hardware based on ULP x86 processor
  - OS based on stripped down FreeBSD
  - KFMS specification is OPEN and presented in many congresses and workshops

Open HSM

ASI-HSM Architecture (II)
- US handles security features:
  - Monitors about 40 different sensors
  - Based on read values, warns or detects attacks
  - On invasion detection, zeroes all wrapping keys
- In addition US:
  - Has up to 4 high quality TRNGs
  - Maintains an ultra stable RTC (2ppm stability)
  - Logs every odd physical condition

ASI-HSM Architecture (III)
- Sensors depend on customer needs, but default:
  - Voltage and power supply quality monitors
  - Temperature sensors
  - Light sensors
  - Invasion sensors based on complex impedance
- Physical Protection based on:
  - Multi-layer heavy duty resins
  - EMI cage
  - Externally tamper evident box and labels
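
The warn / detect / zeroize behaviour that the two Security Unit slides describe, sketched in C as an added example (not ASI-HSM firmware; the sensor name, thresholds, key sizes and every function name are assumptions). It wipes the wrapping keys before logging and uses volatile writes so the compiler cannot optimize the wipe away.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical names, thresholds and sizes; not taken from ASI-HSM firmware. */
enum verdict { READING_OK, READING_WARN, READING_ATTACK };
struct sensor { const char *name; int warn_lo, warn_hi, attack_lo, attack_hi; };
struct event  { const char *sensor; int value; enum verdict verdict; };
struct security_unit {
    uint8_t wrap_keys[2][32];   /* keys that wrap every other stored key */
    struct event log[16];       /* "logs every odd physical condition" */
    int zeroized; size_t log_len;
};

/* Volatile writes keep the compiler from dropping the wipe as a dead store. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *b = p;
    while (n--) *b++ = 0;
}

/* Process one reading: wipe first on attack, then record anything abnormal. */
enum verdict su_process(struct security_unit *su, const struct sensor *s, int value) {
    enum verdict v = READING_OK;
    if (value < s->attack_lo || value > s->attack_hi) v = READING_ATTACK;
    else if (value < s->warn_lo || value > s->warn_hi) v = READING_WARN;
    if (v == READING_ATTACK && !su->zeroized) {
        secure_zero(su->wrap_keys, sizeof su->wrap_keys);
        su->zeroized = 1;
    }
    if (v != READING_OK && su->log_len < 16)   /* a full log drops new events */
        su->log[su->log_len++] = (struct event){ s->name, value, v };
    return v;
}

/* Returns 1 when every wrapping-key byte is zero. */
int su_keys_wiped(const struct security_unit *su) {
    const uint8_t *k = (const uint8_t *)su->wrap_keys;
    for (size_t i = 0; i < sizeof su->wrap_keys; i++)
        if (k[i]) return 0;
    return 1;
}

/* Constructed scenario (temperature, degrees C). Returns events logged, or -1. */
int demo(void) {
    static const struct sensor temp = { "temp", 5, 60, -10, 85 };
    struct security_unit su;
    memset(&su, 0, sizeof su);
    memset(su.wrap_keys, 0xA5, sizeof su.wrap_keys);   /* stand-in key material */
    if (su_process(&su, &temp, 25) != READING_OK || su.log_len != 0) return -1;
    if (su_process(&su, &temp, 70) != READING_WARN || su_keys_wiped(&su)) return -1;
    if (su_process(&su, &temp, 120) != READING_ATTACK || !su_keys_wiped(&su)) return -1;
    return (int)su.log_len;
}
```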

HSM Current Model

ASI-HSM Features
- Full key lifecycle and management system
- CA enabled
- KLMS specification is open and published in many workshops (NIST IDTrust 2008)
- Open backup format
  - On hardware change, no key change – certificate reissuing is easy and cheaper
- What if your vendor goes bankrupt? With ASI no problem

ASI-HSM Features (II)
- Two main software components
  - OpenSSL compatible engine (FIPS and standard versions), for crypto operations
  - Mngt. interface, for operation, adm, and audit
- Key lifecycle (generation, backup, revocation)
- Complete auditing trace (preserved on backup)
- Enable key usage (by time, by # uses)
- Java client or C library
- X509v3 Compatible

ASI-HSM Features and Models
Feature/Model: ASI-EDU | ASI-PRO | ASI-Enterprise
OpenSSL interface: Linux, FreeBSD | *NIX, FreeBSD | *NIX, FreeBSD, Win
Support: Doc, community | + e-mail | + phone
Setup: On-site
Warranty: 3 months, up to 20 days replacement | 1 year, 5 day replacement | 2 years, 24 hour replacement
RTC deviation: 10 ppm, 2 ppm opt | 2 ppm | 2 ppm max
ICP-Brasil compatible: Yes
FIPS 140-2 level 3: Compatible, not certified
RSA key sizes: 512 to 8192 bits | 512 to 8182 bits
RSA1024 performance: 33 signs/second | 50 signs/second

Pricing and Availability
- Production on demand
- About 45 days lead time
- Pricing in your country? Call us

Future Work and Plans
- Certificate for ICP-Brasil (Brazilian Gov PKI)
- If sales volume is sufficient, FIPS 140
- Performance enhancement
  - Target is +100 RSA1024 signs/second
- Reduce production costs (human, material)
  - Integrate subsystems through a full custom ASIC
- PKCS#11 interface and CAPI provider

Thank you! Questions?

Other KRYPTUS Products
- CompactHSM
  - Intended for payment systems
  - PKCS#11 enabled (RSA, DES/TDES, AES, MD5, SHAs)
  - High quality RTC (2 ppm), TRNG
- KeyGuardian Crypto Token
  - TRNG
  - RSA key sizes from 512 to 4096 bits

Other Relevant Information
- ASI-HSM is made only from off the shelf components
- With appropriate procedures, user applications can run inside the device
  - Up to 7GB SSD
  - Up to 128 MB RAM
- Connectivity
  - 1 or 2 USB ports
  - 1 RS232 port
  - 100Mbps Ethernet