ASI-HSM Lightning our Black Box Roberto Gallo <gallo@kryptus.com> CEO KRYPTUS
Presentation Agenda ASI: Partners and Projects Historical Motivations Project Objectives Device Development Status Device Architecture Device Features Future Work and Plans Questions
ASI: Partners and Projects ASI stands for Advanced Security Initiative Group is formed by three Brazilian members: KRYPTUS – Private R&D information security company UFSC – Santa Catarina Federal University RNP – National Education and Research Network ASI mission is to enable mass use of PKIs in the following markets: Academia Brazilian Government
RNP National Education and Research Network - RNP Operates the Brazilian academic backbone Also used by other federal organizations Maintains its own links to US Associated to the Ministry of Science and Technology Promotes the development and testing of advanced networking applications Cooperative efforts with other South American Nations
LabSEC/UFSC Computer Security Lab at Santa Catarina Federal University Excellence center for R&D on Information Security 5 professors, 20 grad and undergrads students Current projects include: Brazilian Government PKI HSM: Temporal Authority, Net HSM, Safe Code Execution, Time Sync, etc Main partners include Brazilian Government and Brazilian Universities
KRYPTUS Private owned R&D company Spin-off from LSC-IC-UNICAMP Established in 2003 Mission: Enable customer’s information protection through custom technology Main markets and customers: Government: Intelligence, Defense… Academia: R&D institutions, Universities Corporations
History and Motivations In 2003, PKI was identified as a key technology by a pool of Brazilian universities UFSC, UNICAMP, and UFMG submited the ICP-EDU project proposal to RNP for PKI R&D RNP, as a Brazilian academic technology supporter, approved and funded ICP-EDU. Although successful, perception was that HSM prices were impeditive for academic use
History and Motivations (II) That pool then proposed the development of an HSM to RNP, and RNP granted it To develop a CA-capable full featured HSM Full support to key management and lifecycle Logical sys: FIPS 140-2 level 3 compatible Physical sys: should be FIPS 140-2 level 2/3 Device should be an Ethernet appliance Device should be priced at most as a high-end desktop PC (~ $2.500)
History and Motivations (III) All life-cycle and key management software would be developed by LabSEC@UFSC HSM custom hardware, if any, would be developed under a contract based on the pool specifications That specification would allow for further R&D that commercial devices would not enable But there were only about $20K for that…
History and Motivations (IV) KRYPTUS accepted the challenge, based on a joint venture basis In 2005, the work began on the HSM hardware development By May 2006, first version was ready for testing… but with many issues Heating, low MTBF, low uptime… hard times Device suffered a deep architecture change All problems solved, but one more year of development
ASI-HSM Development Status All systems are fully functional Hardware, Firmware, and Software Devices in operation as CAs in about 10 sites Under the RNP ICP-EDU initiative (+6 in March) Present work: Unified documentation for certification Improving manufacturing process (too slow) Housing and interface beautify
ASI-HSM Architecture Composed by two main Units under crypto perimeter: UG – Management and Crypto Unit US – Security Unit UG hardware runs the key lifecycle management software (KFMS, aka OpenHSM) and crypto Hardware based on ULP x86 processor OS based on striped down FreeBSD KFMS specification is OPEN and presented in many congresses and workshops
Open HSM
ASI-HSM Architecture (II) US handles security features: Monitors about 40 different sensors Based on read values, warns or detect attacks On invasion detection, zeroes all wrapping keys In addition US: Has up to 4 high quality TRNGs Maintains an ultra stable RTC (2ppm stability) Logs every odd physical condition
ASI-HSM Architecture (III) Sensors depends on customer needs, but default: Voltage and power supply quality monitors Temperature sensors Light sensors Invasion sensors based on complex impedance Physical Protection based on: Multi-layer heavy duty resins EMI cage Externally tamper evident box and labels
HSM Current Model
ASI-HSM Features Full key lifecycle and management system CA enabled KLMS specification is open and published in many workshops (NIST IDTrust 2008) Open backup format On hardware change, no key change – certificate reissuing is easy and cheaper What if your vendor goes bankrupt? With ASI no problem
ASI-HSM Features (II) Two main software components OpenSSL compatible engine (FIPS and standard versions), for crypto operations Mngt. interface, for operation, adm, and audit Key lifecycle (generation, backup, revocation) Complete auditing trace (preserved on backup) Enable key usage (by time, by # uses) Java client or C library X509v3 Compatible
ASI-HSM Features and Models Feature/Model ASI-EDU ASI-PRO ASI-Enterprise OpenSSL interface Linux, FreeBSD *NIX, FreeBSD *NIX, FreeBSD, Win Support Doc, community + e-mail + phone Setup On-site Warranty 3 months, up to 20 days replacement 1 year, 5 day replacement 2 years, 24 hour replacement RTC deviation 10 ppm, 2 ppm opt 2 ppm 2 ppm max ICP-Brasil compatible Yes FIPS 140-2 level 3 Compatible, not certified RSA key sizes 512 to 8192 bits 512 to 8182 bits RSA1024 performance 33 signs/second 50 signs/second
Pricing and Availability Production on demand About 45 days lead time Pricing on your country? Call us
Future Work and Plans Certificate for ICP-Brasil (Brazilian Gov PKI) If enough selling volume, FIPS 140 Performance enhancement Target is +100 RSA1024 signs/second Reduce production costs (human, material) Integrate subsystems trough a full custom ASIC PKCS#11 interface and CAPI provider
Thank you! Questions?
Other KRYPTUS Products CompactHSM Intended for payment systems PKCS#11 enabled (RSA, DES/TDES, AES, MD5, SHAs) High quality RTC (2 ppm), TRNG KeyGuardian Crypto Token TRNG RSA key sizes from 512 to 4096 bits
Other Relevant Information ASI-HSM is made only from off the shelf components With appropriated procedures, user applications can run in inside the device Up to 7GB SSD Up to 128 MB RAM Connectivity 1 or 2 USB ports 1 RS232 port 100Mbps Ethernet