HSM Overview for Grid Computing Dave Madden, Business Development Safenet Inc. 1
The Foundation of Information Security § Encryption experts with 25 year history of HARDWARE security protection for: § Communications § Intellectual Property Rights § Data and Identities § Global Company with Local Service § Headquartered in Maryland, USA § Regional headquarters in § § Camberley, UK § Hong Kong 30 + offices located in more than 20 counties § Encryption technology heritage § 43 patents issued, 31 patents pending § Majority of the leading security vendors embed § Safe. Net’s technology in their offerings Fastest Growing Networking Company – 2005 2 1. Not necessarily supported by Safe. Net
PKI Overview § What is a Digital ID? § What is a PKI? § What is an HSM? § How are these used? 3
What is a Digital Identity? § An asymmetric key pair assigned to a particular individual § Implemented using a digital certificate § Contains information about you…name etc. plus your public key § Certificate is digitally signed by a trusted source § It’s like issuing a digital passport § Therefore the keys are important to protect – not the locks! Private Key Public John Smith Key Certified & Signed by: John Smith § How do you use your digital identity? CA § Use your private key digitally sign documents § Others verify your signature with the public key on your certificate 4
What is a PKI? § A Public Key Infrastructure (PKI) is a system to deploy and manage digital identities § Issue digital identities § Revoke digital identities § Publish public keys via directories John Smith Certified by: CA 5
What is a Hardware Security Module (HSM)? § Security: A device to keep private keys “close to your chest” § Performance: Accelerate encryption operations to eliminate bottlenecks § Audit: Provides a clear audit trail for all key materials: SAS 70 / SOX / PCI / HIPPA / HSPD 12 etc. Wide range of Security, Performance, Scalability & Price Smart Card/USB Client security PCMCIA/PCI Mid-security Rack mount appliance High-security 6
How are Digital IDs, PKI and HSMs Used? Suppliers, Partners, Contractors Signed RFPs Customers, Employees Salomon Smith Barney concluded over 80% of Fortune 500 using PKI used Safe. Net HSMs to protect their root key B 2 B Internet Back-end Systems & Databases System Access Root Certificate Authority Certificate Issuance Subordinate CAs Sub-CA certificates 7
Types of HSMs § Embedded HSMs § Network HSMs § Application Security Modules 8
Embedded HSMs PCI PCMCIA • permanently installed • removable cartridge § FIPS level 2 or 3 § Acceleration from 10’s to 1000’s § Standard APIs signatures/sec* § PKCS#11, CAPI, Open. SSL, JCE/JCA * asymmetric encryptions/second using the industry standard 1024 bit RSA algorithm 9
Network HSMs Standard I/F • • PKCS#11 MS-CAPI Open. SSL Java JCE/JCA Network HSM § Same cryptographic functionality as embedded HSMs § HSM can be shared by multiple application servers over the network § Keys are stored and managed centrally § Reduced hardware and operations costs 10
Application Security Modules Application code Programmable I/F • • • HTML XML Other… § Protects encryption keys with onboard HSM § Also protects the application code that uses the § § keys Programmable custom interfaces e. g. HTML, XML Create sealed transaction appliances that integrate application code with cryptographic operations § More secure and easier to deploy 11
What is a High Assurance HSM? § Keys Always in Hardware § True Trusted Path Authentication § Premium Certifications 12
Safe. Net Advantage: 3 Layers of HW Security Tamper Resistant Hardware Creation 2 Multi-Person Two-Factor Access Control 3 1 Destruction 1 Hardware. Secured Key Lifecycle Usage Storage Distribution 3 DES Key Encryption Software cannot meet audit requirements for protecting vital corporate root keys 13
Luna Advantage: Multi-Person Authenticated Access 2 -Factor Authentication Password + + Multi-person Authentication Password + 14
PC Keyboard is not a Trusted Path Before After http: //www. chicagospies. com/products/keykatch. shtml § § Keyboard sniffer costs about $100 Installs in about 10 seconds Is electronically undetectable Records 65, 000 keystrokes 15
HSM Certifications § NIST FIPS Certificates, see: http: //csrc. nist. gov/cryptval/1401 vend. htm § Certificates include: 8, 29, 38, 39, 56, 57, 58, 168, 173, 214, 215, 216, 217, 218, 220, 270, 375, 436 § Domus is our certification laboratory for FIPS certifications § Common Criteria EAL 4+ Certificate, see: § http: //niap. nist. gov/cc-scheme/vpl_type. html or http: //www. commoncriteriaportal. org/public/expert/index. php? men u=9&orderindex=1&showcatagories=-33 § Electronic Warfare Associates (EWA) Canada was the certification body for Common Criteria § Digital Signature Law Validation 16
How are HSMs Used for PKI? § § § Protect Root keys Issue Keys to Sub CAs, Servers and Users Sign transactions Offload crypto operations A few real world examples… 17
HSMs: High-Availability and Disaster Recovery Operational Disaster Recovery PKI CA Online Hot Standby Physical Backup 18
Securing Banking Transactions Large Banks Safe. Net HSM Small Banks Applications Financial Transaction Infrastructure Payments & Cash Mgt Treasury & Derivatives Trade services Pre-Settlement/trade Clearing services Custody services Certificate Authority Access Control via 2 or 3 factor Safe. Net HSM Key Management SSL Acceleration FIPS certified Applications Directory 19
Example - Manufacturing with PKI- IP Phones IP Phone 4 1 3 2 Luna HSM Manufacturing CA The IP phone requests a certificate from the manufacturing certificate authority. (1) The certificate authority generates a new certificate that the Luna HSM signs with the root key. (2) The certificate is sent to the IP phone. (3) The IP phone now has a unique digital identity that is stamped into the phone by Cisco’s. (4) 20
Toolkits 3 rd Party or Customer Developed Host Application PKCS#11, Java, CAPI, Open. SSL, Custom, XML WSDL, Payments API’s Windows, Solaris, Linux, HP UX, AIX, Solaris Networked to single or multiple SSM smart card Write your own applications and load them directly onto the device secure sensitive code or place applications in untrusted environments Early-stage development all in Software 21
What to look for in an HSM? § § § § § Certified by Standards Bodies Performance Level of security Auditability Ease of integration Ease of management Flexibility in use Scalability (multiple partitions) High Availability & Disaster Recovery Keys in always in hardware 22
Best Practices for Hardware Security Modules 1. Hardware-secured key generation ü ü ü 2. Hardware-secured key storage 3. Hardware-secured key backup ü ü Hardware-secured digital signing ü PKI authenticated software 4. 5. 6. Controlled physical access 7. Host independent 2 factor authentication 8. Enforced operational roles ü 9. Independent Audit ü 10. FIPS 140 -1 & Common Criteria validation 23
Safe. Net – Strongest HSM Offering § Global and Stable organization: 25 years in security § Broadest HSM product Suite from USB to Network Attached § Best Toolkit offering featuring: § Well documented API’s: Open. SSL, XML, PKCS#11, Java, CAPI § A Software Emulation “HSM” for development § PPO and Java environments to host and secure code as well as § Keys Global F 1000 trust Safe. Net HSM to: § Secure their 3 rd Party Applications § Develop on for their own security applications § Deploy in house and in untrusted environments 24
Contact Details § Dave Madden, § Business Development § Safenet Inc. § 613 -221 -5016 § dmadden@safenet-inc. com § www. safenet-inc. com 25
Скачать презентацию HSM Overview for Grid Computing Dave Madden Business
3a31dda56017add99e52ea2ed087b810.ppt