eSecurity and Luna Product Overview

HSM Overview for Grid Computing
Dave Madden,
Business Development
Safenet Inc.
The Foundation of Information Security
• Encryption experts with a 25-year history of HARDWARE security protection for:
  • Communications
  • Intellectual Property Rights
  • Data and Identities
• Global Company with Local Service
• Headquartered in Maryland, USA
• Regional headquarters in
  • Camberley, UK
  • Hong Kong
• 30+ offices located in more than 20 countries
• Encryption technology heritage
• 43 patents issued, 31 patents pending
• Majority of the leading security vendors embed SafeNet’s technology in their offerings
• Fastest Growing Networking Company – 2005
1. Not necessarily supported by SafeNet
PKI Overview
• What is a Digital ID?
• What is a PKI?
• What is an HSM?
• How are these used?
What is a Digital Identity?
• An asymmetric key pair assigned to a particular individual
• Implemented using a digital certificate
  • Contains information about you…name etc. plus your public key
  • Certificate is digitally signed by a trusted source
  • It’s like issuing a digital passport
• Therefore the keys are important to protect – not the locks!

[Diagram: a Private Key and a Public Key for John Smith; a certificate for John Smith, "Certified & Signed by: CA"]

• How do you use your digital identity?
  • Use your private key to digitally sign documents
  • Others verify your signature with the public key on your certificate
What is a PKI?
• A Public Key Infrastructure (PKI) is a system to deploy and manage digital identities
  • Issue digital identities
  • Revoke digital identities
  • Publish public keys via directories

[Diagram: certificates for John Smith, each marked "Certified by: CA"]
What is a Hardware Security Module (HSM)?
• Security: A device to keep private keys “close to your chest”
• Performance: Accelerate encryption operations to eliminate bottlenecks
• Audit: Provides a clear audit trail for all key materials: SAS70 / SOX / PCI / HIPAA / HSPD12 etc.

Wide range of Security, Performance, Scalability & Price
• Smart Card/USB: Client security
• PCMCIA/PCI: Mid-security
• Rack mount appliance: High-security
How are Digital IDs, PKI and HSMs Used?
Salomon Smith Barney concluded over 80% of Fortune 500 using PKI used SafeNet HSMs to protect their root key

[Diagram labels: Suppliers, Partners, Contractors; Signed RFPs; Customers, Employees; B2B; Internet; Back-end Systems & Databases; System Access; Root Certificate Authority; Certificate Issuance; Subordinate CAs; Sub-CA certificates]
Types of HSMs
• Embedded HSMs
• Network HSMs
• Application Security Modules
Embedded HSMs
PCI
• permanently installed
PCMCIA
• removable cartridge

• FIPS level 2 or 3
• Acceleration from 10’s to 1000’s signatures/sec*
• Standard APIs
  • PKCS#11, CAPI, OpenSSL, JCE/JCA

* asymmetric encryptions/second using the industry standard 1024 bit RSA algorithm
Network HSMs
[Diagram: Network HSM, with interface labels PKCS#11, MS-CAPI, OpenSSL, Java JCE/JCA]

• Same cryptographic functionality as embedded HSMs
• HSM can be shared by multiple application servers over the network
• Keys are stored and managed centrally
• Reduced hardware and operations costs
Application Security Modules
[Diagram: Application code, with interface labels HTML, XML, Other…]

• Protects encryption keys with onboard HSM
• Also protects the application code that uses the keys
• Programmable custom interfaces e.g. HTML, XML
• Create sealed transaction appliances that integrate application code with cryptographic operations

More secure and easier to deploy
What is a High Assurance HSM?
• Keys Always in Hardware
• True Trusted Path Authentication
• Premium Certifications
SafeNet Advantage: 3 Layers of HW Security
[Diagram: three numbered layers: Tamper Resistant Hardware; Multi-Person Two-Factor Access Control; Hardware-Secured Key Lifecycle (Creation, Usage, Storage, Distribution, Destruction). Also labelled: 3DES Key Encryption]

Software cannot meet audit requirements for protecting vital corporate root keys
Luna Advantage:
Multi-Person Authenticated Access
[Diagram labels: 2-Factor Authentication; Multi-person Authentication; Password +]
PC Keyboard is not a Trusted Path
[Images: Before / After] http://www.chicagospies.com/products/keykatch.shtml

• Keyboard sniffer costs about $100
• Installs in about 10 seconds
• Is electronically undetectable
• Records 65,000 keystrokes
HSM Certifications
• NIST FIPS Certificates, see: http://csrc.nist.gov/cryptval/1401/1401vend.htm
  • Certificates include: 8, 29, 38, 39, 56, 57, 58, 168, 173, 214, 215, 216, 217, 218, 220, 270, 375, 436
  • Domus is our certification laboratory for FIPS certifications
• Common Criteria EAL 4+ Certificate, see: http://niap.nist.gov/cc-scheme/vpl/vpl_type.html or http://www.commoncriteriaportal.org/public/expert/index.php?menu=9&orderindex=1&showcatagories=-33
  • Electronic Warfare Associates (EWA) Canada was the certification body for Common Criteria
• Digital Signature Law Validation
How are HSMs Used for PKI?
• Protect Root keys
• Issue Keys to Sub CAs, Servers and Users
• Sign transactions
• Offload crypto operations
• A few real world examples…
HSMs: High-Availability and Disaster Recovery
[Diagram: an Operational site and a Disaster Recovery site, each showing a PKI CA with HSMs labelled Online, Hot Standby and Physical Backup]
Securing Banking Transactions
[Diagram labels: Large Banks; Small Banks; SafeNet HSM; Applications; Financial Transaction Infrastructure (Payments & Cash Mgt, Treasury & Derivatives, Trade services, Pre-Settlement/trade, Clearing services, Custody services); Certificate Authority; Access Control via 2 or 3 factor; Key Management; SSL Acceleration; FIPS certified; Directory]
Example - Manufacturing with PKI - IP Phones

[Diagram: IP Phone, Manufacturing CA and Luna HSM, connected by steps numbered 1 to 4]
The IP phone requests a certificate from the manufacturing certificate authority. (1) The certificate authority
generates a new certificate that the Luna HSM signs with the root key. (2) The certificate is sent to the IP
phone. (3) The IP phone now has a unique digital identity that is stamped into the phone by Cisco’s. (4)
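
The issuance flow described above, as an added Go example (not SafeNet's or Cisco's code, and not from the original slides). An in-memory ECDSA key stands in for the Luna HSM behind Go's `crypto.Signer` interface; the helper names `sign`, `issue` and `trusted` and the names "Example Manufacturing CA" and "phone-0001" are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl over pub; a crypto.Signer returns signatures, never the key, as an HSM-backed key would.
func sign(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issue is steps (1)-(3): a CSR whose self-signature fails gives no proof of key possession and is refused.
func issue(csrDER []byte, ca *x509.Certificate, hsm crypto.Signer) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("CSR rejected: unparsable or bad self-signature")
	}
	return sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject}, ca, csr.PublicKey, hsm)
}

// trusted reports whether cert chains to root, the check a relying party makes on the phone's identity.
func trusted(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() { // constructed names; rootKey is a software stand-in for the HSM-held root key
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rt := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Manufacturing CA"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root, _ := sign(rt, rt, rootKey.Public(), rootKey)
	phoneKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "phone-0001"}}, phoneKey)
	cert, err := issue(csr, root, rootKey)
	fmt.Println("issued:", err == nil, "chains to root:", err == nil && trusted(cert, root))
}
```

With a real HSM, only the value passed as `hsm` changes: any PKCS#11-backed key that implements `crypto.Signer` can be handed to `issue` unchanged.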
Toolkits
3rd Party or Customer Developed Host Application
PKCS#11, Java, CAPI, OpenSSL, Custom, XML WSDL, Payments API’s
Windows, Solaris, Linux, HP UX, AIX, Solaris
Networked to single or multiple
SSM
smart card
Write your own applications and load them directly onto the device
secure sensitive code or place applications in untrusted environments
Early-stage development all in Software
What to look for in an HSM?
• Certified by Standards Bodies
• Performance
• Level of security
• Auditability
• Ease of integration
• Ease of management
• Flexibility in use
• Scalability (multiple partitions)
• High Availability & Disaster Recovery
• Keys always in hardware
Best Practices for Hardware Security Modules
1. Hardware-secured key generation
2. Hardware-secured key storage
3. Hardware-secured key backup
4. Hardware-secured digital signing
5. PKI authenticated software
6. Controlled physical access
7. Host independent 2-factor authentication
8. Enforced operational roles
9. Independent Audit
10. FIPS 140-1 & Common Criteria validation
SafeNet – Strongest HSM Offering
• Global and Stable organization: 25 years in security
• Broadest HSM product Suite from USB to Network Attached
• Best Toolkit offering featuring:
  • Well documented API’s: OpenSSL, XML, PKCS#11, Java, CAPI
  • A Software Emulation “HSM” for development
  • PPO and Java environments to host and secure code as well as Keys
• Global F1000 trust SafeNet HSM to:
  • Secure their 3rd Party Applications
  • Develop on for their own security applications
  • Deploy in house and in untrusted environments
Contact Details
Dave Madden,
Business Development
Safenet Inc.
613-221-5016
dmadden@safenet-inc.com
www.safenet-inc.com