Post on 27-Mar-2015
1
HSM Overview for Grid ComputingHSM Overview for Grid Computing
Dave Madden, Business Development
Safenet Inc.
2
The Foundation of Information SecurityThe Foundation of Information Security Encryption experts with 25 year history of
HARDWARE security protection for: Communications Intellectual Property Rights Data and Identities
Global Company with Local Service Headquartered in Maryland, USA Regional headquarters in
Camberley, UK Hong Kong
30 + offices located in more than 20 counties
Encryption technology heritage 43 patents issued, 31 patents pending Majority of the leading security vendors embed
SafeNet’s technology in their offerings Fastest Growing Networking Company – 2005
1. Not necessarily supported by SafeNet
3
PKI OverviewPKI Overview
What is a Digital ID?
What is a PKI?
What is an HSM?
How are these used?
4
An asymmetric key pair assigned to a particular individual Implemented using a digital certificate Contains information about you…name etc. plus your public key Certificate is digitally signed by a trusted source It’s like issuing a digital passport Therefore the keys are important to protect – not the locks!
John Smith
John Smith
Certified & Signed by:
How do you use your digital identity? Use your private key digitally sign documents Others verify your signature with the public key on your certificate
PrivateKey
PublicKey
What is a Digital Identity?What is a Digital Identity?
CA
5
A Public Key Infrastructure (PKI) is a system to deploy and manage digital identities
Issue digital identities Revoke digital identities Publish public keys via directories
John Smith
Certified by:
John Smith
Certified by:
John Smith
Certified by:
John Smith
What is a PKI?What is a PKI?
CA
6
What is a Hardware Security Module (HSM)?What is a Hardware Security Module (HSM)?
Security: A device to keep private keys “close to your chest”
Performance: Accelerate encryption operations to eliminate bottlenecks
Audit: Provides a clear audit trail for all key materials: SAS70 / SOX / PCI / HIPPA / HSPD12 etc.
PCMCIA/PCI Rack mount appliance
Mid-security High-securitySmart Card/USB
Client security
Wide range of Security, Performance, Scalability & Price
7
How are Digital IDs, PKI and HSMs Used?How are Digital IDs, PKI and HSMs Used?
B2BSigned RFPs
System Access
Back-end
Systems &
Databases
Certificate Issuance
Subordinate CAs
Root Certificate Authority
Sub-CA certificates
Suppliers,
Partners,
Contractors
Customers,
Employees
Internet
Salomon Smith Barney concluded over
80% of Fortune 500 using PKI used
SafeNet HSMs to protect their root key
8
Types of HSMsTypes of HSMs
Embedded HSMs
Network HSMs
Application Security Modules
9
Embedded HSMsEmbedded HSMs
FIPS level 2 or 3 Acceleration from 10’s to 1000’s
signatures/sec* Standard APIs
PKCS#11, CAPI, OpenSSL, JCE/JCA
PCMCIA
• removable cartridge
PCI
• permanently installed
* asymmetric encryptions/second using the industry standard 1024 bit RSA algorithm
10
Network HSMsNetwork HSMs
Same cryptographic functionality as embedded HSMs
HSM can be shared by multiple application servers over the network
Keys are stored and managed centrally Reduced hardware and operations costs
• PKCS#11• MS-CAPI• OpenSSL• Java JCE/JCA
Standard I/F
Network HSM
11
Application Security ModulesApplication Security Modules
Protects encryption keys with onboard HSM Also protects the application code that uses the keys Programmable custom interfaces e.g. HTML, XML Create sealed transaction appliances that integrate application code with
cryptographic operations More secure and easier to deploy
Applicationcode
• HTML• XML• Other…
Programmable I/F
12
What is a High Assurance HSM?What is a High Assurance HSM?
Keys Always in Hardware True Trusted Path Authentication Premium Certifications
13
SafeNet Advantage: 3 Layers of HW SecuritySafeNet Advantage: 3 Layers of HW Security
1
3DES Key Encryption
Multi-PersonTwo-Factor
Access Control
Tamper Resistant Hardware
Software cannot meet audit requirements for protecting vital corporate root keys
1
3
2
Creation
StorageHardware-Secured
Key Lifecycle
DistributionUsage
Destruction
14
Luna Advantage:Luna Advantage:Multi-Person Authenticated AccessMulti-Person Authenticated Access
2-FactorAuthentication
Password
2-FactorAuthentication
+Password
Multi-personAuthentication
++
15
PC Keyboard is not a Trusted PathPC Keyboard is not a Trusted Path
Before After
Keyboard sniffer costs about $100 Installs in about 10 seconds Is electronically undetectable Records 65,000 keystrokes
http://www.chicagospies.com/products/keykatch.shtml
16
HSM CertificationsHSM Certifications
NIST FIPS Certificates, see: http://csrc.nist.gov/cryptval/140-1/1401vend.htm Certificates include: 8, 29, 38, 39, 56, 57, 58, 168, 173, 214, 215,
216, 217, 218, 220, 270, 375, 436 Domus is our certification laboratory for FIPS certifications
Common Criteria EAL 4+ Certificate, see:
http://niap.nist.gov/cc-scheme/vpl/vpl_type.html or http://www.commoncriteriaportal.org/public/expert/index.php?menu=9&orderindex=1&showcatagories=-33
Electronic Warfare Associates (EWA) Canada was the certification body for Common Criteria
Digital Signature Law Validation
17
How are HSMs Used for PKI?How are HSMs Used for PKI?
Protect Root keys Issue Keys to Sub CAs, Servers and Users Sign transactions Offload crypto operations A few real world examples…
18
HSMs: HSMs: High-Availability and Disaster RecoveryHigh-Availability and Disaster Recovery
Operational Disaster Recovery
OnlineHot Standby
Physical Backup
OnlineHot Standby
Physical Backup
PKI CA PKI CA
19
Securing Banking TransactionsSecuring Banking Transactions
Applications
Applications
Directory
Certificate Authority
Key Management SSL AccelerationFIPS certified
SafeNet HSM
SafeNet HSM
SmallBanks
Access Control
via 2 or 3 factor
Financial Transaction Infrastructure
Payments & Cash Mgt
Treasury & Derivatives
Trade services
Pre-Settlement/trade
Clearing services
Custody services
SafeNet HSM
Large Banks
20
Example - Manufacturing with PKI- IP PhonesExample - Manufacturing with PKI- IP Phones
Manufacturing CA
Luna HSM
1
2
3
4
IP Phone
The IP phone requests a certificate from the manufacturing certificate authority. (1) The certificate authority generates a new certificate that the Luna HSM signs with the root key. (2) The certificate is sent to the IP phone. (3) The IP phone now has a unique digital identity that is stamped into the phone by Cisco’s. (4)
21
ToolkitsToolkits
smart card
SSM
Write your own applications and load them directly onto the device
secure sensitive code or place applications in untrusted environments
Early-stage development all in
Software
Windows, Solaris, Linux, HP UX, AIX, Solaris
Networked to single or multiple
PKCS#11, Java, CAPI, OpenSSL, Custom, XML WSDL, Payments API’s
3rd Party or Customer Developed Host Application
22
What to look for in an HSM?What to look for in an HSM?
Certified by Standards Bodies Performance Level of security Auditability Ease of integration Ease of management Flexibility in use Scalability (multiple partitions) High Availability & Disaster Recovery Keys in always in hardware
23
Best PracticesBest Practices for Hardware Security Modules for Hardware Security Modules
10. FIPS 140-1 & Common Criteria validation5. PKI authenticated software
9. Independent Audit 4. Hardware-secured digitalsigning
8. Enforced operational roles
3. Hardware-secured keybackup
7. Host independent 2-factor authentication
2. Hardware-secured keystorage
6. Controlled physical access1. Hardware-secured key generation
24
SafeNet – Strongest HSM OfferingSafeNet – Strongest HSM Offering
Global and Stable organization: 25 years in security Broadest HSM product Suite from USB to Network Attached Best Toolkit offering featuring:
Well documented API’s: OpenSSL, XML, PKCS#11, Java, CAPI A Software Emulation “HSM” for development PPO and Java environments to host and secure code as well as
Keys Global F1000 trust SafeNet HSM to:
Secure their 3rd Party Applications Develop on for their own security applications Deploy in house and in untrusted environments
25
Contact DetailsContact Details
Dave Madden, Business Development Safenet Inc.
613-221-5016 dmadden@safenet-inc.com www.safenet-inc.com