Post on 03-Jul-2018
Utimaco HSM Business Unit · Aachen, Germany · © 2017 - November 2017 hsm.utimaco.com Page 1
Utimaco HSMs
Product Portfolio
November 2017
Dieter Bong, Head of Product Management
Christian Bollich, Director of Payment Program
Utimaco: Facts and Figures
Installations: 1.000+
Employees: 170+ (70% in R&D, Support and Production)
Revenue: ~ € 40 Million
Headquarters: Aachen, Germany
Fastest growing independent HSM vendor worldwide
Utimaco: 25 years of experience in IoT security
2001 German Land Registry Office
2008 Conditional Access for PayTV
Foundation Utimaco 1983
1st Gen HSM KryptoServer 1991
TimeStamp for Lotteries 1999
2nd Gen HSM CryptoServer Series (Incl. Sensor Foil) 2002
Market Leader in Telecommunications 2006
HSM Software Simulator 2007
eID „Deutschland“ HSM 2010
Immigration Control 2012
6th Gen HSM 2016
1993 ZKA Approval
1997 1st Automotive Application
2004 Road Pricing
2006 HSM Software Development Kit
2011 SmartGrid
2013 Payment EFT POS for large Food Retailer
2014 Industrial IoT with leading Semiconductor
Office in USA 2013
US Electric Car Maker 2015
Office in Singapore
2008–2013 Sophos
Challenges
CyberSecurity
Compliance
Regulations and market-specific security requirements mandate confidentiality of data
GDPR, HIPAA, …: personally identifiable information (PII)
PCI DSS: cardholder data
Confidentiality is achieved by encrypting the data
Data encryption keys must be securely generated, stored and used
Access to encryption keys must be restricted to dedicated personnel
Connected World
Identification and authentication of connected devices in large infrastructures
Smart Metering, V2x communication, Internet of Things (IoT), …
Each device requires a unique ID and key material
Challenges
CyberSecurity
HSMs are the Root of Trust for many industries and the IoT
Utimaco HSMs – The Root of Trust
CryptoServer Hardware Security Modules
Product Portfolio

CryptoServer Se-Series 12/52/500/1500
Physical Interface: PCIe plug-in card; Network attached
Certifications: FIPS 140-2 Level 3, Common Criteria EAL4+ acc. Protection Profile EN 419221-5 * (* in progress)

CryptoServer CSe-Series 10/100
Physical Interface: PCIe plug-in card; Network attached
Certifications: FIPS 140-2 L3 w/ Phys. Security L4, CC Evaluation w/ Attack Potential “High”, “DK” Approval, PCI-HSM

Cryptographic Support: (T)DES, AES, RSA, (EC)DSA, (EC)DH, SHA, …
Product Portfolio - Product Packages
CryptoServer Se-Series 12/52/500/1500
CryptoServer CSe-Series 10/100
SecurityServer: PKCS#11, JCE, MS CSP/CNG/SQL EKM, CXI
TimestampServer: RFC 3161, CTS API
CryptoServer SDK: Development Kit for CryptoServer Firmware Development
PaymentServer EFTPOS
PKCS#11, JCE, MS CSP/CNG/SQL EKM, CXI
Internal and external key storage
Internal key storage fulfills most stringent compliance requirements
External key storage provides
Virtually unlimited storage capacity
Easy setup HSM cluster
HSM cluster for high-availability or load-balancing
Virtually unlimited number of slots
Great performance
Great Functionality, Capacity and Scalability
Utimaco SecurityServer
Multitude of authentication mechanisms
Username/password
Keyfile
Smartcard
2 factor authentication
4 eyes principle and M of N authentication
Configurable role-based access control
Granular definition of required permissions
Interface hardening
Extremely Powerful and Flexible Access Control Mechanisms
SecurityServer
Fulfil any security policy, from straightforward to most-demanding
Something you have.
Something you know.
Fully functional software simulator for Windows and Linux
HSM administration, user authentication, key management, cryptography, etc.
Ideal for
Product evaluation
Dry-run before setup of production HSM
Integration testing
Training
Free HSM simulator
SecurityServer
Easy and fast setup
HSM is up and running in a few minutes
Remote Management
Powerful command-line administration tools
Scriptable
Easy-to-use graphical administration tools
Unmatched Ease of Use
SecurityServer
Fixed-price policy w/o hidden costs
No license fees for additional connections, clients, partitions
No expensive PIN entry devices for remote management
Low price for additional authentication token
Smartcards and PIN Pad
Performance upgrade @ minimal service fee
Upgrade from Se12 / Se500 / CSe10 to Se52 / Se1500 / CSe100
Best price/performance ratio
Ease of use
Lowest TCO
SecurityServer
Standardized cryptographic APIs support many cryptographic algorithms and mechanisms …
PKCS#11, JCE, Microsoft CSP/CNG
… but do not
Cover all algorithms and mechanisms used worldwide
(Secret) Government algorithms
Key derivation mechanisms only used for payment transactions in selected countries
Immediately incorporate new algorithms as they get designed and standardized
Post Quantum Cryptography
Support complex protocols or sequences of functions as atomic operations
Key derivation and PIN calculation for card personalization
Challenges
CryptoServer SDK
Utimaco's CryptoServer SDK is the most powerful and flexible development kit that enables you to
Define and implement custom functionality with optimized application interfaces
Develop custom code that runs inside the secure boundary of any Utimaco HSM
Extend PKCS#11 functionality by Vendor Defined Mechanisms
The Solution
CryptoServer SDK
Full control of HSM functionality
Modular firmware concept allowing for a virtually unlimited number of firmware modules
C / C++ programming language
Complete Utimaco base firmware re-usable
Support for common development tools
Microsoft Visual Studio
gcc
HSM simulator for testing and debugging
Sample firmware modules and host applications
Most Powerful SDK for HSM Firmware Development
CryptoServer SDK
Extension of PKCS#11 provider by non-standardized mechanisms
Key derivation for Global Platform Secure Channel Protocol '03' (SCP03)
Local government algorithms
Localized product versions
Card personalization with common functionality but localized key derivation functions
Replacement of multiple standardized mechanisms by single atomic operation
Avoids intermediate results outside HSM
Increases performance
Replacement of standardized mechanism by customized variant
RSA key generation with custom prime number generation
Plug-in for PKCS#11 Vendor Defined Mechanisms Use Cases
CryptoServer SDK
A Timestamp proves that
Specific data / document existed at a certain point in time, and has not been modified since
An event occurred at some point in time
Utimaco's TimestampServer
Safeguards and uses the TimestampServer signing key inside the secure boundary of an HSM
Synchronizes its internal time with a reference NTP server
Integrates with any application implementing the RFC 3161 time stamp protocol
E.g. Adobe Acrobat
Reliable Timestamps
TimestampServer
Payment cards and transaction security have a long history
Well established protocols and understood use-cases for HSM
Still growing globally in double digits
Incumbent and Traditional Market
The Payment Landscape
Number of Worldwide Non-Cash Transactions (Billion), by Region, 2011-15
Emerging Market
The Payment Landscape

Introduction of AES
Almost done in Germany
The rest of the world will follow

Blockchain
Payment sector is the first to move into blockchain technology
Within the next 3 years implementation of
Payment authorization
Clearing and settlement
We will see first productive implementations soon.

FinTech
Driven by customer expectation for more convenience using banking applications
In-App payments
Venture Capital
PSD2 will have an impact

Immediate or Instant Payments
Irrevocable – Potential to replace cash and checks
In the UK today 5% of all non-cash payments are done via Fast Payment Service
SEPA Instant Payments starts November 2017
Cards moving to contactless
Contactless penetration in
Canada > 40%
Australia > 85%
Europe between 20-50%
USA < 5%
New protocols to be implemented
VISA qVSDC
MasterCard M/Chip Fast
Emerging Market
The Payment Landscape
Adoption rate of contactless cards worldwide
Source: https://www.nfcworld.com/2015/02/06/334018/contactless-payment-card-shipments-grow-35-percent/
PSD2 – Payment Services Directive 2
Europe will become a fully interoperable, digital market
Huge impact on Payment Service Provider and FinTechs
Will have global reach and shape other international standards
PCI – Payment Card Industry
PCI HSM is gaining traction as FIPS 140-2 disallows widely used algorithms like DES, SHA1 and XOR for key derivations.
Defines audit schemes like PCI DSS and PCI P2PE, which mandate the use of HSMs
eIDAS
National schemes
DK (Germany)
CB (France)
By Governments and Industry Initiatives
Regulated Payment Market
Comprehensive offering
Supporting our customers every step of the way
HSM + SDK + Integration Support + Certification Assistance + Tiered Maintenance
Hardware Security Module
A robust and flexible hardware platform
Robust, proven Hardware platform
Hardware Security Modules are designed and manufactured in Germany
LAN Appliance assembled in Germany and the US
FIPS 140-2 certified HSM, Level 3 Overall / up to Level 4 for Physical Security
PCI PTS HSM v2 certified
Single platform: Applications run on all HSM architectures
Extended product lifecycle, typically 7+ years
Hard- and firmware architecture design allows for maximum performance when executing custom algorithms
Software Development Kit
Making it easy to develop your own custom firmware
Software backward compatibility over 10+ years
Multiple options for developing custom firmware
C based Programming SDK
Lua based Scripting language
Software simulator for convenient debugging and testing
Multiple firmware applications can coexist on a single HSM
Integration support
Dedicated support capability for custom firmware development
Assistance with migration from legacy / competitive HW platforms
CryptoServer SDK training / CryptoScript SDK training
Not-for-resale hardware HSM evaluation units
Free evaluation support
Multiple Professional Services options
Remote integration support
Outsource your custom firmware development to Utimaco
Assistance to certification
Accompanying our customers throughout the certification process
Utimaco works with leading evaluation labs across the world
Penumbra – FIPS
Brightsight – Common Criteria
SRC – PCI and eIDAS
We manage the entire certification process on your behalf
Full Project Management
Leveraging our existing certifications to fast track certification of our customers’ own firmware (“Delta” certification)
3 out of 5 devices in the market that are usable in uncontrolled environments for PCI HSM are based on the CryptoServer CSe
Documentation and implementation support
Tiered Maintenance
Choice of Maintenance & Support options
Per Unit cost
Fixed annual fee
Multi year maintenance discount available
Premium maintenance and support with advanced replacement for RMA
HSM, SDK, CryptoScript, integration process, certification process
Easy to work with
Flexible: One technology platform for GP and Payment and Customized firmware
Open to project way of working, experienced Professional Services team
We have a complete offering to support the change of your business
Enable, innovate, support
Public Payment Program – source code ships with the CryptoServer SDK
The basis for your payment business logic running inside an HSM
Many functions for transaction security and authorization, key management implemented
PCI HSM certified version
TR31 support
Based on the CSe series
Certified for uncontrolled environments
Product Offerings
Utimaco Offering: Payment Program
Utimaco IS GmbH
Germanusstraße 4
52080 Aachen
Germany
Tel +49 241 1696 200
Fax +49 241 1696 199
Email hsm@utimaco.com
Utimaco Inc.
Suite 150
910 E Hamilton Ave
Campbell, CA 95008
United States of America
Tel +1 844 884 6226
Email hsm@utimaco.com
Thanks for your attention