HSM Overview for Grid Computing: Dave Madden, Business Development, Safenet Inc.
1
HSM Overview for Grid Computing
Dave Madden, Business Development
Safenet Inc.
2
The Foundation of Information Security
• Encryption experts with 25-year history of HARDWARE security protection for:
  • Communications
  • Intellectual Property Rights
  • Data and Identities
• Global Company with Local Service
  • Headquartered in Maryland, USA
  • Regional headquarters in Camberley, UK; Hong Kong
  • 30+ offices located in more than 20 countries
• Encryption technology heritage
  • 43 patents issued, 31 patents pending
  • Majority of the leading security vendors embed SafeNet’s technology in their offerings
  • Fastest Growing Networking Company – 2005
1. Not necessarily supported by SafeNet
3
PKI Overview
What is a Digital ID?
What is a PKI?
What is an HSM?
How are these used?
4
What is a Digital Identity?
• An asymmetric key pair assigned to a particular individual
• Implemented using a digital certificate
• Contains information about you (name etc.) plus your public key
• Certificate is digitally signed by a trusted source
• It’s like issuing a digital passport
• Therefore the keys are important to protect – not the locks!
How do you use your digital identity?
• Use your private key to digitally sign documents
• Others verify your signature with the public key on your certificate
[Diagram labels: John Smith; Certified & Signed by: CA; Private Key; Public Key]
5
What is a PKI?
A Public Key Infrastructure (PKI) is a system to deploy and manage digital identities
• Issue digital identities
• Revoke digital identities
• Publish public keys via directories
[Diagram labels: several "John Smith" certificates, each marked "Certified by: CA"]
6
What is a Hardware Security Module (HSM)?
• Security: A device to keep private keys “close to your chest”
• Performance: Accelerate encryption operations to eliminate bottlenecks
• Audit: Provides a clear audit trail for all key materials: SAS70 / SOX / PCI / HIPAA / HSPD12 etc.
Wide range of Security, Performance, Scalability & Price
[Diagram labels: Smart Card/USB, PCMCIA/PCI, Rack mount appliance; Client security, Mid-security, High-security]
7
How are Digital IDs, PKI and HSMs Used?
[Diagram labels: B2B; Signed RFPs; System Access; Back-end Systems & Databases; Certificate Issuance; Subordinate CAs; Root Certificate Authority; Sub-CA certificates; Suppliers, Partners, Contractors; Customers, Employees; Internet]
Salomon Smith Barney concluded over 80% of Fortune 500 using PKI used SafeNet HSMs to protect their root key
8
Types of HSMs
Embedded HSMs
Network HSMs
Application Security Modules
9
Embedded HSMs
• FIPS level 2 or 3
• Acceleration from 10’s to 1000’s signatures/sec*
• Standard APIs: PKCS#11, CAPI, OpenSSL, JCE/JCA
PCMCIA
• removable cartridge
PCI
• permanently installed
* asymmetric encryptions/second using the industry standard 1024 bit RSA algorithm
10
Network HSMs
• Same cryptographic functionality as embedded HSMs
• HSM can be shared by multiple application servers over the network
• Keys are stored and managed centrally
• Reduced hardware and operations costs
[Diagram labels: Network HSM; Standard I/F: PKCS#11, MS-CAPI, OpenSSL, Java JCE/JCA]
11
Application Security Modules
• Protects encryption keys with onboard HSM
• Also protects the application code that uses the keys
• Programmable custom interfaces e.g. HTML, XML
• Create sealed transaction appliances that integrate application code with cryptographic operations
• More secure and easier to deploy
[Diagram labels: Application code; Programmable I/F: HTML, XML, Other…]
12
What is a High Assurance HSM?
• Keys Always in Hardware
• True Trusted Path Authentication
• Premium Certifications
13
SafeNet Advantage: 3 Layers of HW Security
• 3DES Key Encryption
• Multi-Person Two-Factor Access Control
• Tamper Resistant Hardware
Software cannot meet audit requirements for protecting vital corporate root keys
Hardware-Secured Key Lifecycle: Creation, Storage, Distribution, Usage, Destruction
14
Luna Advantage: Multi-Person Authenticated Access
[Diagram labels: Password; 2-Factor Authentication + Password; Multi-person Authentication ++]
15
PC Keyboard is not a Trusted Path
[Images: Before, After]
• Keyboard sniffer costs about $100
• Installs in about 10 seconds
• Is electronically undetectable
• Records 65,000 keystrokes
http://www.chicagospies.com/products/keykatch.shtml
16
HSM Certifications
• NIST FIPS Certificates, see: http://csrc.nist.gov/cryptval/140-1/1401vend.htm
  • Certificates include: 8, 29, 38, 39, 56, 57, 58, 168, 173, 214, 215, 216, 217, 218, 220, 270, 375, 436
  • Domus is our certification laboratory for FIPS certifications
• Common Criteria EAL 4+ Certificate, see: http://niap.nist.gov/cc-scheme/vpl/vpl_type.html or http://www.commoncriteriaportal.org/public/expert/index.php?menu=9&orderindex=1&showcatagories=-33
  • Electronic Warfare Associates (EWA) Canada was the certification body for Common Criteria
• Digital Signature Law Validation
17
How are HSMs Used for PKI?
• Protect Root keys
• Issue Keys to Sub CAs, Servers and Users
• Sign transactions
• Offload crypto operations
• A few real world examples…
18
HSMs: High-Availability and Disaster Recovery
[Diagram labels: Operational; Disaster Recovery; PKI CA, Online Hot Standby and Physical Backup (each shown twice)]
19
Securing Banking Transactions
[Diagram labels: Small Banks; Large Banks; Applications; Directory; Certificate Authority; SafeNet HSM; Key Management; SSL Acceleration; FIPS certified; Access Control via 2 or 3 factor]
Financial Transaction Infrastructure
• Payments & Cash Mgt
• Treasury & Derivatives
• Trade services
• Pre-Settlement/trade
• Clearing services
• Custody services
20
Example - Manufacturing with PKI - IP Phones
[Diagram labels: Manufacturing CA; Luna HSM; IP Phone; steps 1 to 4]
(1) The IP phone requests a certificate from the manufacturing certificate authority.
(2) The certificate authority generates a new certificate that the Luna HSM signs with the root key.
(3) The certificate is sent to the IP phone.
(4) The IP phone now has a unique digital identity that is stamped into the phone by Cisco’s.
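The four-step IP phone enrolment above, together with the sign-and-verify use of a digital identity from the "What is a Digital Identity?" slide, as an added example that is not part of the original deck. It uses the OpenSSL command line, and a software RSA key stands in for the root key that the deck keeps inside the Luna HSM; the CA name, phone serial and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides). A software RSA key stands in for the
# root key that the deck keeps inside the Luna HSM; all names are constructed.

make_manufacturing_ca() {   # $1 = directory for the CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Manufacturing CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

enroll_phone() {            # $1 = CA directory, $2 = phone directory, $3 = serial
  # (1) The phone generates its key pair and requests a certificate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=phone-$3" \
    -keyout "$2/phone.key" -out "$2/phone.csr" 2>/dev/null || return 1
  # (2) The CA signs the certificate with the root key (HSM-held in the deck).
  # (3) The signed certificate is written back to the phone's directory.
  openssl x509 -req -in "$2/phone.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$2/phone.pem" 2>/dev/null
}

cert_chains_to() {          # $1 = trusted CA certificate, $2 = phone certificate
  # Succeeds only if the phone certificate was signed by the trusted CA.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

phone_proves_identity() {   # $1 = phone directory, $2 = challenge string
  # (4) The phone signs a challenge with its private key; the verifier checks
  # the signature using only the public key taken from the certificate.
  printf '%s' "$2" > "$1/challenge" || return 1
  openssl dgst -sha256 -sign "$1/phone.key" -out "$1/sig" "$1/challenge" || return 1
  openssl x509 -in "$1/phone.pem" -pubkey -noout > "$1/phone.pub" || return 1
  openssl dgst -sha256 -verify "$1/phone.pub" -signature "$1/sig" \
    "$1/challenge" >/dev/null 2>&1
}
```

A certificate issued under one manufacturing CA fails `cert_chains_to` against any other CA certificate, even one with the same subject name, which is why the root signing key is the asset the deck places in hardware.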
21
Toolkits
• Write your own applications and load them directly onto the device
• Secure sensitive code or place applications in untrusted environments
• Early-stage development all in software
• Windows, Solaris, Linux, HP UX, AIX, Solaris
• Networked to single or multiple
• PKCS#11, Java, CAPI, OpenSSL, Custom, XML WSDL, Payments APIs
[Diagram labels: smart card; SSM; 3rd Party or Customer Developed Host Application]
22
What to look for in an HSM?
• Certified by Standards Bodies
• Performance
• Level of security
• Auditability
• Ease of integration
• Ease of management
• Flexibility in use
• Scalability (multiple partitions)
• High Availability & Disaster Recovery
• Keys always in hardware
23
Best Practices for Hardware Security Modules
10. FIPS 140-1 & Common Criteria validation
9. Independent Audit
8. Enforced operational roles
7. Host independent 2-factor authentication
6. Controlled physical access
5. PKI authenticated software
4. Hardware-secured digital signing
3. Hardware-secured key backup
2. Hardware-secured key storage
1. Hardware-secured key generation
24
SafeNet – Strongest HSM Offering
• Global and Stable organization: 25 years in security
• Broadest HSM product Suite from USB to Network Attached
• Best Toolkit offering featuring:
  • Well documented APIs: OpenSSL, XML, PKCS#11, Java, CAPI
  • A Software Emulation “HSM” for development
  • PPO and Java environments to host and secure code as well as Keys
• Global F1000 trust SafeNet HSM to:
  • Secure their 3rd Party Applications
  • Develop on for their own security applications
  • Deploy in house and in untrusted environments
25
Contact Details
Dave Madden, Business Development Safenet Inc.
613-221-5016 [email protected] www.safenet-inc.com