nCipher provides a range of hardware-based security products designed to provide performance acceleration for secure operations - such as SSL connections and digital signature verification - and secure storage and management of critical keys. The latest versions also provide a secure code execution capability within the hardware module itself. The product range includes:

nFast - a hardware accelerator that increases the performance of secure SSL Web servers to allow up to two thousand customers per second to be served at a fraction of the cost of adding new server hardware with equivalent speed. A single nFast device can enable Web servers to achieve sustained throughput of up to 400 SSL connections per second.

nForce - designed for secure e-commerce servers and other PKI-enabled applications, nForce is a hardware security module that provides secure and scalable key management facilities combined with the same transaction acceleration capabilities found in nFast. Available as a PCI card or self-contained SCSI unit, the SCSI version has been validated to the Federal Information Processing Standard (FIPS) 140-1 Level 2, a benchmark that is frequently applied to secure systems.

nShield - available only as a self-contained tamper resistant hardware security module (not as a PCI card), nShield has been validated to the FIPS 140-1 Level 3. Combining secure key management, transaction acceleration, and tamper resistant physical hardening, nShield delivers high security, speed and scalability in a single package. nShield is well suited to a variety of security infrastructure applications, such as certificate authorities, online certificate validation servers and custom applications.

Each product is provided as three versions - designated 150, 300 or 400 - the designations indicating the number of sustained RSA 1024 bit signatures per second the unit is capable of supporting. The product put forward for testing by NSS was the nShield 300.
The nShield is provided as a self-contained SCSI device, which can be mounted internally to the host server or attached externally when mounted in its own cabinet. The nShield itself sports only a status LED and smart card slot on the front panel, and when provided as an external module the rear panel houses two SCSI connectors, ID selector, initialisation button and power switch.

In order to be validated to FIPS 140-1 Level 3, nShield has to demonstrate a high degree of tamper protection. Holographic seals on the product's external casing allow administrators to detect if any attempt has been made to physically tamper with the device, and the internal circuitry is encased in a special epoxy-based security potting to guard against a physical attack on the electronic components. If any attempt is made to break through the potting, the contents of the device are destroyed.

With nShield, it is possible to create, store, back up, restore and remove application keys in secure hardware and impose strict controls over the management of these keys using two-factor authentication based on smart cards and pass phrases. The use of a device such as nShield ensures that private cryptographic keys are stored in dedicated hardware while in use and encrypted with triple-DES when idle. Private keys never leave the module unencrypted and are therefore never exposed to the outside world.
Installation is pretty straightforward, especially if you already have a SCSI adapter installed in the host PC (see Appendix A for a list of hardware and software supported). All that is required is to connect the SCSI and power cables and switch on, following which the support software can be installed (apart from on Windows 2000 platforms, where the software should be installed prior to the hardware being connected).

Control of the nShield and its key management options is available via a number of command line utilities or a simple, graphical user interface known as KeySafe. KeySafe allows companies to securely create, store, import, back-up, restore or remove application keys through an easy-to-use graphical interface, delivering complete life-cycle key management. KeySafe provides a framework for managing multiple dispersed devices and allows responsibility to be delegated and shared between teams of administrators. This flexibility helps organisations develop security policies that can be easily policed and successfully sustained.

All nCipher key management software uses the nCipher Security World paradigm to provide a secure environment with both application independence and platform independence (security worlds can easily be moved intact between different host platforms) for all module and key management operations. The security world provides a framework that permits any number of nCipher's hardware security modules, smart card sets and keys to be brought together and managed as part of a single system. In addition, a security world provides the basis for implementing a security policy. This allows an organisation to define a set of rules and internal controls that specify how responsibility and authority is shared and delegated across a potentially large team of security administrators and system operators, often in different locations.
A security world consists of:
These elements are linked by the security world key, which is unique to each World. Distributing the keys over different storage media means that a security world can recover from the loss of any one element. It also increases the difficulties faced by an attacker, who needs to obtain all of the elements before gaining any information.

The nCipher Security World framework enables administrators to manage unlimited numbers of keys across multiple HSMs that may be distributed on multiple servers. Cards, keys, and even modules can be added or removed at any time, providing a very scalable solution - administrators can simply install the number of modules required to meet current needs, and then add more as requirements grow. As a result of sophisticated load balancing, all nCipher products scale linearly. When multiple hardware modules are installed on a single server, for example, it is possible to undertake up to 2000 RSA signatures per second.

The security world architecture also provides fault tolerance in a multiple-HSM implementation. If a device becomes unavailable while in service for any reason, built-in "fail over" capability simply passes all of the processing activities to the next nCipher module.

With KeySafe the administrator can create, store, import, back up, restore or remove application keys in hardware and, for added security, protect them using sets of smart cards. By keeping private keys in secure hardware while in use and encrypting them with Triple-DES when idle, the nShield protects keys against compromise from unwanted "key finding" attacks. For added security, those same keys can be protected by multiple (pass phrase enabled) smartcards thus supporting "split responsibility" for key activation. This technique (known as "k of n" secret sharing) can be integrated with an organisation's existing security policy.
For example, responsibility for approving private key use can be spread across three people, requiring any two to insert their smart cards to activate the key. The security world has been designed to ensure that keys remain secure throughout their life cycle. Because the security world uses multiple interlocking keys, each key is always protected by another key, even during recovery operations.
The security world uses smart cards for two different purposes. One set of cards, called the Administrator Card Set, is used to control access to recovery functions. All security world data is stored on the host in encrypted format, along with recovery data for the security world key. The latter is protected by the keys on the Administrator Card Set, thus allowing backup and recovery operations to be carried out by holders of those cards (usually such operations will require multiple cards to be present from the set). The Administrator Card Set can also be used (along with the encrypted security world data) to replace any module in a security world.

The remaining cards are divided into sets, called Operator Card Sets, that are used to control access to application keys. The smart cards used as Operator Cards employ the security world key to perform a challenge response protocol with the module. This means that Operator Cards can only be used by a module belonging to the same security world. Each user can access the keys protected by the security world and the keys protected by their Operator Card Set. They cannot access keys protected by other Operator Card Sets.

The security world itself has no knowledge of how the keys under its control will ultimately be used. The security world only controls the protection for a specific key, and it is the external application that determines how the key will be used. Each key can only belong to one application (and will only ever be used by that application), but any number of keys can be created in a security world for any number of applications. At present, the following applications are supported:
In addition, the nCipher Software Developer Kit (SDK) provides e-commerce application developers with the means for their applications to make use of nCipher hardware security modules. These capabilities are provided through industry standard application programming interfaces (APIs), including:
Application keys can be protected by the "master" security world key or by Operator Card Sets, and the choice comes down to the level of protection that is required, balanced against availability. By protecting an application key with the security world key, it ensures that the application will be available to all users in a particular security world at all times. No pass phrase is required to access the application key, and this ensures that the application remains available even following a power cycle or reset of the host computer.

When protecting an application using an Operator Card Set, you are restricting access to the application key to a specific user or group of users (when "k of n" secret sharing is employed). The appropriate number of cards must thus be present when the key is first accessed, and the correct pass phrase must be entered (if one has been set). Whilst offering a higher level of protection, this mode of operation is clearly unsuitable for applications such as Web servers, where the application must be constantly available, even following a power cycle.

Normally, keys protected by a card set require that the card (or the last card loaded in the case of multiple card sets) is present in the nShield module. As a security measure, as soon as the card is removed, the keys are automatically removed from the module. This can be inconvenient on occasion (only one user can load keys at any one time in a single module, for example), so card sets can be designated as "persistent", meaning that the keys remain active in the module even after the smart card has been removed. Keys protected by a persistent card are automatically removed from the module either when the application that loaded the Operator Card Set closes the connection to the module, or after a specified time limit. An application can also choose to remove these keys.
All of these capabilities are managed through KeySafe's intuitive graphical interface, which - whilst not adhering to the "standard" Windows conventions - is still very easy to get to grips with.
The opening screen provides a dual-pane view, with five menu buttons in the left hand pane: Introduction, Keys, Cards, Modules and Exit. If KeySafe is started with one or more modules in a pre-initialisation or initialisation state (set using the rear-panel button on the external module), KeySafe automatically selects the Modules option, from where the security world can be initialised, and modules added to or removed from it. If no modules are in this state, the options in this menu are disabled. Using the remaining menu options in KeySafe, the administrator can:
Recovery data is protected by the cryptographic keys on the Administrator Card Set, whereas working data is protected by the cryptographic keys on the Operator Card and/or on the module. For example, working keys on Operator Card Sets are duplicated and protected by recovery keys. Failed or mislaid operator cards can thus be replaced - and the original working keys recovered - using the Administrator Card Set in conjunction with KeySafe.
Most operations are covered by "wizards" which walk you through the options page by page. For example, when generating keys, you are first prompted for the application, and then for the key parameters such as key type (AES, RSA, DSA, DH, DES, Triple-DES, CAST, SHA-1, El Gamal, MD2, MD5, HMAC, RIPEMD-160), key size, how the key is to be protected (smart card or module), whether or not to allow key recovery, and the key name. Finally, the administrator is prompted to insert the Operator Card Set that will be used to protect this key. Application keys can also be imported from an outside source, if required. Although it is not difficult to perform most of these operations from the command line, KeySafe certainly makes managing security worlds, keys and card sets that much more straightforward.

The nCipher nShield Hardware Security Module has three main applications in its current incarnation.

Secure Web servers can quickly become bogged down with encryption tasks when they have to support hundreds of SSL (Secure Socket Layer) connections per second. Take a look at what happens when a user attempts to connect to a secure Web server using SSL:
Cryptographic tasks such as encryption and decryption of the session keys can be offloaded to the nCipher HSM, thus relieving the host server of processor-intensive activities and thus improving performance and scalability.

Without Hardware Security Modules like nShield, the root keys of Certification Authorities must be kept on the CA machine itself. Even with the best protection in the world, there is always the chance that the private keys could be compromised. At the end of the day, the trust that can be placed on a digital certificate depends on the secrecy of the private key, and the trust that can be placed on the reliability of a validation response depends on the secrecy of the private signing key. The HSM is an essential part of any serious PKI solution, and nShield provides both crypto acceleration and secure key management. The security world paradigm provides full role-based access control of keys, with multi party authentication ("K of N"). This provides high security private key protection that increases confidence in the legitimacy of digital signatures and certificates. The nShield also brings scalability and fault tolerance to the PKI, providing the capability to manage thousands of keys, automatic fail over with multiple HSMs, key sharing between multiple HSMs, and key sharing between geographic locations. Accelerated digital signing and OCSP validation removes bottlenecks in high-throughput transaction and validation servers.

A brand new use for the Hardware Security Module is as a secure space in which to execute security-sensitive code, and even to store security-sensitive data such as user names, passwords and credit card numbers. The nCipher Secure Execution Engine (SEE) provides a trusted processing environment to execute sensitive business logic and protect private data using an HSM "strongbox". It thus becomes the perfect place to store critical data - such as credit card information - whilst exposed on the DMZ.
With a Java-based development environment, applications can be written such that the portion of the program that deals with private keys and sensitive data is moved out of the host server and into the HSM. The administrator then authorises the use of private keys by signing the application code that is trusted. The security-sensitive data is thus still held initially on the DMZ, but is now in a secure "strongbox" rather than at risk on the host server.

In normal applications, the HSM will protect the keys in its care, but at the same time it is forced to do whatever a well-behaved and trusted application tells it to. In theory, therefore, attacks could be engineered between the security-sensitive code running in the host server and the security module. By moving all the security-sensitive code into the HSM, there is no way that an attacker can insert code between the application and the HSM in order to intercept key information.

Some real world applications would include the infamous "WAP gap" which causes security problems in the wireless world, and document signing or trusted time stamps in the PKI world.
For example, secure protocols such as WTLS may be used between browser and the WAP gateway, but then a protocol conversion has to be made on the gateway before a secure SSL (or proprietary) connection can be made to transfer the data to back-end systems inside the firewall. This means that sensitive customer data - credit card details for example - can reside on a public-facing server or gateway for a period of time - however short - while the protocol bridging takes place. By performing the protocol bridging operation within the HSM on the WAP gateway machine, sensitive customer data is never exposed in the clear on the public side of the retailer's network. Secure authentication of on-line access can also be performed within the nCipher HSM, thus ensuring that user name and password combinations are never exposed in the clear on the public-facing network.

It is hard to see how there can be any justification for not considering the use of a Hardware Security Module (HSM) when implementing a PKI system. Whilst the performance and scalability enhancements of the cryptographic acceleration capabilities can be ignored in low-volume implementations, the security enhancements cannot. Any PKI lives and dies by the security of its Certification Authority Root Signing Key. If the Root Key is compromised in any way, then none of the certificates issued by the CA can be trusted. Nor is it prudent to add the HSM later in the life of the CA, since without an audited root key generation ceremony that can demonstrate the absolute security of the root key, the integrity of the CA can be subsequently called into question. The HSM is thus one piece of equipment - like the CA computer and the PKI software itself - that must be factored into the equation of any PKI from the outset.
The nCipher nShield provides the highest levels of physical security - validated to FIPS 140-1 Level 3 - and, with the KeySafe software, offers extremely flexible key management capabilities enabling smart card authenticated administration of customised security policies. The security world paradigm provides for not only a simplified management interface, but also enhanced performance and fault tolerance through the ability to add extra modules as and when required. Individual modules can support up to 300 signatures per second, and performance scales in a linear manner with the addition of each module, providing transparent load balancing and automatic fail over.
Finally, the new Secure Execution Engine is a unique (at the time of writing) and exciting feature that can extend the security perimeter to include security-sensitive code by moving it into the HSM itself, where it has direct access to the keys for which it has been authorised. There is also the opportunity to bring user-specific data into the HSM too, allowing on-line retailers for the first time to store user names, passwords and credit card details securely on a DMZ until they are ready to be processed by back-end servers inside the protection of the corporate firewall. This feature alone opens up a whole new area for the HSM, extending its usefulness outside the realms of hardware protection of cryptographic keys and acceleration of cryptographic functions. Whilst we consider such a device to be essential in any PKI implementation, it will quickly become equally essential in any on-line retailing operation where secure execution of code and storage of customer data is required outside the protection of the retailer's private network.