PrivyLink Cryptographic Key Server *

Similar documents
PrivyLink Internet Application Security Environment *

IBM Crypto Server Management General Information Manual

Complying with PCI Data Security

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions

Secure web transactions system

Advanced Authentication

Overview. SSL Cryptography Overview CHAPTER 1

Secure Data Exchange Solution

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Hardware Security Modules for Protecting Embedded Systems

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

SafeNet DataSecure vs. Native Oracle Encryption

IoT Security Platform

Neutralus Certification Practices Statement

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Executive Summary and Purpose

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

BANKING SECURITY and COMPLIANCE

How To Encrypt Data On A Network With Cisco Storage Media Encryption (Sme) For Disk And Tape (Smine)

White Paper. Enhancing Website Security with Algorithm Agility

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

Content Teaching Academy at James Madison University

SkyRecon Cryptographic Module (SCM)

E-commerce Revision. Typical e-business Architecture. Routing and Addressing. E-Commerce Web Sites. Infrastructure- Packets, Routing and Addressing

U.S. Federal Information Processing Standard (FIPS) and Secure File Transfer

ELECTRONIC COMMERCE OBJECTIVE QUESTIONS

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

SSL ACCELERATION DEPLOYMENT STRATEGIES FOR ENTERPRISE SECURITY

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Secure Network Communications FIPS Non Proprietary Security Policy

BYOD Guidance: BlackBerry Secure Work Space

Securing Data on Microsoft SQL Server 2012

How To Protect A Web Application From Attack From A Trusted Environment

Case Study for Layer 3 Authentication and Encryption

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

EMC DATA DOMAIN ENCRYPTION A Detailed Review

Evaluate the Usability of Security Audits in Electronic Commerce

Secure SSL, Fast SSL

Certification Report

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

Certification Report

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

MS-55096: Securing Data on Microsoft SQL Server 2012

MXMedia CipherStream. Preliminary Assessment. Copyright 2012 Farncombe 1.0. Author: T F

PRIME IDENTITY MANAGEMENT CORE

Embedded Java & Secure Element for high security in IoT systems

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

SECURITY IN ELECTRONIC COMMERCE - SOLUTION MULTIPLE-CHOICE QUESTIONS

CALIFORNIA SOFTWARE LABS

Lecture VII : Public Key Infrastructure (PKI)

PCI Solution for Retail: Addressing Compliance and Security Best Practices

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

M-Shield mobile security technology

How To Understand And Understand The Security Of A Key Infrastructure

BMC s Security Strategy for ITSM in the SaaS Environment

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Security Requirements for Wireless Networking

Managed Portable Security Devices

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

BroadSAFE Enhanced IP Phone Networks

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard

Certification Report

TELECOMMUNICATION NETWORKS

Overcoming Security Challenges to Virtualize Internet-facing Applications

A Rackspace White Paper Spring 2010

Chapter 23. Database Security. Security Issues. Database Security

DRAFT Standard Statement Encryption

Application Note Gemalto.NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services on Windows 2008

Citrix MetaFrame XP Security Standards and Deployment Scenarios

SecureD Technical Overview

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Thoughts on PCI DSS 3.0. September, 2014

Projectplace: A Secure Project Collaboration Solution

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

Using BroadSAFE TM Technology 07/18/05

SecureDoc Disk Encryption Cryptographic Engine

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

Managing BitLocker Encryption

Enhancing Organizational Security Through the Use of Virtual Smart Cards

SSL VPN vs. IPSec VPN

Thales e-security keyauthority Security-Hardened Appliance with IBM Tivoli Key Lifecycle Manager Support for IBM Storage Devices

Table of Contents. Introduction. Audience. At Course Completion

Security Considerations for DirectAccess Deployments. Whitepaper

Payment Transactions Security & Enforcement

128-Bit Versus 256-Bit AES Encryption

ipad in Business Security

Transcription:

WHITE PAPER PrivyLink Cryptographic Key * Tamper Resistant Protection of Key Information Assets for Preserving and Delivering End-to-End Trust and Values in e-businesses September 2003 E-commerce technology is today leading a paradigm shift, enabling companies to capture additional revenue, improve customer service, lower sales and customer acquisition costs, improve time to market, enhance distribution, and streamline communications among employees, customers and business partners. Data security on a public network, such as the Internet and the Wireless Internet needs to be more stringent and sophisticated than those that has been used for the private network. However, the strength of all cryptographic algorithms is based on the secrecy of the keys. Anyone holding the keys will have complete access and knowledge to the secret protected. Traditionally, cryptographic server-side secrets are stored within the web server or application server, either in clear or scrambled. As it is well known that the web server is the most often attacked component in the entire network. It is also known that a big percentage of the frauds are done from within, i.e. by the employees or associates of the organisation. This makes software-based solutions vulnerable, increasing the risks of businesses in such any undertaking relating to the electronic world. With hardware-based approach, all cryptographic processing takes place within the safety of a physically secure environment. This hardware encasement safeguards all cryptographic algorithms and keys against unauthorised access, disclosure, alteration, duplication, and substitution. A hardware-based cryptographic solution assures the high confidence and security that Internet commerce requires. Software-based security products * The information contained in this document represents the current view of PrivyLink International Ltd, and is correct as of the date of publication. This document is for information purposes only. PrivyLink International Ltd makes no warranties, express or implied, in this document. Information in this document is subject to change without notice, and does not represent a commitment on the part of PrivyLink International Ltd. PrivyLink International Ltd cannot guarantee the accuracy of any information presented after the date of publication. 1 of 10

Overview decrypt sensitive data in unsecured memory, displaying both keys and algorithms in readable form, which makes the data vulnerable to cyberpirate attacks. PrivyLink's Cryptographic Key adds hardware-based security functionality to Internet, Intranet, Extranet, and enterprise infrastructure applications. PrivyLink technology embedded in hardware safeguards sensitive private key information with strong physical and logical security, and offloads computationally intensive public key operations from the server. These products work with your application to eliminate the significant bottlenecks and risks associated with software security processing. This white paper provides an overview on the Cryptographic Key, describing the architectural design, the features available and the scalability of the Key. Cryptographic Key Architecture The design of the Key (KS) adopts the approach of multi-segment architecture for handling key service operations and administration. All service operation calls are initiated from one segment and all administration calls are initiated from another segment. This creates a natural separation of in-band (production) and out-of-band (administrative) traffics. With such a separation, administrators can continue to perform administration of the key server even though the production segment might be congested with production traffics. Client Trusted Network Internet Security Network Key Key Figure 1: Overview of the Key architecture With the multi-segment key server architecture, the KS is connected to the server host via a trusted network segment so that security management can be greatly simplified. In contrast to the traditional approach of serial connection between the server and the KS, the use of a trusted network segment simplifies maintenance and enhances scalability and performance of the key management system. While the role of the KS is to provide a secure environment for cryptographic operations needed by server hosts, the administration of keying information is controlled by the Key Administrator (KSA) module. KSA is connected to KS securely via another trusted segment 2 of 10

dedicated for security administration. With the multi-segment approach for key server administration, more than one key servers can be managed by KSA; hence allowing transparent installation of back-up or concurrent key servers to serve a cluster of hosts. Cryptographic Key Applications This section briefly illustrates the deployment of the Cryptographic Key in some typical application environment. Banking and e-banking In the banking environment, the Cryptographic Key can be used to generate the Personal Identification Number (PIN) necessary for customer identification for ATM. It supports PIN Authentication and PIN Change meant for Electronic Banking and other banking applications too. Credit Card and Smart Card Production The Cryptographic Key is suitable for use for card production. It provides the secure means of generating cryptographic card values, as well as securely generating PINs and PIN mailers. The cryptographic values required for Smart Cards can also be generated by the Key for loading into the cards. 3 of 10

Certification Authority Client Browser CKS Internet Web Payment Gateway BANK Merchant CKS CKS CKS Figure 2: The Cryptographic Key in a typical electronic commerce environment Figure 2 illustrates the roles of the Cryptographic Key in a typical electronic commerce environment. Public Key Management for Electronic Commerce The Cryptographic Key brings the most advanced security and the fastest processing speed to Certificate Authority (CA) applications for trusted third parties and CA solution providers. The Cryptographic Key reduces server bottlenecks by functioning as a cryptographic coprocessor for key generation, certificate generation, certificate and signature verification, signing, and hashing. It physically and logically isolates cryptographic operations from the server system applications, ensuring the integrity of data, keys, and algorithms. Secure Electronic Transaction (SET) The Cryptographic Key is the superior solution for Internet credit card transactions, offering the fastest processing available, strong security and a direct bridge to the bank payment network. It easily isolates private customer information intended solely for the bank from information intended solely for the merchant, to meet the demanding requirements of the Secure Electronic Transaction (SET) protocol. Features and Benefits The Cryptographic Key is a tamper-resistant cryptographic device designed and developed to meet key requirements for providing host-side cryptography and managing server-side secret keys used for online transaction. While the standard functions available in the Key satisfy the needs of most clients, the Cryptographic Key can also be 4 of 10

customized to meet unique requirements. The following highlights some of the Key features: FIPS PUB 140-1 Compliant The Cryptographic Key is built according to the FIPS PUB 140-1 standards. The tamper resistant features ensure that all secrets stored within this hardware security box are safe and secure. The Cryptographic Key can provide higher level of security much needed by organization for their mission-critical operations. Built-in RSA Public Key Support The Cryptographic Key built-in RSA Public Key Support enables any host system to perform Public Key Cryptography and the Key- Select option enable you to select RSA key lengths from 512bits up to 2048bits. This feature allows the Cryptographic Key to cater to different key lengths and different functions. In addition, it protects your technology investment as the industry increases key length requirements to keep up with increased threats. Flexible Key Management The Cryptographic Key supports Flexible Key Management to meet diverse application s security requirements. In practice, the security offered by any application is only as good as the key management designed for it. The Cryptographic Key offers a variety of strong key management schemes such as Master/Session Key Management, Derived Key Management and Public Key Management. 5 of 10

The Cryptographic Key supports the generation and management of PIN used in most ATMs and Credit Card too. Secure Key Storage The Cryptographic Key maintains a table of cryptographic keys in its main memory and all keys stored within are encrypted by a master key. The master key in return, is stored in a PIN-protected smart card under the custodian of the security administrator. Any sign of illegal access will render the key table useless and the keys non-retrievable. Key Escrow The Cryptographic Key supports Key Escrow. This feature enables organization to perform key recovery, in the event of disaster, if required. Key The Cryptographic Key provides several administrative capabilities that allow different level of security to be installed for administrating of the Key. It also provides capabilities for tailoring the administrative interface to the unique needs of each environment and for accommodating future upgrades to the Key. Key Module The Cryptographic Key administration is done via the Key (KSA) Module over a trusted and dedicated security administration channel. Communication between the Key and the KSA are based on proprietary protocols and requires some form of physical authentication to be carried out before and during the administration session. Any attempts to probe the Key without the proper authority will activate the security mechanism in-placed and render the information stored useless. The build-in enhanced authentication mechanism ensures that only authenticated administrator can perform the respective administration functions. The available functions can be categorize under the followings areas:! Administrative Services.! Operation Services.! Account Management.! Shutdown Services. The following diagram shows the KSA Interface for Administering the Key Operation Policy under the Administrative Services. 6 of 10

TrustField Cryptographic Key Figure 3: A look at the User Interface for the Key Module Role-based The default administration mode is Role-based. In the Role-based authenticated mode, any administration commands before execution requires the super user and the administrator keys to be in the correct position for the commands to be properly administered. With the right key inserted in the right position, the Key will recognize that the key holder is the authorized administrator and thus allowing the administrative commands to be carried out. ID-based The Cryptographic Key also supports ID-based administration. In the ID-based authenticated mode, any administration commands before execution will requires the operators to enter their user identity and PIN for each administrative requests beside having the required keys in-placed. This two-factor based authentication mechanism enforces higher level of protection to satisfy organization s needs for higher security. The ID-based authentication policy is compliant to FIPS PUB 140-1 level 4 standards. Privileged Commands The administration instructions are grouped into non-privileged and privileged commands. Non-Privilege commands are available to both the operators and super user and whereas the Privilege commands are available only to the super user. This hierarchy of privilege enables different levels of administration to be granted over a distributed system 7 of 10

and ensures that only the designated person can have access to the Key. This also enhanced the manageability of the Key. Scalability The multi-segment architecture enhances the scalability of the Cryptographic Key by allowing flexible configuration of key servers to server hosts. One such configuration can be one server host connected to multiple key servers as shown in Figure 4. Another configuration can be multiple server hosts connected to a trusted network segment to share one key server as shown in Figure 5. Trusted Network Key 1 Security Client Key 2 Key Administrati : : Internet Key n Figure 4: One connected to multiple Key s Alternatively, there can be multiple hosts connected to multiple key servers as shown Figure 6. Trusted Network Security Client Key Key Internet 8 of 10

Figure 5: Multiple s connected to one Key Client Trusted Network Key 1 Key 2 Security Key : : Internet Key n Figure 6: Multiple s connected to multiple Key s Scalability Scalability refers to how easily the Cryptographic Key can be administered. From the above figures, only one unit of the Key module is required for all possible deployment of the Cryptographic Key Multiple-s-to-Multiple-Key s, Single--to-Multiple-Key s and Multiple-s-to- Single-Key s. Highlight on New Releases The followings highlight some of the features that will be made available in the new release of the Cryptographic Key. Summary Hardware Crypto Card The latest version of the Cryptographic Key featured a dedicated hardware crypto card that enhances the performance of all cryptographic operations, including all Public Key Cryptography supported such as digital signature, signature verification and others, e.g. RSA Key generation. In order for organizations to compete effectively in today s business environment it is essential that they increase their use of networks, such as Internet, Intranet and Extranet. However, the increasing use of networks brings with it-increased vulnerability to network break-ins. Traditional software based security solutions protects the systems to a large degree, but hackers still manage to penetrate. Once compromised whether internal or external the break-ins can be costly. The Cryptographic Key is a Secure Key Management that can greatly improve the security and manageability of the cryptographic functions for host-side components. With the use of the Cryptographic Key, organizations can continue to expand their use of networks 9 of 10

and better manage their risk, reducing the cost and development effort necessary to secure their electronic exposure and their investment in technology, thus maintaining their competitive edge. About PrivyLink Founded in 1997, PrivyLink is a response to strong industrial demands for high assurance delivery channel for electronic transactions, especially in the government and financial sectors. PrivyLink offers a comprehensive suite of software and hardware solutions to address end-to-end e-security of today and tomorrow s businesses in the e-commerce, e-business, and e- Marketplace arenas. Copyright 2003. PrivyLink International Ltd. All Rights Reserved. 10 of 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information