Fundamentals of Hardware Security Modules
Mark Yakabuski, Product Manager, HSM
René Bastien, Product Manager, Payment Products
Clara Wicke, Product Marketing Manager, HSM
Agenda
• Definition of an HSM
• Product overview & general applications
• Market drivers/trends
• Going to market / why we win
• Product overview (individual)
• Competitive matrix
• Payment products
• Marketing tools and Q2 outlook
What is a Hardware Security Module (HSM)?
• A device that keeps business-critical crypto keys at the highest level of security
• Accelerates crypto operations to eliminate bottlenecks
• Provides a clear audit trail for all key material and crypto operations
• We have a wide range of HSM options
  - Varying performance, storage capacity, form factors and authentication models
  - Wide range of SDKs/toolkits for flexible integration
HSM Technology
Breadth of Hardware Security Offerings
[Figure: product range arranged along a performance axis]
• Luna PCI: fastest
• Luna SA / SP: networked, scalable
• Luna XML: SOA, web services
• Protect Host EFT: payments, EMV/EFT
• Protect Server: customizable, economical
• PCM, CA4: offline key archive
Market Overview
Typical HSM Applications
1. PKI Certificate Authority
1B. Time Stamp
2A. Code Signing
2B. Secure Manufacturing / Device Issuance
2C. Smart Card, Passport & License Issuance
3. Client Systems with Disk Encryption & Two-Factor Auth
4. Authentication & VPN Access Control
5. Certificate Validation
6. Database Encryption
7. Secure Email & Document Rights Management / Signing
8. Gaming Consoles
9. SSL & XML Web Servers
10. Financial Transactions: EFT, Payments, Clearing & PIN Management
[Diagram regions: Financial Networks, Database, Documents, Internet]
HSMs are the tire! Find the cars that need high-security tires!
General Purpose Market Trends
• ECC Brainpool / e-passport projects
• ECC interest, Suite B (NSA standard, http://en.wikipedia.org/wiki/NSA_Suite_B)
• Key management
• PKI: real growth of 3rd-generation PKI apps
• Large HSM deployments, hand in hand with customized solutions: combining COTS solutions and customized development efforts
• Web Services / Service Oriented Architectures
• MS CertServ continuing to gain install base
• PCI Express
• Paper to digital processing
• PCI-DSS standard
• SWIFT / UBS / SIC… the BIG DEALS
Side notes: get into the account early and help architect with our great SEs; leverage the install base.
Ideal Customers: how to find them
• An HSM is nothing without a host application (a car).
• Off the shelf or custom?
Solution Seekers
• Are purchasing / have purchased an application from a 3rd party
• Our HSM has either been recommended or referred as one of a number of supporting HSMs
• Customers will select an HSM based on:
  - 3rd-party recommendation
  - Responsiveness & support
  - Global presence and capability
  - Level of integration
  - Price
Developers
• Are developing their own application for sale, cost or competitive reasons
• Developers are either internal users or OEMs
• Customers will select their HSM partner based on:
  - Apps Engineering team, SE capabilities
  - Technology & toolkits
  - Responsiveness & support
  - Global presence and capability, stability
  - Price
Side notes: Integrations team in India; building integration guides.
Examples
Solution Seekers
• …any size of organization, with small to medium sized deployments
• Always because of a partner integration
• Examples: Entrust & Verisign, Microsoft, card personalization, payment application providers
• From contact to contract: ~3 to 12 months
• Revenue from the deal is mostly complete at that point
• Revenue is then ongoing based on the nature of the end solution
• Action: continue enhanced focus on partners and developing those relationships
Developers
• …large organizations, with large future plans
• SafeNet's most valuable partners
• Select SafeNet because of the quality of products/tools, our global presence and our relationship management
• Examples: SWIFT, NCR, Cisco, Cavium, SIC
• From contact to contract: ~3 months
• Revenue follows 3 to 6 months after contract, but the partnership continues to deliver
• Action: focus on enhancing toolkit & product offerings, material and positioning, and training Sales &
Roadmap
2008 HSM Value Add
Early 2008
• Luna Sx (easy setup/management)
• Luna SA maturity (enterprise grade features)
• Luna XML (easy deployment, first XML HSM in market)
• Brainpool support (PSG, SA) (ePassports initiative)
• DOCK II (I know…finally!)
Mid 2008
• PCI Express support on Luna platform
• Luna XML v2
• Luna Sx v2
Late 2008, early 2009
• Luna "PKI Bundle"
• Luna SA maturity continued
• Remote PED
• PCI Express support on PS platform
Luna SA
SA 4.2 (Nov 2007):
• NTLS redesign (connection limit increased to 800)
• Over 4000 ops/sec
• CNG support
• Enhanced SNMP
• Fuller platform support (including Solaris x86)
Luna SA 4.3 (March 31/08):
• Brainpool support
• HP Itanium OS support
Luna SA 4.4 (Q4/08):
• HA overhaul
• Remote PED
• PKI Bundle
Result:
• A mature enterprise grade appliance
• Robust feature set
• The required certifications
Remote PED Administration (part of Luna SA 4.4 release, Q4/08)
Will offer full PED functionality at a remote admin workstation.
• Centralized control
• No PED required at data centers
• New orange PED key for remote admin
1. Will require a new Remote PED built at manufacturing (not field upgradeable). Can be used as either a remote or a local PED.
2. Will not be compatible with 2U units.
PKI Bundle (part of Luna SA 4.4 release, Q4/08)
Why?
• Customers/partners have asked for it: Verisign, Entrust, Arcot, Microsoft, RSA…
• Allows us to leverage existing technology (Luna SA / Luna tokens)
• Creates a competitive differentiator
What is it?
• Luna SA with up to 20 partitions for signing/key management. The internal SA card reader is used to house PCM tokens.
• Tokens are accessible via the same client API as the Luna SA. Each token is a member of the available slot list exposed by the SA/CA4/KE total.
Benefit:
• Key generation, offline root and online root capable from 1 unit
• Cost savings to the customer (product, IT)
Will not be compatible with 2U units.
SafeNet Luna XML…world's first!
Rapid-to-deploy high-assurance HSM for XML environments
Revolutionizing application and transactional security with the world's easiest to integrate and deploy hardware security module
Why?
• Business applications are moving to Service Oriented / XML based architectures.
• The nature of XML is designed to allow B2B, B2G and B2C inline communication/processing = security need!
Benefits?
• Scalable; reduces IT costs and time to deploy
• Clientless
• OS independent
• Customers don't need to be crypto API gurus (P11/JCA/CAPI)
• FIPS 140-2 Level 3 validated HSM
• Built for Service Oriented Architectures
• Meets compliance needs
Rapid Deployment with Luna XML
Traditional HSM (OS dependency):
  Customer Application → Custom Java layer → JCA/JCE API → Cryptoki layer
  From months… Jan | Feb | Mar | Apr | Jun | …?
SafeNet Luna XML (OS independent!):
  Customer XML Application → Custom built XML service → XML Crypto Service
  …to days! Mon | Tue | Wed | Thu | Fri!
Luna XML Operational Use
[Diagram: platform-independent XML based application → load balancer → multiple Luna XML units; available across multiple sites for DR; crypto object synchronization between units]
• Easy to scale!
Sample XML Call
XMLSign: signs an XML document.
What is XML? (Extensible Markup Language)
• Like HTML in structure
• Data centric, not concerned with display
• Leveraged via WSDL (Web Service Definition Language)…like our PKCS#11 API
• SOAP (Simple Object Access Protocol) is used to encapsulate message objects
• SOAP messages are defined in pairs (request/response)

    <xmlSign Profile="urn:oasis:names:tc:dss:1.0:profile:dss_interop" RequestID="id">
      <OptionalInputs>
        <KeySelector>
          <KeyInfo/>
        </KeySelector>
        <IncludeObject WhichDocument="12345" ObjectID="54321"/>
      </OptionalInputs>
      <InputDocuments>
        <Document ID="12345" RefURI="uri">
          <EscapedXML>escaped XML</EscapedXML>
          <InlineXML>Some XML</InlineXML>
          <Base64XML>base64 encoded xml</Base64XML>
          <Base64Data>base64 data</Base64Data>
        </Document>
      </InputDocuments>
      <AuthToken/>
    </xmlSign>
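As an added example (not from the slide deck and not SafeNet's code), a Python builder and parser for a request shaped like the sample above. The element names and profile URI come from the slide; the namespace-free layout, the rule for choosing InlineXML versus Base64Data, and the validation checks a signing service should run before touching a key are assumptions of this example.

```python
import base64
import xml.etree.ElementTree as ET

# Profile URI and element names are from the slide's sample call. The
# namespace-free layout, the content-element choice and the validation
# rules are assumptions for this example, not the Luna XML product schema.
DSS_INTEROP_PROFILE = "urn:oasis:names:tc:dss:1.0:profile:dss_interop"


def build_xml_sign_request(request_id, doc_id, payload, auth_token=None):
    """Return an xmlSign request (bytes) carrying one input document.
    A payload that parses as XML travels in <InlineXML>; anything else is
    base64-encoded into <Base64Data> so it cannot be misread as markup."""
    root = ET.Element("xmlSign", Profile=DSS_INTEROP_PROFILE, RequestID=request_id)
    opt = ET.SubElement(root, "OptionalInputs")
    ET.SubElement(ET.SubElement(opt, "KeySelector"), "KeyInfo")
    # Ask for the signed object of this document to be returned.
    ET.SubElement(opt, "IncludeObject", WhichDocument=doc_id, ObjectID="obj-" + doc_id)
    doc = ET.SubElement(ET.SubElement(root, "InputDocuments"), "Document", ID=doc_id, RefURI="")
    inline = ET.SubElement(doc, "InlineXML")
    try:
        inline.append(ET.fromstring(payload))
    except ET.ParseError:
        doc.remove(inline)
        ET.SubElement(doc, "Base64Data").text = base64.b64encode(payload).decode("ascii")
    ET.SubElement(root, "AuthToken").text = auth_token
    return ET.tostring(root)


def parse_xml_sign_request(raw):
    """Parse a request into {request_id, profile, documents, errors}.
    documents maps Document ID -> recovered payload bytes; errors lists what a
    signing service should reject: wrong profile, a Document with no content
    element, or an IncludeObject naming a Document ID absent from the request."""
    root = ET.fromstring(raw)
    errors, documents = [], {}
    if root.tag != "xmlSign":
        errors.append("root element is %r, not xmlSign" % root.tag)
    if root.get("Profile") != DSS_INTEROP_PROFILE:
        errors.append("unexpected Profile %r" % root.get("Profile"))
    for doc in root.iterfind("InputDocuments/Document"):
        doc_id = doc.get("ID")
        inline = doc.find("InlineXML")
        b64 = doc.find("Base64Data") if doc.find("Base64Data") is not None else doc.find("Base64XML")
        escaped = doc.find("EscapedXML")
        if inline is not None and len(inline):
            documents[doc_id] = ET.tostring(inline[0])  # first child is the document
        elif b64 is not None:
            documents[doc_id] = base64.b64decode(b64.text or "")
        elif escaped is not None:
            documents[doc_id] = (escaped.text or "").encode("utf-8")
        else:
            errors.append("Document %r has no content element" % doc_id)
    for inc in root.iterfind("OptionalInputs/IncludeObject"):
        if inc.get("WhichDocument") not in documents:
            errors.append("IncludeObject names unknown document %r" % inc.get("WhichDocument"))
    return {"request_id": root.get("RequestID"), "profile": root.get("Profile"),
            "documents": documents, "errors": errors}
```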
Luna XML
• Replacement for Luna SA? No it is not…
• New customers, new opportunities
  - Paper to digital
  - PCI DSS
  - B2B, B2G
• Existing customers, new opportunities
  - New deployments
XML Value Added Questions
1. Are you deploying SOA/XML today, or in the future?
2. What if your services were compromised? (Reduce risk, $ cost of compromise)
3. Are these services client or partner based?
4. Would you like to differentiate from your competitors? (There are 1000's of companies deploying Web Services…a FIPS/CC HSM differentiates)
5. Would you like to decrease your HSM deployment and management costs? (No more platform dependence or upgrades. Help architect; knowing the customer = larger deals)
6. Would you like a quick/easy way to add enterprise grade security to your service offerings? Luna XML!
Luna SX (Start-up Xpress)
Why?
• Difficult setup
• So are the competitors'
• Gives us another competitive advantage
What is Sx?
• GUI management
• Built in partnership with KEYON
• Can manage SA or SP appliances (multiple)
How to get it?
• Demo available
• Production features will require an update to the license on the Sentinel key
• GA? Q2, 2008
Luna SX Screen shot
[Screenshot: partition details; multiple clients; multiple devices (SA/SP); admin tabs; available preset actions]
BrainPool Support
• PSG with PTK 3.32 release, GA May/08
• Luna SA with 4.3 release, GA March 31/08
• Luna PCI with 3.0 release, GA Q3/08
• Support for named and "user defined" Brainpool ECC curves
Driven by ePassport initiatives worldwide. The user-defined feature opens other doors (like the Marlin curve set).
Release Details (Protect Server)
PTKC 3.32 (May/08)
• Brainpool support
• RoHS card reader / PIN pad support
• PTK-M password fix
• PSO/PSG support
• CNG support
• New OS support
• Java 1.5 support
PTK 4.0 (Q1/09)
• PCI Express support
• New PCI board layout
SafeNet HSM Product Range
Overview
[Table per product; the column-to-product mapping did not survive extraction. Rows and the values shown:]
• Attachment: Server, Network, Embedded, Server/Network
• Certifications: CC EAL 4+ (CA3), CC EAL 4+, FIPS 140 Level 2 and Level 3
• SW Support: PKCS 11, Java, CAPI, PPO
• 1024 RSA Signings (max): 27/sec, 600/sec, 1200/sec, 4000+/sec, 7000/sec
• Encryption Algorithms: Symmetric and Asymmetric
• Other features: 20 x partitions, SSL acceleration, EFT command sets
SafeNet Network-Attached HSMs
Luna SA / SP
• High assurance enterprise-grade HSM
• 4,000 ops/s
• FIPS 140-2 Level 3, CC EAL 4+
• Full platform support
• Secure remote administration
• 10/100 Ethernet interface
• Protected application execution environment (Luna SP)
• Extensive algorithm support
Luna XML
• High assurance enterprise-grade HSM for XML environments
• XML interface (WSDL) encapsulates crypto functions, enabling rapid integration development
• No client required
• Certifications: FIPS 140-2 Level 3, CC
• OS independent
• Easy GUI-based administration
• 2,200 ops/sec
• Secure remote administration
• 10/100/1000 Ethernet interface
Luna SX
• Central HSM management console
• Intuitive GUI
• Easy setup & management of multiple HSM appliances
• Reduces cost of administration
ProtectHost EFT
• High assurance HSM for financial payment systems
• PIN generation & verification
• Supports global payment processing, EMV, and card issuance APIs
• FIPS 140-2 Level 3
• Extensive algorithm support
• 1,200 Visa PIN Verify operations/sec
SafeNet Internal HSMs
CA4
• Root key HSM for true hardware key management
• FIPS 140-2 Level 3 certified
• Extensive algorithm support
• Supports two-factor trusted path authentication
• Supports common certificate authorities (Microsoft, Entrust, Verisign, RSA, etc.)
Luna PCM
• Portable, cost-effective PCMCIA HSM card for hardware key management and crypto acceleration
• Versions for document signing, key export for registration of tokens, and signing and backup of key material to a token
• 600 ops/s
• FIPS 140-2 Level 3
• Extensive algorithm support
ProtectServer Gold
• Cost-effective high-assurance PCI HSM card for customizable hardware key management
• Easy GUI-based administration
• Customizable interface
• FIPS 140-2 Level 3
• Extensive algorithm support
• Secure remote administration
Luna PCI
• Fast, high-assurance PCI HSM card for hardware key management and crypto acceleration
• 7,000 ops/s
• FIPS 140-2 Level 3, CC EAL 4+
• Supports two-factor trusted path authentication
• Extensive algorithm support
Competitive Details
SafeNet HSM Industry Leadership
• First general purpose network HSM
• Secures the most financial transactions
• Most PKI deployments
• Most HSM hardware form factors/toolkits
• HSM leader for 15 years
• Leader in HSM compliance (FIPS, CC, PCI-DSS, e-passports…)
• ……New Luna XML
Why SafeNet HSMs?
Do you care about these things?
• Reducing your risk
  - Fraud/breaches
  - Physical disaster
  Who does: the largest online PKI provider in the world. Deploys 1000's of SafeNet HSMs.
• Reducing your costs
  - Moving to digital processing
  - Deployment/integration costs
• Increasing your revenue
  - Enabling new online business processes
  Who does: the largest financial network in the world. Deploys 1000's of SafeNet HSMs.
• Industry regulation/compliance
  - FIPS, CC, Sarbox, PCI-DSS, e-passports, EMV, and industry audits
  Who does: the world's largest internet bank.
Luna vs. PS: which to position?
Luna (HW key management)
• Enterprise class appliance
• SNMP, HA, secure CLI, NTLS, shareability
• CC certification in process
• More form factor and PED auth choices
• More 3rd party integrations
• Existing Luna install base
• Higher performance
• HSM backup option
Position Luna as the high assurance, security focused, enterprise grade appliance offering. Leverage Luna features on security.
PS (HW key management)
• FMs (and the customization they offer)
• PCI form factor, lower entry price
• Embedded
• Competing v nCipher: fuller OS support than Luna PCI
• Embedded EFT FM
• Existing PS install base
Position PS as the flexible, focused offering with customizable firmware and a lower entry price; OEM opportunities. Leverage PS features on entry price.
Competitive Details (Positioning)
SafeNet:
• More secure key management
• More enterprise grade features
• More speed, up to 7000 ops/sec (more than double nCipher)
• First to market XML HSM
• Easiest to set up/manage (Luna Sx)
• More extensive API/toolkit set: FMs, XML, Java, OpenSSL, P11, CAPI; appliances, PCI cards, tokens, PCM
• LESS expensive HSMs
• LESS expensive HSM product options (licenses, toolkits, FM)
• More large customer installations: SWIFT, SIC, DOD, UBS, Verisign, NCR, AOL
• More extensive range of HSM offerings
1. nCipher
• Tape backup
• Key Man App (not very robust)
• Updates: buys Neoscale (bankrupt, then bought)
2. Sun Crypto card
• Cheap, but not a real threat
• Ltd OS/API support
• SSL/IPSec target card; FCC only; difference in SUN box
Price comparison (list prices shown on the slide):
  Item | SafeNet | nCipher | Difference
  Luna SA (FIPS 3) Bundle vs NetHSM | $21,950.00 | $28,880.53 | $6,930.53
  NetHSM connection licence (1) | $0.00 | $6,989.96 | $6,989.96
  Also compared on the slide, with the remaining price points $2,500.00, $4,813.43 and $2,313.43 (their pairing did not survive extraction): Luna SA partition upgrade from 2 to 5 partitions; Protect Server FM vs SEE.
Competitor's Positioning
• nCipher leads with key management positioning
  - We offer true hardware key management
• nCipher positions themselves as the "enterprise provider" and SFNT as the "low-cost" provider
  - We have lower list prices, but a more extensive, secure HSM offering
• nCipher offers discounts on maintenance and initial purchases
• nCipher has a stronger MS relationship
• nCipher "solution sells", which is often more marketing than "meat"
  - Most of what they market as solutions are the same partnership offerings we have. We are moving to a clearer marketing focus on solutions.
Payment HSMs
René Bastien, Product Marketing Manager
HSMs in Payment
• Market drivers differ
• Retail market:
  - EMV
  - PCI-DSS
  - Streamlining of operations (outsourcing, PIN)
  - Move to contactless cards
  - Payment over new channels (m-payment, NFC, transit, loyalty)
• Wholesale:
  - Transaction authentication
  - User authentication
  - Compliance requirements
Payment Products
• Network-attached HSM: ProtectHost EFT
  - Replaces PHW
  - Great competitive features:
    - Form factor (1U instead of 4U)
    - Price competitive
    - Performance (50% faster than Thales)
    - Ease of integration (runs the same software as PHW)
    - Backwards compatible
Payment Products
• ProtectTool EFT
  - Version 5.02 in SQA
  - Expected GA by Q3-2008
  - Sits on ProtectServer Gold
  - Essentially, Mark II in a different form factor
  - Works with PTK C
Payment Products
• ViewPIN+
  - Application that does 2 things quite well:
    - Changes your PIN
    - Enables you to retrieve a forgotten PIN
    - All of this securely
    - All of this either at home through a web browser, or in a bank branch
  - No one does that!
  - Replaces IVR interface
  - Simplifies ATM upgrades
  - Great lead-in to new accounts
Payment Product Roadmap
• ViewPIN+ formal launch in November 2008
• Mark II roadmap for the next 2 years
  - Full EMV support
  - Dual role devices (Mark II plus AMB)
  - Contactless
  - Mobile commerce
  - Multiple languages, printers for PIN mailers
  - Integration with other products, partners
  - Mark II over multiple platforms
SafeNet’s Competitive Edge
• Hardware:
  - Performance
  - Commonality of platform
  - Multiple form factors
  - Continuous R&D
  - FIPS and CC compliance
• Application:
  - General purpose appliances (including XML appliance)
  - Depth, breadth of offering
• Market share:
  - General purpose worldwide: leader
  - Payment: EMEA (2nd), APACS (1st)
• Partnerships and integrations
HSM Marketing Materials and Campaigns
Clara Wicke, Product Marketing Manager, HSM
MySafeNet.com
Sales Tools
• Case Studies
  - Qatar Central Bank
  - Security Biometric
  - PCI DSS
  - E-passport
  - Egg Bank
  - Canadian Government
  - Automotive
  - Pharmaceutical
• Sales & Partner Success Kits (hard and soft copy)
• Solutions Briefs
• Solutions Selling Handouts
• Technical Matrices
• Webinars
  - Application Development
  - PCI: Changes and Audits
  - PCI: Global Compliance
  - PCI: Technical Architecture & Best Practices
  - PCI: Deadlines Past, Merchants Still Not Compliant (Parts 1 & 2)
• Competitive Matrices
• Presentations
  - Sales Presentations and Corporate Product Slides
• Product Briefs
  - Luna XML
  - SOA Web Services Security with Layer 7
  - Luna SA
  - HSM 101
  - Luna SP
  - Luna CA4
  - Luna PCI 7000
  - ProtectServer External
  - ProtectServer Gold
  - ProtectHost EFT
• Whitepapers & Guides
  - CA3-CA4 Migration Guide
  - Compliance
  - Microsoft Guide (almost there)
  - Tumbleweed User Guide
  - E-Passport
  - PKI Best Practices
  - XML Security
  - HSM XML "Cheat Sheet"
Sales Kit: What's Inside!
• HSM Overview
• Key Drivers (Internal and External)
• HSM Value Proposition
• Applications by Vertical
• Problem Owner Profiles
• Vertical Solutions
• Competitive Analysis
• Partner Guides
• Quick Sheets for Applications, Competition, and Objection Handling
• Prospect List
• And more!!!
Online version of the sales kit: http://mysafenet
Upcoming HSM Campaigns Q2/Q3
• HSM Luna XML Campaign
  - Launched product at RSA
  - List being purchased to identify project managers for applications in IT
  - Also use internal house list of software developers
  - May: email to promote XML white paper
  - June: email to promote XML webinar
• Vertical Focused Campaigns
  - Financial: PCI DSS compliance; paper to digital transactions
  - Government: e-passport; first responders
Thank You