Hardware Security Module, Information Security Systems, HSM

Database Security for SQL Server

admin — Sat, 27 Nov 2010 00:58:36 +0000

Databases are a significant repository of sensitive information in most organizations. Corporate databases contain customers’ credit card data, confidential competitive information, and intellectual property. Lost or stolen data puts organizations at significant risk of reputation and brand damage as well as serious fines. By protecting critical data from both internal and external threats, organizations mitigate the risk of data breaches and comply with regulatory and legislative mandates, including the Payment Card Industry Data Security Standard (PCI DSS).

Microsoft SQL Server 2008 ships with two built-in encryption features to protect your data: transparent data encryption (TDE) and cell-level encryption. These functions enable you to either protect the entire database or to secure only sensitive database fields and can be activated without disrupting your current applications, database structures, and processes.

Which companies can they need to HSM?

admin — Mon, 22 Nov 2010 21:30:04 +0000

New “banks” – retailers, mobile telecom operators, overhauling/moving/consolidating their data centre, changing their payments or issuing software, introducing new applications (debit, EMV), going for in-house card issuing and need to more capacity, introduce new applications.

Source : Thales
For more information please visit their website.

Why use a payment HSM?

admin — Mon, 22 Nov 2010 21:24:00 +0000

To offload crypto work from the host computer?

No, easy enough to do on the host.

To make application development easier & faster?

No, could use a software library on the host.

Because someone’s wielding a big stick?

Yes, Card schemes (Visa, Mastercard, Amex, etc.) mandate that crypto must be done in a separate hardware module, because This provides better security, Right technology/processes and Protection against external attack than protection against insider attack.

Security Module Functions

admin — Tue, 16 Nov 2010 21:49:40 +0000

• Generating digital certificates, including public/private key pairs
• Encrypting and decrypting messages with those keys
• Generating hash values and signing messages with digital signatures
• Validating digital signatures
• Interoperating with third-party applications
• Protecting certificates and keys from both physical and network-based attacks
• Issuing and accepting requests for key materials
• Providing a two-level secure user interface (i.e. smart card reader and key pad)

Advantages of Hardware Security Modules

admin — Tue, 16 Nov 2010 21:46:53 +0000

HSMs are physically isolated. They are not part of another computer’s file system, they do not have a file system themselves, and they do not run an operating system. They are therefore virtually impossible to attack over a network. Most HSMs also offer tamper protection so that if someone attempts to open the module, the information inside will be erased. In addition, HSMs offer safeguards against software tampering. Another major advantage of HSMs is that, because their software and hardware is specifically dedicated to providing security functions, it can be specifically optimised for that purpose. HSMs perform security functions faster and with superior results than their software counterparts. For example, one of the processes at the heart of certificate generation and validation is the generation of random numbers. HSMs have dedicated hardware specifically designed to generate random numbers and they can therefore generate numbers that have greater randomness than would be the case if the hardware were not specifically designed for that purpose.

Source: AEP systems

ATM interchange

admin — Tue, 16 Nov 2010 21:27:24 +0000

HSM is designed for the ATM interchange environment and can be customized to suit individual networks and, if needed, the particular requirements of each member of the network. The wide variety of host interface options and PIN management commands available in the payShield 9000 family means that the specific needs of each member’s system can be readily accommodated. In particular, specific functions designed around AMEX, Visa and MasterCard processing requirements are an integral part of the core software packages.

Source : Thales
For more information please visit their website.

Introducing payShield9000

admin — Sat, 13 Nov 2010 20:32:46 +0000

Designed specifically to secure card payment systems
First payment HSM with high resilience features
Market leading performance of 1500 tps using key blocks
Banking grade security designed to meet the latest FIPS and PCI HSM security standards
Scalable remote management lowering operating costs
Modular software with field-upgradeable functionality
Backwards compatible with Thales RG7000 and HSM 8000
Range of support services including software customization

Source : Thales
For more information please visit their website.

Thales HSM’s advantages

admin — Sat, 13 Nov 2010 20:19:53 +0000

• Involved in securing over 70% of the world’s payment card transactions
• Deployed by leading card schemes and payment processors for a variety of key
management, payment switching and authorisation purposes
• Capable of being fully managed remotely from the data centre
• Proven in delivering strong security for ATM, POS, corporate banking, card issuing, funds
transfer and share trading systems
• Easy to customise for individual user applications
• Designed to support a wide range of host interface connectivity options
• Available in various performance variants to match user transaction processing
requirements
• Upgradeable in terms of functionality through secure auditable software license downloads
• Integrated with all major payment applications provided by leading vendors
• Independently certified to the most rigorous global and national security standards

Source : Thales
For more information please visit their website.

HSM Introduction

admin — Sat, 13 Nov 2010 20:12:05 +0000

As an organisation in the payment card industry, you face the challenges of supporting increases in transaction volumes, replacing magnetic stripe cards with contact and/or contactless smart cards, securing remote delivery channels such as mobile or internet while still needing to differentiate your services for competitive advantage. The constant need to defeat new security threats is a major consideration in your IT investment year-on-year. In addition to the increasing burden of regulation, your solutions must incorporate cryptographic security that meets the latest payment card industry (PCI) mandates and is able to grow and adapt to support your emerging needs.

The payShield 9000, the latest hardware security module (HSM) from Thales, meets these challenges. Its software options address the needs of card issuers, merchant acquirers, switches, third party payment processors, card schemes and ATM network providers. The core security component of the payShield 9000, which delivers the critical security functionality, is designed to exceed the requirements of FIPS 140-2 Level 3 – the most widely adopted certification standard for cryptographic modules which is mandated by the card schemes. The payShield 9000 is fully backward compatible with the HSM 8000 and RG7000 ranges which it succeeds.

Source : Thales
For more information please visit their website.

HSM Technical specifications

admin — Sat, 13 Nov 2010 15:24:53 +0000

Key management
> Multiple Master Keys for secure storage and distribution of keys. Separation of different key types, applications or clients, and of development and production use
> ANSI TR-31 Key Block support
> RSA Public Key
> DUKPT (DES and Triple-DES)
> Master/Session Key
> Racal Transaction Key
> Australian Transaction Key (DES and Triple-DES)
Cryptographic support
> DES and Triple-DES (two and three key)
> RSA
Performance
> Range of performance models up to 800
Triple-DES pin block translates/sec.
> Multi-threading to exploit full capacity
> Clustering capability
Host connectivity
> Asynchronous (v.24, RS-232)
> TCP/IP & UDP (10/100 Base-T)
> SNA (v.24, RS-232)
> ESCON
Certifications
> Secure Generic Sub-System (SGSS) certified at FIPS 140-2 Level 3
> RoHS
> MEPS
Financial industry standards
> VISA/MasterCard/American Express PIN and Card Verification functions
> EMV 3.1.1, 4.0, and 4.1 transactions and messaging (inc. PIN Change)
> Remote Key Loading to NCR, Diebold and Wincor Nixdorf ATMs
> Europay Security Platform
> VISA Cash, CLIP, and VCEPS electronic purse
> Integration with all major payment authorisation and transaction switching applications
Management facilities
> Console interface for “dumb” terminals
> Graphical User Interface option for standard PC hardware over Ethernet
> Host applications able to manage clusters of HSM 8000s
Security
> Two-Factor Authentication of operators using Smart Cards
> Dual physical locks control setting of modes
> Tamper-resistance certified to FIPS 140-2
Level 3
> Detection of removal of covers
> Disabling of functionality not required

Source : Thales
For more information please visit their website.