Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (https://www.digi-sign.com)


By Digi-Sign
Created Feb 22 2008 - 13:36

HSM Certificate Authority

CSG™ HSM

PDF [1]

The CSG™ uses the high-security, highly scalable, large-capacity, resilient nCipher Security World HSM 500, which is FIPS certified and offers the security and flexibility required by the AACD™ system.

The Secure Execution Engine (SEE) code within the FIPS hardware offers the highest integrity and protection, using the nCipher Trusted Computing Environment to protect application software as it is executed. Keys can only be used by signed SEE code that runs within the physical FIPS boundary. SEE secures the use of keys in a FIPS-approved HSM and removes the risk of attack on the host machine.

The HSM uses the ‘impath’ protocol, a stronger development of existing protocols like SSL, which ensures encryption of the host-HSM link and enables strong mutual authentication between systems.

nCipher has more FIPS certificates than any other HSM vendor and ensures that all versions of the CSG™ HSM receive separate FIPS certification [2], so that each HSM component used is FIPS validated.

  • CSG™ CA
    • The CSG™ has an integral CA [3] for issuing the authentication Certificates to each DSSA™ [4] it authenticates. This is a specifically modified version of the Digi-CA™ Xs system, designed for single-purpose use and further modified to meet some of the unique automation and validation instances within the AACD™ system. (For further details see subsection 6.1.)


  • Performance Data
    • Number of certificates: Unlimited
    • Production speed: Up to 10,000 1024-bit Digi-IDs™/hour
    • Key length: Digi-Access™ [5] 1024-2048 bits; Symmetric Keys 56 to 256 bits
    • Certificate validity: Sub-CA 1 to 10 years
    • Key storage: Subordinate CA stored within the boundary of the CSG™ HSM device. Access to these keys can also be protected with multiple Operator cards.
    • Cryptographic Ciphers: AES, Blowfish, CAST5, DES, 3DES, IDEA, RC2, RC4, RC5 and RSA
    • Signature Algorithms: MD2, MD4, MD5, MDC2, SHA1 (DSSI) and RIPEMD-160
    • Entropy: 2127



Source URL: https://www.digi-sign.com/aacd/csg/hsm%20certificate%20authority%20

Links:
[1] https://www.digi-sign.com/downloads/download.php?id=aacd-digi-ssl-pdf
[2] https://www.digi-sign.com/compliance/introduction
[3] https://www.digi-sign.com/certificate+authority
[4] https://www.digi-sign.com/aacd/daemon+server+side+application
[5] https://www.digi-sign.com/digi-access