nShield Connect
Flexible, scalable &
fault-tolerant
network-attached HSM

FIPS 140-2   Common Criteria

nShield Connect from Thales e-Security is a high-performance network-attached hardware security module (HSM) that delivers secure cryptographic services as a shared resource for distributed application instances and virtual machines. With nShield Connect, organizations have a cost-effective way to establish appropriate levels of physical and logical controls for server-based systems where software-based cryptography is inadequate. Fully supporting the Thales Security World architecture, nShield Connect provides an ideal combination of high assurance and operational ease. This makes it easier for you to define and enforce security policies such as dual controls while also automating burdensome and risk-prone administrative tasks.

nShield Connect is fully compatible with the rest of the nShield HSM family, enabling mixed deployments and easy migration as performance requirements increase. The product is available in multiple models with varying performance characteristics, including a model specifically optimized for elliptic curve cryptography (ECC), to match your capacity requirements. Redundant hardware provides fault tolerance, making nShield Connect suitable for high-availability data centers. This independently certified security platform performs key management and cryptographic operations such as encryption and digital signing on behalf of a wide range of commercial and custom-built business applications and critical security systems including public key infrastructures (PKIs), identity management systems, databases, web fabric, domain name system security extension (DNSSEC) deployments and code signing. Its security boundary is validated to FIPS 140-2 Level 3 and Common Criteria EAL4+.

Benefits of nShield Connect

  • HSMs overcome the inherent vulnerabilities of software-based cryptography.
  • Powerful key management architecture minimizes operational costs including compliance reporting.
  • Shared, centralized platform maximizes utilization and scalability.
  • Resilient design for deployment in high availability environments.
  • Networked architecture supports traditional, virtualized and cloud deployments.


nShield Connect Features

Security Features

The primary purpose of a hardware security module (HSM) is to provide enhanced security for cryptographic operations that would otherwise be performed by software applications, operating systems or unprotected server hardware—the majority of which are vulnerable to eavesdropping, misconfiguration or modification. This additional protection arises from the use of a number of proven technologies that combine in a multi-layered approach. Some of those technologies include:

Physical security measures

  • A dedicated appliance that isolates cryptographic processes and keys from applications and host operating systems—accessible only through tightly controlled cryptographic APIs.
  • Optional capability, through the use of the CodeSafe feature, to migrate security critical portions of application code from the host server and to execute securely within a tamper-resistant application ‘sandbox’ that is protected by the HSM’s physical security.
  • Custom built chassis to guard against physical attack including the use of epoxy potting to shield internal circuitry and security labels to expose attempts to tamper with the device.
  • Monitoring of environmental conditions including the integrity of the chassis, power supplies and temperature to detect potential attack.
  • Ability to strongly authenticate client machines that access the shared resources of the nShield Connect HSM (see nToken accessory).

Logical security measures

  • All administrators and users that directly access the HSM are strongly and individually authenticated using smart cards that are issued and managed by the HSM itself—avoiding the need to rely on weak and often shared passwords managed within other systems or exposed to other applications.
  • Clear separation of duties between HSM administrators and the key custodians who approve the use of HSM-protected keys, in contrast to software-based systems where application ‘super-users’ or root-level administrators might enjoy widespread entitlements.
  • Dual controls where multiple administrators or operators might be required to operate as a quorum to perform particularly sensitive tasks such as key recovery. This approach to mutual supervision is common as a way to minimize the threat of malicious insiders and is highly configurable and strongly enforced within the HSM.
  • Strong integrity validation and policy enforcement for CodeSafe protected applications (option).
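
The dual-control point above is a k-of-n quorum: a sensitive operation such as key recovery needs k custodians out of n to present their credentials, and fewer than k learn nothing. The following is an added illustration written for this page, not Thales code and not the Security World card-set implementation (whose format and protocol the page does not document): Shamir secret sharing over a prime field, splitting a secret so that any 3 of 5 shares recover it while any 2 yield only a random value. The 127-bit field, the 16-byte constructed sample secret and the function names Split/Combine are assumptions of the demo.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// Field modulus: the Mersenne prime 2^127 - 1 (assumption for this demo).
// A 16-byte secret whose top bit is clear fits; a larger secret needs a larger prime.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))

// Share is what one custodian holds: the evaluation point x and f(x).
type Share struct {
	X *big.Int
	Y *big.Int
}

// Split produces n shares of secret such that any k of them reconstruct it.
// A random polynomial f of degree k-1 with f(0) = secret is sampled from rng
// and evaluated at x = 1..n.
func Split(secret []byte, k, n int, rng io.Reader) ([]Share, error) {
	if k < 2 || n < k {
		return nil, errors.New("need 2 <= k <= n")
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, errors.New("secret does not fit in the field")
	}
	coeffs := []*big.Int{s} // a0 = secret, a1..a(k-1) random
	for i := 1; i < k; i++ {
		c, err := rand.Int(rng, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := 1; i <= n; i++ {
		x := big.NewInt(int64(i))
		y := new(big.Int) // Horner evaluation of f(x) mod prime
		for j := len(coeffs) - 1; j >= 0; j-- {
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i-1] = Share{X: x, Y: y}
	}
	return shares, nil
}

// Combine recovers f(0) by Lagrange interpolation through the presented shares.
// With fewer than k distinct shares the value at 0 is a uniformly random field
// element, so a short quorum yields garbage rather than a partial secret.
func Combine(shares []Share, secretLen int) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares presented")
	}
	sum := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			if si.X.Cmp(sj.X) == 0 {
				return nil, errors.New("duplicate share presented")
			}
			num.Mul(num, new(big.Int).Neg(sj.X)).Mod(num, prime)      // prod(-xj)
			den.Mul(den, new(big.Int).Sub(si.X, sj.X)).Mod(den, prime) // prod(xi-xj)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime)).Mod(term, prime)
		sum.Add(sum, term).Mod(sum, prime)
	}
	out := sum.Bytes()
	if len(out) < secretLen { // restore leading zero bytes of the original secret
		out = append(make([]byte, secretLen-len(out)), out...)
	}
	return out, nil
}

func main() {
	secret := []byte("demo-app-key-16B") // constructed 16-byte sample secret
	shares, err := Split(secret, 3, 5, rand.Reader)
	if err != nil {
		panic(err)
	}
	got, _ := Combine([]Share{shares[0], shares[2], shares[4]}, len(secret))
	fmt.Printf("3 of 5 cards: %q\n", got)
	bad, _ := Combine(shares[:2], len(secret))
	fmt.Printf("2 of 5 cards: %x (garbage)\n", bad)
}
```

Combine deliberately returns a value, not an error, when too few shares are presented: the scheme itself gives no signal, which is why a real quorum mechanism (as the HSM does) authenticates each custodian and enforces the threshold in policy rather than relying on the mathematics alone.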

Operational Features

In the past, high-security features tended to be cumbersome, adding effort and affecting performance. As a result, administrators were forced to make unfortunate tradeoffs between security on the one hand and performance and efficiency on the other. The nShield family of HSMs and its Security World key management architecture deliver both security and convenience by automating a number of important key management tasks and removing restrictions that would otherwise limit capacity or performance. These include:

  • The ability to use existing data backup, replication and file-sharing practices to safely and automatically share, distribute and back up application keys, dramatically simplifying HSM deployment and management by minimizing the need to establish costly HSM-specific practices.
  • Standard application interfaces to support the widest range of applications and systems and an extensive pre-testing program with leading application vendors to minimize deployment risk.
  • Cryptographic acceleration and off-load to remove resource intensive operations from client machines, boosting overall performance and maximizing capacity.
  • Unlimited capacity for protected key storage, increasing overall scalability.
  • Backup techniques that avoid the need to archive keys in dedicated hardware or costly backup HSMs.
  • Fault-tolerant chassis design includes dual hot-swap power supplies and redundant field-serviceable fans.
  • The ability to combine multiple HSMs to create a highly resilient network for load balancing and failover.
  • Remote control to enable key custodians and administrators to perform duties in a secure fashion, reducing cost and inconvenience.
  • Remote provisioning of CodeSafe-protected applications (option).
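
The key-sharing, unlimited-capacity and backup points above all rest on one principle: an application key leaves the HSM only as a blob encrypted under a key that never leaves the HSM, so the blob can be copied with ordinary file tools and is useless without the module. The following is an added example, not Thales code and not the Security World blob format (which the page does not document): RFC 3394 AES Key Wrap in Go, checked against the RFC's published test vector, showing that a blob unwraps only with the right key-encryption key (KEK) and that any modification is detected rather than silently decrypted. The sample KEK and application key are the RFC's test values and stand in for the module key held inside the HSM and an application key stored on the host.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Default IV from RFC 3394 section 2.2.3.1. On unwrap it doubles as the
// integrity check, so a wrong KEK or a modified blob is detected, not decrypted.
var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap implements RFC 3394 AES Key Wrap: kek (16, 24 or 32 bytes) wraps key
// material that is a multiple of 8 bytes and at least 16 bytes long.
func Wrap(kek, key []byte) ([]byte, error) {
	if len(key)%8 != 0 || len(key) < 16 {
		return nil, errors.New("key material must be a multiple of 8 bytes, at least 16")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(key) / 8
	a := append([]byte(nil), defaultIV...)
	r := append([]byte(nil), key...) // r[i*8:(i+1)*8] is register R[i+1] of the RFC
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[i*8:(i+1)*8])
			block.Encrypt(buf, buf) // B = AES(K, A | R[i])
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^t) // A = MSB64(B) ^ t
			copy(r[i*8:(i+1)*8], buf[8:])                                      // R[i] = LSB64(B)
		}
	}
	return append(a, r...), nil
}

// Unwrap reverses Wrap and fails unless the recovered A equals the default IV.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped)%8 != 0 || len(wrapped) < 24 {
		return nil, errors.New("wrapped blob must be a multiple of 8 bytes, at least 24")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^t) // (A ^ t)
			copy(buf[8:], r[i*8:(i+1)*8])
			block.Decrypt(buf, buf) // B = AES^-1(K, (A ^ t) | R[i])
			copy(a, buf[:8])
			copy(r[i*8:(i+1)*8], buf[8:])
		}
	}
	if !bytes.Equal(a, defaultIV) {
		return nil, errors.New("integrity check failed: wrong KEK or modified blob")
	}
	return r, nil
}

func main() {
	// Constructed sample (RFC 3394 test values): the KEK stands in for the
	// module key inside the HSM; the application key lives on disk only wrapped.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	appKey, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	blob, err := Wrap(kek, appKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob safe to back up with ordinary tools: %X\n", blob)
	back, err := Unwrap(kek, blob)
	fmt.Printf("unwrapped on a module holding the KEK: %X err=%v\n", back, err)
}
```

The design point is the integrity check: a backup copy restored to a module that does not hold the KEK (or a blob altered in transit) is rejected outright, which is what makes storing key blobs on ordinary, untrusted file systems acceptable.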

nShield Connect Options & Accessories

Developer Software & Options

Performance Rating

The nShield Connect is available in multiple performance variants: the 500, 1500 and 6000, whose names indicate their approximate signing capacity measured in transactions per second for 1024-bit RSA signatures. Additionally, the 6000+ model is optimized for high-performance elliptic curve cryptography (ECC). Please consult the nShield Connect data sheet for additional performance data.

Client Licenses

Each nShield Connect is shipped with 3 bundled client licenses. Additional Client Licenses are available for organizations that wish to connect their nShield Connect HSM to more than 3 clients. Please consult the nShield Connect data sheet for the maximum number of clients supported by your HSM. Additionally, see nToken under Accessories for an additional option available to organizations that wish to enhance security for their HSM clients.

CodeSafe

CodeSafe enables application developers to write programs that are securely loaded into the protected environment of an nShield HSM, shielding them from threats such as insider attacks, malware and Trojans that they would otherwise face on typical server platforms. CodeSafe provides an application “sandbox” where code can be validated for integrity and authorized to execute in a tamper-resistant manner, ideal for applications residing in untrusted locations. The secure execution capability provides additional security features to enable fine-grained access control and authorization for the use of security-critical resources that are protected on the device, such as private keys, non-volatile user memory and hardware-secured time. Examples include digital meters, authentication agents, time-stamp engines, audit loggers, digital signature agents and custom encryption processes. CodeSafe is available for all nShield FIPS 140-2 Level 3 certified HSMs excluding the nShield Edge.


CodeSafe Activation

Organizations wishing to leverage the power of CodeSafe will need one CodeSafe Activation license for each HSM executing CodeSafe programs.

CodeSafe SSL Activation

An optional CodeSafe feature is SSL Activation, which enables SSL sessions to be terminated inside the HSM. Unlike typical host-based SSL termination, which exposes sensitive clear-text data on the host, CodeSafe SSL enables sensitive data such as primary account numbers (PANs) and passwords to be protected with full end-to-end encryption.

CodeSafe Developer Toolkit

Developers writing CodeSafe programs will need the CodeSafe Developer Toolkit, which includes detailed tutorials, reference documentation and sample CodeSafe programs.


CipherTools Developer Toolkit 

With the CipherTools Developer Toolkit, developers can take full advantage of the advanced capabilities offered by the nShield HSM family when integrating HSMs with custom applications. It includes detailed tutorials and reference documentation, sample programs written in a range of high level languages, and additional versions of libraries to expand capabilities for integration with business applications beyond those that can be achieved by the standard application program interfaces (APIs). 

Elliptic Curve Cryptography (ECC) Activation

nShield HSMs offer a large number of cryptographic algorithms as part of the standard feature set, including AES, DSA and RSA. For organizations wishing to use elliptic curve cryptography (ECC), an ECC Activation license is available. The optional activation license enables ECC operation on all nShield Solo and Connect models. For organizations that require significantly accelerated ECC, two additional nShield models are also available: the nShield Solo PCIe 6000+ and nShield Connect 6000+ deliver hardware-optimized ECC performance and come bundled with the ECC Activation license.

Database Security Option Pack

Databases often contain an organization's most sensitive data. As a result, major database vendors have implemented native encryption in their database server products. The nShield Database Security Option Pack adds support for Microsoft's Extensible Key Management (EKM) API. It enables organizations to better protect the keys that protect sensitive data in Microsoft SQL Server 2008 deployments using Transparent Data Encryption (TDE), to manage keys across multiple databases and systems, and to separate key management from database administration.

Users of Oracle 11g TDE can take advantage of these features without requiring this option pack.

payShield Cardholder Authentication for nShield

To protect against credit card and online banking fraud, many financial institutions have implemented additional security measures for card-not-present transactions. payShield Cardholder Authentication for nShield complements other Thales payments products by enabling organizations to authenticate the cardholder through various means, such as Chip Authentication Program (CAP) authentication for online banking transactions and 3-D Secure, also known as Verified by Visa and MasterCard SecureCode. This option integrates with cardholder authentication solutions including ActivIdentity, Arcot, Bell ID and Gemalto.

Key Loading Device

Some organizations rely on importing key components to securely exchange sensitive data between partners or systems from different vendors. The nShield Key Loading Device enables organizations to load symmetric encryption key fragments into nShield HSMs through the use of a dedicated secure PIN pad. The Key Loading Device requires the use of payShield Cardholder Authentication for nShield.

Remote Operator

HSMs typically run in physically secure, lights-out data centers, often at several, redundant sites. Many organizations therefore find it impractical to gain physical access to the HSM for day-to-day operations. Remote Operator saves time and reduces travel costs by enabling users to present credentials to a remote HSM in a secure manner directly from their workstation.

KCDSA Activation

Highly sensitive areas of government and enterprises with a strong interest in national security sometimes prefer to use proprietary, national cryptographic algorithms to protect their most sensitive information. Given these security concerns, it is advantageous to run such algorithms on a secure HSM platform. The KCDSA Activation enables South Korean agencies to use the Korean Certificate-based Digital Signature Algorithm (KCDSA) on an nShield HSM. Thales recommends CodeSafe technology to organizations that wish to implement their own national algorithms on the protected HSM platform.

Accessories

nToken

For organizations that wish to add security for their HSM clients, nTokens are PCI or PCI Express (PCIe) cards that enable strong authentication for clients of network-attached HSMs such as nShield Connect, ensuring that clients cannot be impersonated. Thales offers HSM bundles that already include 3 nTokens, and customers can purchase additional nTokens that each include a client license. PCI variants are full-height; PCI Express variants are low-profile cards. nTokens are not compatible with virtual servers.

Replacement Power Supply Unit

nShield Connect features dual, hot-swap power supplies to enable premium business continuity. Thales offers replacement PSUs for nShield Connect to enable you to replace failed parts instantly without downtime.

Replacement Fan Tray

nShield Connect features redundant, field-replaceable fans. The fans and battery are mounted on a fan tray that enables easy replacement; fans cannot be replaced individually. Like the power supplies, the fans are located outside the security boundary of the HSM. Thales replacement fan trays enable you to replace failed parts instantly without downtime.

Keyboard

While many functions of nShield Connect can be carried out easily with the touch wheel at the front of the unit, operators may require a keyboard for some operations and to configure the modules more efficiently. Thales offers an optional USB keyboard for these tasks. Because the keyboard is only required for a few operations, one keyboard per data center site is typically sufficient. You can also use standard USB keyboards.

nShield Connect 6000 accessories include slide rails, smart cards, and an optional USB keyboard

Slide Rails

To mount nShield Connect in a 19" rack without a shelf, Thales offers optional slide rails to be fitted with nShield Connect. These enable easier hardware installation and allow you to use server racks more densely. Thales recommends that customers use these slide rails exclusively because parts from other manufacturers may not be compatible. The slide rails are always sold as a pair, i.e. ordering one unit of this part code will include two slide rails, sufficient to mount one nShield Connect module.

Compatibility Overview

Columns: Solo L2 = nShield Solo FIPS 140-2 Level 2; Solo L3 = nShield Solo FIPS 140-2 Level 3; Edge = nShield Edge; netHSM = netHSM (legacy); Connect = nShield Connect.

Option                                              Solo L2  Solo L3  Edge  netHSM  Connect
CipherTools Developer Software                         O        O      O      O        O
CodeSafe / SEE Activation*                             -        O      -      O        O
Database Security Option Pack                          -        O      O      O        O
payShield Cardholder Authentication for nShield*       -        O      -      O        O
payShield Key Loading Device                           -        O      -      O        O
Time Stamping Option Pack*                             -        O      -      -        -
Time Stamping Developer Software                       -        O      -      -        -
Remote Operator Activation                             O        O      O      O        O
Elliptic Curve (ECC) Activation                        O        O      O      O        O
KCDSA Activation                                       O        O      O      O        O
nShield Smart Card Reader Rackmount                    O        O      -      -        -
Additional Client License                              -        -      -      O        O
nToken                                                 -        -      -      O        O
Replacement PSU for nShield Connect                    -        -      -      -        O
Replacement Fan Tray for nShield Connect               -        -      -      -        O
Keyboard for nShield Connect                           -        -      -      -        O
Slide rails for nShield Connect                        -        -      -      -        O

S = standard; O = optional; - = not offered. *No more than one of these CodeSafe applications can be run on a single HSM.

nShield Connect Specifications

Cryptographic algorithms supported:

  • Symmetric
    • AES (128, 192, and 256 bit)
    • ARIA (128, 192, and 256 bit)
    • Camellia (128, 192, and 256 bit)
    • Triple DES (112, 168 bit)
  • Asymmetric
    • RSA (1024, 2048, 4096, 8192 bit)
    • Diffie-Hellman
    • DSA
    • ECC Suite B
  • Hashing
    • SHA-1, SHA-2 (224, 256, 384, and 512 bit)

Certifications:

  • FIPS 140-2 Level 3
  • Common Criteria EAL 4+
  • UL, CE, FCC
  • RoHS, WEEE

Operating systems supported:

  • Windows
  • Linux
  • Solaris
  • IBM AIX
  • HP-UX
  • VMware
  • Hyper-V
  • AIX LPARs

APIs supported:

  • PKCS#11
  • OpenSSL
  • Java (JCE)
  • Microsoft CAPI and CNG

Below is a non-exhaustive list of applications that utilize these APIs and have been tested by Thales, our partners, and/or our mutual customers.

  • Aconite Affina
  • ActivIdentity Card Management System, 4Tress, Validations Authority
  • Apache
  • Axway Validation Authority
  • Bell ID Token Manager, EMV Data Preparation
  • CA Application Performance Manager
  • CyberArk Digital Vault
  • EfficientIP SolidServer
  • Entrust Authority Security Manager
  • IBM Tivoli Access Manager, Websphere
  • Imperva SecureSphere
  • Infoblox IPAM Appliance
  • Insta Certifier Certificate Authority
  • Intercede MyID
  • ISC BIND
  • Lieberman Software Enterprise Random Password Manager
  • Keynectis OpenTrust PKI
  • McAfee Iron Mail, Web Gateway
  • Microsoft Active Directory Federation Services (ADFS), Active Directory Certificate Services (ADCS), Forefront Identity Manager (FIM), Internet Security and Acceleration Server (ISA), Rights Management Services (RMS), Internet Information Services (IIS), BizTalk Server, Authenticode, Hyper-V, SQL Server, Mediaroom
  • nuBridges Protect
  • PingIdentity PingFederate
  • Prime Factors EncryptRIGHT
  • PrimeKey EJBCA
  • Protegrity Data Security Platform
  • Red Hat Certificate System
  • Riverbed Stingray
  • RSA Certificate Manager, Data Protection Manager
  • Totemo Trustmail
  • Vasco Vacman
  • Verisec Hnossa
  • Voltage SecureData

nShield Connect Data Sheet