Keyper HSM - DNSSEC Solution

Security & Cyber
Datasheet

DNSSEC extends standard DNS to prove that data has not been modified and came from the official source. The original standard DNS protocol continues to work the same.

Ultra Electronics AEP's DNSSEC Solution is the combination of a BIND virtual appliance based on a hardened Linux operating system and AEP's Keyper HSM.

ISC BIND is the gold standard for DNS Servers on the Internet, supports the full DNSSEC standard and automatic key rollover.

Keyper is the only HSM wholly certified to FIPS 140-2 Level 4 and Common Criteria EAL4+ for the ultimate in cryptographic assurance of signed resource records. Solution offers true random number generation for the highest quality keys, hardened platform and key management. Also resilience and elliptic curve cryptography.

“Security is a critical factor for ICANN’s DNSSEC deployment, AEP's Keyper HSM & FIPS Level 4 was an easy choice”
Richard Lamb, ICANN

Key business benefits
■■ Data integrity - DNSSEC is a mechanism to verify DNS data
■■ Compatibility - designed to be backwards compatible with DNS
■■ Automation - auto zone signing and key rollover
■■ Assurance – the only FIPS 140-2 Level 4 HSM
■■ Capability – broad range of algorithms
■■ Scalability - Load balancing of multiple HSMs across multiple hosts and locations

Applicable markets
■■ ccTLDs
■■ gTLDs
■■ sTLDs
■■ Domain Registrars and ISPs
■■ Blue chip corporations

What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) adds resource records and message header bits which can be used
to verify that the requested data matches what the zone administrator put in the zone and has not been altered in
transit. DNSSEC doesn’t provide a secure tunnel; it doesn’t encrypt or hide DNS data. It was designed with backwards
compatibility in mind. The original standard DNS protocol continues to work the same.
Why Keyper HSM for DNSSEC?
Hackers attack public key infrastructure by compromising weak keys or simply finding them. Robust DNSSEC solutions
require good random number generation and secure keys. Keyper fulfils these most important technical requirements
for DNSSEC by generating the keys using hardware random number generation and securing the private keys in a
tamper reactive environment.
"AEP Protecting the very core of the Internet"
AEP has designed the Ultra Safe Keyper range of HSMs to provide the ultimate level of protection for the most
sensitive data and information systems. At the heart of Keyper is AEP's revolutionary ACCE technology. ACCE is the next
generation flexible crypto platform that provides the highest level of assurance – FIPS 140-2, Level 4.
Ultra Electronics AEP Keyper: The ultimate protection of key material
■■ Data integrity - DNSSEC is a mechanism to verify DNS data
■■ Compatibility - designed to be backwards compatible with the original standard DNS protocol
■■ Automation - automatic zone signing achievable using new inline-signing feature and automatic key rollover
■■ Ease of deployment - Hyper-V or VMware virtual appliance eases deployment of OS and DNSSEC into service.
■■ Assurance - the only FIPS 140-2 Level 4 HSM
■■ Capability - broad range of algorithms including elliptic curve
■■ Architecture - Built using ACCE giving tamper protection to FIPS 140-2 Level 4
■■ Fault Tolerance - Supports resilient configurations
■■ Scalability - Load balancing of multiple HSMs across multiple hosts and locations
■■ Authenticated Use of Keys - Optionally PIN activated

Technical Specifications

Product Dimensions
• 223 x 51 x 244 mm

Power Requirements
• Keyper Professional / Keyper Enterprise: 100 – 240VAC, 47-63 Hz (42VA)
• Keyper Plus: 100 – 240VAC, 47-63 Hz (65VA)

Cryptographic Functions and Services
Keyper Professional / Keyper Enterprise:
• RSA: 1024-4096 bit key length
• DSA: 1024 bit key modulus
• AES: 128-256 bit key length
• DES/3DES: 112/168 bit key length
• Hash: SHA-1, SHA-2, MD5
Keyper Plus:
• ECDSA: P192-P521 curves
• ECDH: P192-P521 curves
• RSA: 1024-4096 bit key length
• DSA: 1024 bit key modulus
• AES: 128-256 bit key length
• 3DES: 168 bit key length
• Hash: SHA-2

Performance (key signing, using up to 8 connections)
• Keyper Professional: 300 tps (RSA 1024)
• Keyper Enterprise: 1,200 tps (RSA 1024)
• Keyper Plus: >3,500 tps (RSA 1024), >2,000 tps (RSA 2048), >950 tps (ECDSA 256)

Administrator Roles
• Keyper Professional / Keyper Enterprise: Security Officer, Operator
• Keyper Plus: Security Officer, Crypto Officer, Operator

Key management
• Storage Master Key (SMK) import/export via smart cards in M of N components
• Application Key import/export via smart cards protected with an internal Master Key (also via USB on Keyper Plus)

Key storage
• Red Key Store: keys actively erased when a tamper is detected
• Black Key Store: large key store encrypted under the SMK

Connectivity
Keyper Professional / Keyper Enterprise:
• TCP/IPv4 over Ethernet at 10/100 Mbps full/half duplex with auto-negotiation
• Up to 32 concurrent connections (256 with Extra Connections model)
Keyper Plus:
• TCP/IPv4 and IPv6 over Ethernet at 10/100/1000 Mbps full/half duplex with auto-negotiation
• Up to 256 concurrent connections

Certification
• FIPS 140-2 Level 4 (expected 2013)
• FIPS 140-3 Level 4 (expected 2014)
• FIPS 140-2 Level 4 (cert. #1340)
• Common Criteria EAL4+

Operating Environment
• Operating temp: 5 to 40 °C (25 to 90% humidity, non-condensing)
• Storage temp: -15 to 65 °C

Host Software
• Keyper Management Centre
• PKCS#11 Provider
• CentOS 6.4 Final
• OpenSSL 1.0.0f
• BIND 9.9
• AEP Keyper Load Balancer (optional)

Platform
• Microsoft Hyper-V *
• VMware vSphere *
* Microsoft and VMware licences are not included.

Ordering information
Product: Ordering Part Number
• Keyper 9720 Enterprise DNSSEC: E-KEY-ENT-DNS
• Keyper 9720 Professional DNSSEC: E-AS-KEY-PRO
• KeyperPlus DNSSEC: E-KEY-PLS-DNS

Ultra Electronics
AEP
Knaves Beech Business Centre
Loudwater
High Wycombe
Buckinghamshire, HP10 9UT
Main Switchboard: +44 (0)1628 642 600
Email: [email protected]
www.ultra-aep.com
www.ultra-electronics.com
Ultra Electronics reserves the right to vary these specifications without notice.
© Ultra Electronics Limited 2013.
120706 / ULT / 3261 / JS