Fundamentals of Hardware Security Modules

Mark Yakabuski Product Manager, HSM

René BastienProduct Manager, Payment Products

Clara WickeProduct Marketing Manager, HSM

Agenda

Definition of an HSM

Product overview & general applications

Market drivers/trends

Going to market/ Why we win

Product overview (individual)

Competitive matrix

Payment products

Marketing tools and Q2 outlook

What is a Hardware Security Module (HSM)?

A device to keep Business critical crypto keys at the highest level of security

Accelerate Crypto operations to eliminate bottlenecks

Provides a clear audit trail for all key materials, crypto operations

We have a wide range of HSM options Varying performance, storage capacity, and Form Factors, authentication models

Wide range of SDKs/Toolkits for flexible integration

HSM TechnologyBreadth of Hardware Security Offerings

Customizable,Economical

SOA, Web Services

FastestNetworked, Scaleable

Per

form

ance

PCM, CA4

Luna PCI

Luna SA / SP

Offline Key Archive

Protect Server

Luna XML

Protect Host EFT

Payments, EMV/EFT

Market Overview

Typical HSM Applications

Documents

10. FinancialTransactions:

EFT, Payments Clearing & PIN Mgt

9. SSL & XMLWebservers

FinancialNetworks

Internet

1. PKI Certificate Authority

2C. Smart Card, Passport & License

Issuance

4. Authentication& VPN

Access Control

5. Certificate Validation

7. Secure EMAIL & Document

Rights Mgt / Signing

6. Database Encryption Database

1B. Time Stamp

3. Client Systems with Disc Enc &

2F Auth

2A. Code Signing

2B. Secure Manu. / Device Issuance

8. Gaming consoles

HSM’s are the Tire!...Find the cars that need high

security Tires!

General Purpose Market Trends

ECC Brainpool/E-passport projects

ECC interest, Suite B (NSA standard http://en.wikipedia.org/wiki/NSA_Suite_B)

Key Management

PKI…real growth of 3rd gen PKI apps

Combining COTS solutions, and Customized development efforts.

Web Services/Service oriented architectures

MS CertServ continuing to gain install base

PCI-express

Paper to digital processing

PCI-DSS standard

SWIFT/UBS/SIC…

The BIG DEALS.

Large HSM deployments

•Hand/Hand with customized solutions.

•In account early, help architect

•Leverage our great SE’s

Ideal Customers – how to find them

Solution Seekers

Are purchasing/have purchased some application from a 3rd party

Our HSM has either been recommended or referred as one of a number of supporting HSMs

Customers will select an HSM based on

3rd party recommendation

Responsiveness & Support

global presence and capability

level of integration

price

Developers

Are developing their own application for sell, cost or competitive reasons

Developers are either internal users or OEMs

Customer will select their HSM partner based on:

Apps Eng team, SE capabilities

technology & toolkits

Responsiveness & Support

global presence and capability, stability

price

•An HSM is nothing without a Host Application (a car).

•Off the Shelf or Custom?

Integrations team in India

• Building Integration guides

Examples

Solution Seekers …any size organizations – with small to

medium sized deployments

Always because of a Partner Integration

SafeNets most valuable partners

Entrust & Verisign

Microsoft

Card Personalization

Payments Apps providers

From Contact to Contract ~ 3 months

Revenue from the deal is mostly complete at that point

but the partnership continues to deliver

Developers …large organizations – with large future

plans

Select SafeNet because of the quality of products/tools, our global presence and our relationship management

Examples

SWIFT, NCR, Cisco, Cavium, SIC

From Contact to Contract ~ 3 to 12 months

Revenue follows 3 to 6 months after Contract

Revenue is then ongoing based on the nature of the end solution

Action: Continue enhanced focus on partners – and developing those relationships

Action: Continue enhanced focus on partners – and developing those relationships

Action: Focus on enhancing toolkit & product offerings, material and positioning - and training Sales & responsiveness

Action: Focus on enhancing toolkit & product offerings, material and positioning - and training Sales & responsiveness

Roadmap

2008 HSM Value Add

Early 2008

Luna Sx

Luna SA maturity

Luna XML

Brainpool support (PSG, SA)

DOCK II (I know…finally!)

Mid 2008

PCI Express support on Luna platform

Luna XML v2

Luna Sx v2

Late 2008, early 2009

Luna “PKI Bundle”

Luna SA maturity continued

Remote PED

PCI Express support on PS platform

Easy setup/management

Enterprise Grade Features

Easy deployment, First XML HSM in Market

ePassports

Initiative

PCI Express Support

Luna SA

SA 4.2(Nov 2007):• NTLS redesign (connection limit increase, 800)• Over 4000 ops/sec• CNG support• Enhanced SNMP•Fuller Platform support (including Solaris X86 support)

Luna SA 4.4(Q4/08)

•HA Overhaul

•Remote PED

•PKI Bundle

Luna SA 4.3(march 31/08)

•Brain pool Support

•HP Itanium OS support

Result:

•A mature Enterprise Grade Appliance

•Robust Feature Set

•The required certifications

Remote PED Administration (part of Luna SA 4.4 release, Q4/08)

010110111010111011

New Orange PED key for

Remote Admin

1. Will require new Remote PED built at manufacturing (not field upgradeable). Can be used as either remote/local PED.

2. Will not be compatible with 2U units.

Will offer full PED functionality at Remote Admin work station.

•Centralized control

•No PED required at Data Centers

PKI Bundle (part of Luna SA 4.4 release, Q4/08)

Why?

•Customer/Partners have asked for it; Verisign, Entrust, Arcot, Microsoft, RSA….

•Allows us to leverage existing technology Luna SA/Luna tokens

•Create competitive differentiator

What is it?

• Luna SA, up to 20 partitions for Signing/key management. Internal SA card reader is used to house PCM tokens.

• Tokens are accessible via same client API as the Luna SA. Each token is a member of the available slot list exposed by the SA/CA4/KE total.

Benefit:

• Key Gen/Offline Root/Online Root capable from 1 unit

• Cost savings to customer

•Product

•IT Will not be compatible with 2U units.

SafeNet Luna XML…world’s first!Rapid-to-deploy high-assurance HSM for XML environments

Revolutionizing application and transactional security with the world’s easiest to integrate and deploy hardware security module

Why?

Business applications move to Service Oriented / XML based architecture.

Nature of XML is designed to allow for B2B, B2G, B2C inline communication/processing = Security Need!

Benefits?

Clientless

OS independent

Customers don’t need to be crypto API gurus(P11/JCA/CAPI)

FIPS validated HSM 140-2 Level 3

Scalable, Reduces IT costs and Time to deploy.

Built for Service Oriented Architectures

Meets Compliance Needs

Rapid Deployment with Luna XML

Customer Application

Custom built XML service

JCA/JCE API

Cryptoki Layer

Customer XML Application

Custom Java layer

OS dependency

From months … … to days!

Jan | Feb | Mar | Apr | Jun | … ? Mon | Tue | Wed | Thu | Fri !

OS independent!

Traditional HSM SafeNet Luna XML

XML Crypto Service

Luna XML Operational Use

Load balancer

XML Based Application

SSL

SSL

XML

SSL

SSL

XML

SSL

SSL

XML

Crypto object synchronizationXML crypto service

XML crypto service XML crypto service

Available across multiple sites

for DR

Easy to Scale!

Platform independent

Sample XML Call

XMLSign

Signs XML Document

<xmlSign Profile="urn:oasis:names:tc:dss:1.0:profile:dss_interop" RequestID="id">

<OptionalInputs>

<KeySelector>

<KeyInfo/>

</KeySelector>

<IncludeObject WhichDocument="12345" ObjectID="54321"/>

</OptionalInputs>

<InputDocuments>

<Document ID="12345" RefURI="uri">

<EscapedXML>escaped XML</EscapedXML>

<InlineXML>Some XML</InlineXML>

<Base64XML>base64 encoded xml </Base64XML>

<Base64Data>base64 data</Base64Data>

</Document>

</InputDocuments>

<AuthToken/>

</xmlSign>

What is XML? (Extensible Markup Language)

•Like HTML in structure

•Data centric, not concerned with display

•Leveraged via WSDL (Web Service def’n language)…like our PKCS#11 API.

•SOAP (Simple object access protocol), used to encapsulate msg objects.

•SOAP msg’s defined in pairs (request/response)

Luna XML

Replacement for Luna SA?

No it is not…

New customers, new opportunities

Paper to digital

PCI DSS

B2B, B2G

Existing customers, new opportunities

New deployments

XML Value Added Questions

1. Are you deploying SOA/XML today, or in the future?

2. What if your services were compromised?

3. Are these services client or partner based?

4. Would you like to differentiate from your competitors?

5. Would you like decrease your HSM deployment and management costs

6. Would you like a quick/easy way to add Enterprise grade security to your service offerings?

Reduce risk, $ cost of compromise

Help Architect. Know the customer = larger deals

There are 1000’s of companies deploying Web Services…FIPS/CC HSM

differentiates

Luna XML!

No more platform Dependence, Upgrades

Luna SX (Start-up Xpress)

Why?

Difficult setup

So is Competitors

Gives us another competitive advantage.

What is Sx?

GUI management

Built in partnership with KEYON.

Can Manage SA or SP appliances (multiple)

How to get it?

Demo available

Production features will require update to license on the sentinel key.

GA?

Q2, 2008.

Luna SX Screen shot

Multiple devices, SA/SP

Multiple clients

Partition details

Available preset actionsAdmin Tabs

BrainPool Support

PSG with PTK 3.32 release GA May /08

Luna SA with 4.3 release GA March 31/08

Luna PCI with 3.0 release GA Q3/08

Support for Named, and “user defined” Brainpool ECC curves

Driven By ePassports Initiatives World Wide

User Defined feature…opens other doors (like Marlin curve set)

Release Details (Protect Server)

PTKC 3.32 (May/08)

Brainpool support

RoHS Card reader/Pin Pad support

PTK-M password fix

PSO/PSG support

CNG support

New OS support

Java 1.5 support

PTK 4.0 (Q1/09)

PCI-Express support

New PCI board layout

PTK BETA with Brainpool

support ava

ilable Now!

SafeNet HSM Product Range Overview

1024 RSASignings (max)

FIPS 140 Level 2 and Level 3 FIPS 140 Level 2 and Level 3

NetworkNetwork NetworkNetwork NetworkNetworkLu

na C

A3/CA4

Luna

SA

Luna

SP

Attachment ServerServer EmbeddedEmbedded

Luna

PCM Lu

na

PCI

Certifications

PKCS 11, Java, CAPI PKCS 11, Java, CAPISW Support

CCEAL 4+

(CA3)

CCEAL 4+

(CA3)

20 x partitions,

SSL acceleration

20 x partitions,

SSL acceleration

4000+/sec4000+/sec 4000+/sec4000+/sec 600/sec600/sec 7000/sec 7000/sec

PPOPPO PPOPPO

EncryptionAlgorithms Symmetric and Asymmetric Symmetric and Asymmetric

27/sec27/sec

EmbeddedEmbedded

600/sec600/sec

Other features

EmbeddedEmbedded

Prote

ctSer

ver

Exter

nal

Prote

ctSer

ve

r Int

erna

l

27/sec27/sec

CCEAL 4+ CCEAL 4+

1200/sec 1200/sec

Server/NetworkServer/Network

Prote

ctHos

t

EFT

PPOPPO

EFT CommandSets

EFT CommandSets

CCEAL 4+

CCEAL 4+

SafeNet Network-Attached HSMs

Luna SA / SP

High assurance enterprise-grade HSM

• 4,000 ops/s

• FIPS 140-2 Level 3, CC EAL 4+

• Full platform support

• Secure remote administration

• 10/100 Ethernet interface

• Protected application execution environment (Luna SP)

• Extensive algorithm support

ProtectHost EFT

High assurance HSM for financial payment systems

• PIN generation & verification

• Supports global payment processing, EMV, and Card Issuance APIs

• 1,200 Visa PIN Verify operations / sec

• Certifications: FIPS 140-2 Level 3, CC

• Easy GUI-based administration

Luna XML

High assurance enterprise-grade HSM for XML environments

• XML interface (WSDL) encapsulates crypto functions, enabling rapid integration development

• FIPS 140-2 Level 3

• Extensive algorithm support

• No client required

• 2,200 ops/sec

• OS independent

• Secure remote administration

• 10/100/1000 Ethernet interface

Luna SX

Central HSM Management Console

• Intuitive GUI

• Easy setup & management of multiple HSM appliances

• Reduces cost of administration

SafeNet Internal HSMs

CA4 Luna PCI

Root key HSM for true hardware key management

• FIPS 140-2 Level 3 certified

• Extensive algorithm support

• Supports two-factor trusted path authentication

• Supports common certificate authorities (Microsoft, Entrust, Verisign, RSA, etc.)

Fast, high-assurancePCI HSM card forhardware key management and crypto acceleration

• 7,000 ops/s

• FIPS 140-2 Level 3, CC EAL 4+

• Supports two-factor trusted path authentication

• Extensive Algorithm support

Luna PCM

Portable, cost-effective PCMCIA HSM card for hardware key management and crypto acceleration

• Versions for document signing, key export for registration of tokens, and signing and back up of key material to a token

• FIPS 140-2 Level 3

• Extensive algorithm support

ProtectServer Gold

Cost-effective high-assurance PCI HSM card for customizable hardware key management

• 600 ops/s

• Easy GUI-based administration

• Customizable interface

• FIPS 140-2 Level 3

• Extensive algorithm support

• Secure remote administration

Competitive Details

SafeNet HSM Industry Leadership

First general purpose network HSM

Secures the most financial transactions

Most PKI deployments

Most HSM hardware form factors/toolkits

HSM leader for 15 years

Leader in HSM compliance (FIPS, CC, PCI-DSS, E-passports…)

……New Luna XML

Why SafeNet HSM’s?

Do You Care about these things?

Reducing your risk Fraud/Breaches

Physical disaster

Reducing your costs Moving to digital processing

Deployment/integration costs

Increasing your revenue Enabling new online Business process

Industry regulation/compliance FIPS, CC, Sarbox, PCI-DSS, E-Passports, EMV, and industry

audits

Who does: Largest online PKI provider in the World. Deploys 1000’s of SafeNet HSMs

Who does: Largest Financial Network in the World. Deploys 1000’s of SafeNet HSM’s.

Who does: World’s Largest internet Bank.

Luna Vs. PS, which to position?

Luna

HW Key Management

Enterprise class Appliance

SNMP, HA, secure CLI, NTLS, Shareability

CC certification in process

PED auth

More 3rd party integrations

HSM backup option

Existing Luna install base

Higher Performance

PS

FM’s (and the customization they offer)

PCI FF, lower entry $price$

Embedded OEM opportunities

Fuller OS support than Luna PCI

EFT FM

Existing PS install base

Position Luna:

•High Assurance, security focused offering.

•More FF choices.

•Enterprise Grade Appliance offering.

Position PS:

•Flexible, Embedded focused offering

•Customizable Firmware

•lower entry price.

Competing v nCipher on Security:

Leverage Luna featureson Entry Price:

Leverage PS features

Competitive Details (Positioning)

More Secure key management

More Enterprise Grade features

More speed, up to 7000 ops/sec (more than Double nCipher)

First to market XML HSM

Easiest to Set up/Manage (Luna Sx)

More extensive API/Toolkit set

FM’s, XML, Java, OpenSSL, P11, CAPI

More Extensive range of HSM offerings

Appliances, PCI cards, PCM tokens

More Large Customer installations

SWIFT, SIC, DOD UBS, Verisign, NCR, AOL

LESS expensive HSM’s

LESS expensive HSM product options (licenses, toolkits, FM)

LESS expensive HSM product options (licenses, toolkits, FM)

Protect Server FM $0.00 SEE 6,989.96$ $6,989.96

Luna SA partition upgrade from 2 to 5 partitions $2,500.00

NetHSM connection licence

(1) $4,813.43 $2,313.43

Difference

Luna SA(Fips 3) Bundle $21,950.00 NetHSM $28,880.53 $6,930.53

Difference

Difference

= BEST VALUE

Updates:

1. nCipher Buys Neoscale.

• Tape backup

• Key Man App (not very Robust).

• Bankrupt, then bought

2. Sun Crypto card

• Cheap, but not real threat.

• Ltd OS/API support

• FCC only in SUN box.

• SSL/IPSec target card.

Competitor’s Positioning

nCipher leads with Key Management positioning

We offer True Hardware key management

nCipher positions themselves as “Enterprise provider”, SFNT as “low-cost” provider.

We have lower list prices, but a more extensive, secure HSM offering

nCipher offers discounts on maintenance, and initial purchases.

nCipher has a stronger MS relationship

nCipher “solution sells”, often is more marketing than “meat”.

Most of what they market as solutions, are the same partnerships offering we have. We are moving to a clearer marketing focus on solutions.

Payment HSMs

Rene Bastien

Product Marketing Manager

HSMs in Payment

Market drivers differ

Retail Market: EMV

PCI-DSS

Streamlining of operations (outsourcing, PIN)

Move to contactless cards

Payment over new channels (m-payment, NFC, transit, loyalty)

Wholesale: Transaction authentication

User authentication

Compliance requirements

Payment Products

Network-attached HSM: ProtectHost EFT

Replaces PHW

Great competitive features :

Form factor (1U instead of 4U)

Price competitive

Performance (50% faster than Thales)

Ease of integration (runs same software as PHW)

Backwards compatible

Payment Products

ProtectTool EFT

Version 5.02 in SQA.

Expected GA by Q3-2008.

Sits on ProtectServer Gold

Essentially, Mark II in a different form factor

Works with PTK C

Payment Products

ViewPIN+

Application that does 2 things quite well:

Changes your PIN

Enables you to retrieve a forgotten PIN

All of this securely

All of this either at home through a web browser, or in a bank branch

No one does that!

Replaces IVR interface

Simplifies ATM upgrades

Great lead-in to new accounts

Payment Product Roadmap

ViewPIN+ formal launch in November 2008

Mark II roadmap for the next 2 years

Full EMV support

Dual role devices (MarkII plus AMB)

Contactless

Mobile commerce

Multiple languages, printers for PIN mailers

Integration with other products, partners

Mark II over multiple platforms

SafeNet’s Competitive Edge

Hardware: Performance

Commonality of platform

Multiple form factors

Continuous R&D

FIPS and CC compliance

Application: General purpose appliances (including XML appliance)

Depth, breadth of offering

Market share: General purpose worldwide: leader

Payment: EMEA (2nd)

APACS (1st)

Partnerships and integrations

HSM Marketing Materials and Campaigns

Clara Wicke

Product Marketing Manager, HSM

MySafeNet.com

Sales Tools

Case Studies Qatar Central Bank

Security Biometric

PCI DSS

E-passport

Egg Bank

Canadian Government

Automotive

Pharmaceutical

Competitive Matrixes

Presentations Sales Presentations and Corporate Product Slides

Product Briefs Luna XML

Luna SA

Luna SP

Luna CA4

Luna PCI 7000

ProtectServer External

ProtectServer Gold

ProtectHost EFT

Sales & Partner Success Kits Hard and Soft Copy

Solutions Briefs Solutions Selling Handouts

Technical Matrixes

Webinars Application Development

PCI- Changes and Audits

PCI- Global Compliance

PCI- Technical Architecture & Best Practices

PCI- Deadlines Past Merchants Still Not Compliant Parts 1 & 2

SOA Web Services Security with Layer 7

HSM 101

Whitepapers & Guides CA3-CA4 Migration Guide

Compliance

Microsoft Guide (almost there)

Tumbleweed User Guide

E-Passport

PKI Best Practices

XML Security

HSM XML “Cheat Sheet”

Sales Kit- What’s Inside!

HSM Overview

Key Drivers (Internal and External)

HSM Value Proposition

Applications by Vertical

Problem Owner Profiles

Vertical Solutions

Competitive Analysis

Partner Guides

Quick Sheets for Applications, Competition, and Objection Handling

Prospect List

And More!!!

Online version of sales kit http://mysafenet

Upcoming HSM Campaigns Q2/Q3

HSM Luna XML Campaign Launched product at RSA

List being purchased to identify project managers for applications in IT

Also use internal house list of software developers

May: Email to promote XML white paper

June: Email to promote XML webinar

Vertical Focused Campaigns Financial

PCI DSS Compliance

Paper to Digital Transactions

Government E-passport

First Responders

Thank You