PCI and SBus Cryptographic Services Providers Product Specifications

Hardware Description | Software Description | Key and Certificate Management | Authentication and Access Control

3Si's advanced technology Cryptographic Services Provider (SCP) provides a high-performance server system by off-loading cryptographic processing from the host system. It provides hardware based security services to applications or provides network security on the Internet.     It consists of:
  • Hardware board(s) loaded with firmware
  • Software on the host server platform which includes a cryptographic API (CAPI), Security Manager, board driver and Administration graphical user interface.
  •    Features    Benefits
    • Government and commercial algorithms (SkipJack, KEA, DES, 3DES, SHA-1, MD5, DSA, D-H and others) in hardware
    • Multiple cryptographic processor design optimized for significant performance
    • Scaleable and flexible design - one or more cryptographic processors per board and multiple boards in a system
    • Data confidentiality, data integrity, key management, digital signature and time-stamp services
    • FORTEZZA Cryptographic Interface (CI) and PKCS #11 Application Programming Interface (API) support
    • Secures Government and commercial information systems at the application or network layers
    • Provides security without degrading performance or requiring costly upgrades
    • Supports concurrently a mix of server applications such as E-Commerce, web, database and others
    • Provides high-assurance security solutions
    • Security Manager manages sessions and tokens
    • Layered architecture is adaptable to other CAPIs
    • Virtual token support is adaptable to different formats
    • Ideal for Virtual Private Network (VPN) infrastructure components, and banking and finance applications
    Characteristic PCI Version SBus Version
    Form FactorSingle Slot Long Care Single Width
    Voltage5V@3.0 Amps5v@2.0 Amps
    Normal Operating Temperature10 to 40 degrees C (50 to 104 Degrees F) 10 to 40 degrees C (50 to 104 Degrees F)
    Operating SystemsSun Solaris x86 Version 2.6 and 7; Windows NT 4.0 Sun Sparc Solaris 2.6 and 2.7
    Number of Cryptoprocessors (max.)84

    Hardware Description

    The board limits and controls access to the multiple cryptographic processors as the bus master. Multiple internal DMA channels transfer data across the host system bus and to the cryptographic processors. Dual-ported RAM interface facilitates independent reads/writes between each cryptographic processor and the on-board control processor. Each cryptoprocessor has dedicated hardware for computing the FORTEZZA SkipJack, DES, and 3DES (single and two key) encryption algorithms (several chaining modes), Key Exchange Algorithm (KEA), Digital Signature Algorithm (DSA), Secure Hash Algorithm (SHA-1), Message Digest (MD5) and other algorithms. Each cryptographic processor is also equipped with: a full 1024-bit (extendible to 2048 bits in firmware) exponentiator to facilitate key operations such as in RSA algorithms, a digital non-deterministic randomizer, and a key cache for high speed cryptographic context switching.

    On board flash memory retains trusted keys and certificates and the firmware code which is digitally signed and verified upon initialization. An identifier unique to each board is programmed in a dedicated programmable memory chip (based on Dallas Semiconductor's I-Button technology) which serves as a 'signature' unique to an organization or a company. A time-of-day clock on the board provides time/date stamping preventing replay attacks. The cryptographic mechanisms comply with the FIPS PUB 140-1 level 2 standard.

    Software Description

    The Security Manager is the interface (via the CAPI) between the users (or server applications) and security services such as strong authentication, certificate management, access control and directory access.

    The Security Manager stores and retrieves individual users' virtual tokens, containing the users' keys and certificates. A user can own more than one token. Each instantiation of the virtual token on the board is unique and provides the user with a "physical" implementation of a cryptographic card. The Security Manager manages an unlimited number of concurrent sessions or connections, constrained only by the computer hardware resources. The Security Manager also performs security administration and auditing.

    Key and Certificate Management

    Trusted keys and certificates are either loaded into or generated, and protected on the board. This minimizes the possibility of compromise common to software based security solutions. User keys and certificates stored in virtual cryptographic tokens contain a minimum 10 key registers and 48 certificate slots. Virtual tokens, when they are held in the host environment, are cryptographically protected with keys that are generated and resident only on the board, thereby providing the full benefit of a hardware based security solution. Large numbers of virtual tokens can be stored securely in the host environment.

    Interface to Government and commercial certificate authorities is provided and the CSP is public key infrastructure (PKI) enabled.

    Authentication and Access Control

    User will access the keys and certificates in the virtual token via a Personal Identification Number (PIN). Role-based access controls define the level of access given to users: Site Security Officer (SSO) or Administrator; or User requesting security services from the board. Access to security-critical cryptographic functions are restricted to the SSO or Administrator.