Table of Contents
Advertisement
of a Rainbow Technologies key management utility. This allows boards to share keys as be
appropriate for load distribution or redundancy needs.
The key wrapping key also makes it possible for keys to be stored in encrypted form on backup
tapes or hard drives for archival purposes. The keys encrypted with the Key-Wrapping-Key
need never exist in plaintext form outside of an HSM. When an operator uses an HSM, he will
be assisted by a key management utility. This utility will prompt the operator when it is time to
plug a particular token into a particular HSM. A particular host system may contain one or more
HSM's. So that there is no confusion, the key management utility will control an LED on each
HSM to alert the operator to know where to insert a particular token. 1. The HSM can detect
attempts to penetrate its cryptographic envelope. If it detects a tamper attempt, the HSM will
erase all of the critical security parameters that it contains. The HSM is controlled through its
PCI interface. Commands are entered through the PCI bus, and status is read from the PCI
bus. Also, both plaintext and encrypted data is transmitted over the PCI interface. The serial
port is disabled in the production version of the HSM. A primary function of the HSM is to
securely generate, store, and use private keys (particularly for signing operations).
4.0 Capabilities
The HSM is capable of performing a wide variety of cryptographic calculations including DES,
SHA-1, DSA, 3DES, RSA exponentiation, RC4 and HMAC. When in the FIPS 140-1 mode,
the board can perform DES, 3DES, RSA Signatures, RSA Signature Verifications and SHA-1
functions. When in the non-FIPS 140-1 mode, the board can also perform the RSA
exponentiation, RC4, MD5, HMAC (SHA-1 and MD5) and DSA. The RSA signature and
verification implementation is compliant with the PKCS #1 standard. The following table
describes how each cryptographic algorithm is used by our module while operating in the FIPS
140-1 Mode:
Algorithm
DES
3DES
User Guide
How it is used by the HSM module
The module provides services for encryption/decryption. As
currently implemented, the plaintext key must be input through
the PCI interface. Therefore, this algorithm is not accessible in
the FIPS 140-1 Mode. The self-tests perform a known answer
test on this algorithm in FIPS 140-1 Mode.
Used to generate Pseudo-random numbers using the X9.17
Appendix C PRNG algorithm for the purposes of key generation
of RSA and 3DES keys. Encryption/decryption of every key
stored in persistence storage within the module using the
Master Key. Wrapping (encryption) of Private RSA Keys using
the Key-Wrapping-Key for archival purposes. Unwrapping
(decryption) of Private RSA Keys using the Key-Wrapping-Key
for the purpose of restoring an archived key. Note: The 3DES
4.0 Capabilities
Used in
FIPS 140-1
Mode?
No
Yes
April 2013
221
Advertisement
Table of Contents
