Keyper HSM - DNSSEC Solution
Ultra Electronics AEP, Security & Cyber
Datasheet

Ultra Electronics AEP's DNSSEC Solution is the combination of a BIND virtual appliance, based on a hardened Linux operating system, and AEP's Keyper HSM. ISC BIND is the gold standard for DNS servers on the Internet; it supports the full DNSSEC standard and automatic key rollover. Keyper is the only HSM wholly certified to FIPS 140-2 Level 4 and Common Criteria EAL4+, for the ultimate in cryptographic assurance of signed resource records. The solution offers true random number generation for the highest quality keys, a critical factor for key management, together with a hardened platform, resilience and elliptic curve cryptography.

"Security & FIPS Level 4 was an easy choice"
Richard Lamb, ICANN, on ICANN's DNSSEC deployment

DNSSEC extends standard DNS to prove that data has not been modified and came from the official source. The original standard DNS protocol continues to work the same.

Key business benefits
■■ Data integrity - DNSSEC is a mechanism to verify DNS data
■■ Compatibility - designed to be backwards compatible with the original standard DNS protocol
■■ Automation - automatic zone signing and key rollover
■■ Assurance - the only FIPS 140-2 Level 4 HSM
■■ Capability - broad range of algorithms
■■ Scalability - load balancing of multiple HSMs across multiple hosts and locations

Applicable markets
■■ ccTLDs
■■ gTLDs
■■ sTLDs
■■ Domain Registrars and ISPs
■■ Blue chip corporations

What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) adds resource records and message header bits which can be used to verify that the requested data matches what the zone administrator put in the zone and has not been altered in transit. A validating resolver checks the signature (RRSIG) on each answer against the zone's public key (DNSKEY), and checks that key against the DS record published by the parent zone, so trust chains from a trust anchor down to the zone being queried. DNSSEC does not provide a secure tunnel; it does not encrypt or hide DNS data. It was designed with backwards compatibility in mind: the original standard DNS protocol continues to work the same.

Why Keyper HSM for DNSSEC?
Attackers compromise a public key infrastructure by exploiting weak keys or simply by finding (stealing) the private keys. Robust DNSSEC solutions therefore require good random number generation and secure key storage. Keyper fulfils these most important technical requirements for DNSSEC by generating the keys using hardware random number generation and securing the private keys in a tamper-reactive environment, so that signing keys never leave the HSM in clear form.

AEP: "Protecting the very core of the Internet"

AEP has designed the Ultra Safe Keyper range of HSMs to provide the ultimate level of protection for the most sensitive data and information systems. At the heart of Keyper is AEP's ACCE technology. ACCE is a next-generation flexible crypto platform that provides the highest level of assurance: FIPS 140-2 Level 4.

Ultra Electronics AEP Keyper: the ultimate protection of key material
■■ Data integrity - DNSSEC is a mechanism to verify DNS data
■■ Compatibility - designed to be backwards compatible with the original standard DNS protocol
■■ Automation - automatic zone signing achievable using the new BIND inline-signing feature, plus automatic key rollover
■■ Ease of deployment - Hyper-V or VMware virtual appliance eases deployment of the OS and DNSSEC into service
■■ Assurance - the only FIPS 140-2 Level 4 HSM
■■ Capability - broad range of algorithms, including elliptic curve
■■ Architecture - built using ACCE, giving tamper protection to FIPS 140-2 Level 4
■■ Fault tolerance - supports resilient configurations
■■ Scalability - load balancing of multiple HSMs across multiple hosts and locations
■■ Authenticated use of keys - optionally PIN activated

Technical Specifications

Models: Keyper Professional, Keyper Enterprise, Keyper Plus. Where a specification lists two entries, the first applies to Keyper Professional and Keyper Enterprise and the second to Keyper Plus; a single entry applies to all models.

Product dimensions
• 223 x 51 x 244 mm

Power requirements
• Professional / Enterprise: 100 – 240 VAC, 47-63 Hz (42 VA)
• Plus: 100 – 240 VAC, 47-63 Hz (65 VA)

Cryptographic functions and services
• Professional / Enterprise: RSA 1024-4096 bit key length; DSA 1024 bit key modulus; AES 128-256 bit key length; DES/3DES 112/168 bit key length; Hash: SHA-1, SHA-2, MD5
• Plus: ECDSA P192-P521 curves; ECDH P192-P521 curves; RSA 1024-4096 bit key length; DSA 1024 bit key modulus; AES 128-256 bit key length; 3DES 168 bit key length; Hash: SHA-2

Performance (key signing, using up to 8 connections)
• Keyper Professional: 300 tps (RSA 1024)
• Keyper Enterprise: 1,200 tps (RSA 1024)
• Keyper Plus: >3,500 tps (RSA 1024); >2,000 tps (RSA 2048); >950 tps (ECDSA 256)

Administrator roles
• Professional / Enterprise: Security Officer, Operator
• Plus: Security Officer, Crypto Officer, Operator

Key management
• Storage Master Key (SMK) import/export via smart cards in M of N components
• Application Key import/export via smart cards, protected with an internal Master Key (also via USB on Keyper Plus)

Key storage
• Red Key Store: keys actively erased when a tamper is detected
• Black Key Store: large key store encrypted under the SMK

Connectivity
• Professional / Enterprise: TCP/IPv4 over Ethernet at 10/100 Mbps full/half duplex with auto-negotiation; up to 32 concurrent connections (256 with the Extra Connections model)
• Plus: TCP/IPv4 and IPv6 over Ethernet at 10/100/1000 Mbps full/half duplex with auto-negotiation; up to 256 concurrent connections

Certification
• Professional / Enterprise: FIPS 140-2 Level 4 (cert. #1340); Common Criteria EAL4+
• Plus: FIPS 140-2 Level 4 (expected 2013); FIPS 140-3 Level 4 (expected 2014)

Operating environment
• Operating temp: 5 to 40 °C (25 to 90% humidity, non-condensing)
• Storage temp: -15 to 65 °C

Host software
• Keyper Management Centre
• PKCS#11 Provider
• CentOS 6.4 Final
• OpenSSL 1.0.0f
• BIND 9.9
• AEP Keyper Load Balancer (optional)

Platform
• Microsoft Hyper-V *
• VMware vSphere *
* Microsoft and VMware licences are not included.

Ordering information
Product                              Ordering Part Number
Keyper 9720 Enterprise DNSSEC        E-KEY-ENT-DNS
Keyper 9720 Professional DNSSEC      E-AS-KEY-PRO
KeyperPlus DNSSEC                    E-KEY-PLS-DNS

Ultra Electronics AEP
Knaves Beech Business Centre, Loudwater, High Wycombe, Buckinghamshire, HP10 9UT
Main Switchboard: +44 (0)1628 642 600
Email: info@ultra-aep.com
www.ultra-aep.com
www.ultra-electronics.com

Ultra Electronics reserves the right to vary these specifications without notice.
© Ultra Electronics Limited 2013. 120706 / ULT / 3261 / JS
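Worked example (added here; this is not code from the datasheet, from AEP or from ISC BIND). The "What is DNSSEC?" section above relies on two values to chain trust from a parent zone down to a child zone's key-signing key: the DNSKEY key tag (RFC 4034 Appendix B), which RRSIG records carry to identify the signing key, and the DS digest (RFC 4034 section 5.1.4), which the zone operator derives from the public DNSKEY and hands to the parent (registry or registrar). Only the public half of the key is needed, so these are exactly the values that leave an HSM-backed signer while the private key stays inside. The owner name and DNSKEY below are constructed for the demonstration: the public-key bytes are not a real RSA key, they only exercise the algorithm.

```python
"""DS record and key tag computation for a DNSKEY (RFC 4034).

Added example, not from the Keyper datasheet, AEP or ISC BIND.
The DNSKEY used at the bottom is constructed: its public-key bytes are
not a real RSA key, so the numbers only illustrate the procedure.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    wire = b""
    for label in labels:
        raw = label.lower().encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even-offset bytes are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF                  # fold the carry back in
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4.
    Digest type 1 is SHA-1, type 2 is SHA-256."""
    data = name_to_wire(owner) + rdata
    if digest_type == 1:
        return hashlib.sha1(data).hexdigest().upper()
    if digest_type == 2:
        return hashlib.sha256(data).hexdigest().upper()
    raise ValueError("unsupported DS digest type")


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form of the DS record the parent zone publishes for this key."""
    algorithm = rdata[3]
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def ds_matches(owner: str, rdata: bytes, published_tag: int, published_alg: int,
               published_type: int, published_digest: str) -> bool:
    """Validator-side check: does the child's DNSKEY match the DS the parent published?
    Any change to the key, its flags or its algorithm changes the digest and is rejected."""
    return (key_tag(rdata) == published_tag
            and rdata[3] == published_alg
            and ds_digest(owner, rdata, published_type) == published_digest.upper())


# Constructed key-signing key: flags 257 (ZONE + SEP), protocol 3, algorithm 8 (RSA/SHA-256).
# The three key bytes are a placeholder, not a real RSA public key.
EXAMPLE_OWNER = "Example.COM."
EXAMPLE_KSK = dnskey_rdata(257, 3, 8, bytes([0x01, 0x02, 0x03]))

if __name__ == "__main__":
    published = ds_digest(EXAMPLE_OWNER, EXAMPLE_KSK)
    print(ds_record(EXAMPLE_OWNER, EXAMPLE_KSK))
    # A key with one byte altered no longer matches the parent's DS.
    tampered = EXAMPLE_KSK[:-1] + b"\x04"
    print("tampered key matches DS:",
          ds_matches(EXAMPLE_OWNER, tampered, key_tag(EXAMPLE_KSK), 8, 2, published))
```

With a real key, `ds_record` is the line a registrant submits to the parent zone after a KSK is generated in the HSM, and `ds_matches` is the check a validating resolver performs before trusting the child's DNSKEY RRset; the owner name is lower-cased before hashing so that `example.com` and `EXAMPLE.COM` yield the same DS.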