Cryptographic services to a variety of applications
by trevorw

Thales nShield

The Thales nShield is a general-purpose HSM with unique features that enable clients to protect keys for any cryptographic requirement.

General purpose HSMs present a set of low-level cryptographic APIs that developers use to build applications that require cryptographic processing. By embedding those functions and the keys that enable them in a secure hardware environment, applications are freed from the complexities of key management in software, and the inevitable security flaws that result.

Thales HSMs provide the following libraries to help developers write applications:

  • PKCS #11
  • Cryptographic Hardware Interface Library (CHIL)
  • Microsoft CryptoAPI (MSCAPI)
  • Microsoft Cryptography API: Next Generation (CNG)
  • nCipherKM JCA/JCE cryptographic service provider

What distinguishes the Thales HSMs is the concept of a Security World. The Security World provides an environment for the secure lifecycle management of cryptographic keys. The Security World environment gives the user control over the procedures and protocols needed to create, manage, distribute and, in the event of disaster, recover keys.

A Security World provides the following features:

  • Security
  • Application independence
  • Platform independence
  • Flexibility
  • Scalability
  • Robustness

A Security World is composed of:

  • One or more Thales HSMs (such as the nShield Connect or netHSM).
  • An Administrator Card Set (ACS), used to control access to Security World configuration, as well as recovery and replacement operations.
  • Optionally, one or more Operator Card Sets (OCSs), used to control access to specific application keys.
  • Additional cryptographic key and certificate metadata, encrypted using the Security World key and stored on a host computer.
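The list above describes the pattern that matters from a security standpoint: the world key stays inside the module, application keys reach the host only as encrypted blobs, and a card set gates their use. The following toy model, added here as an illustration and not Thales code or a description of how nShield actually implements a Security World, makes that pattern concrete in Python. It assumes a k-of-n Shamir split over a prime field as the card-set mechanism and an HMAC-SHA256-based toy wrap in place of the real blob format; `ToyModule`, `create_ocs`, `generate_app_key`, `mac` and `run_scenarios` are hypothetical names, and the sample key name and message are constructed.

```python
"""Toy model of the Security World pattern: the world key stays inside the module, application
keys reach the host only as encrypted blobs, and k of n Operator Cards must be presented
before a key is used. Illustration only; not Thales code and not nShield's real design."""
import hashlib
import hmac
import secrets

_P = 2**255 - 19       # prime field for the card-set shares (assumed toy parameter)
_NONCE, _TAG = 16, 32  # toy blob layout: nonce || ciphertext || HMAC-SHA256 tag

def _split(secret, k, n):
    """Shamir k-of-n split of `secret` (< _P); each (x, y) share is one 'card'."""
    coeffs = [secret] + [secrets.randbelow(_P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, _P) for i, c in enumerate(coeffs)) % _P)
            for x in range(1, n + 1)]

def _combine(shares):
    """Lagrange interpolation at x=0; fewer than k shares give an unrelated value."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % _P
                den = den * (xi - xj) % _P
        total = (total + yi * num * pow(den, -1, _P)) % _P
    return total

def _xor_stream(key, nonce, data):
    """Toy stream cipher: keystream block i = HMAC-SHA256(key, "ks" || nonce || i)."""
    out = bytearray()
    for blk, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, b"ks" + nonce + blk.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def _seal(key, aad, plaintext):
    """Encrypt-then-MAC wrap; `aad` binds the blob to the key's name."""
    nonce = secrets.token_bytes(_NONCE)
    ct = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(key, b"tag" + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key, aad, blob):
    """Check the tag first; any mismatch is refused before anything is decrypted."""
    nonce, ct, tag = blob[:_NONCE], blob[_NONCE:-_TAG], blob[-_TAG:]
    expect = hmac.new(key, b"tag" + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise PermissionError("blob rejected: wrong card quorum, wrong world, or tampering")
    return _xor_stream(key, nonce, ct)

class ToyModule:
    """Stands in for the HSM: the world key never leaves this object, and no method returns a key in the clear."""
    def __init__(self):
        self._world_key = secrets.token_bytes(32)

    def create_ocs(self, k, n):
        """Issue n cards, any k of which unlock keys protected by this set; the module keeps none."""
        return _split(int.from_bytes(secrets.token_bytes(31), "big"), k, n)

    def _wrap_key(self, cards, name):
        ocs_secret = _combine(cards).to_bytes(32, "big")
        return hmac.new(self._world_key, b"ocs" + ocs_secret + name, hashlib.sha256).digest()

    def generate_app_key(self, name, cards):
        """Generate a key inside the module; the host receives only the wrapped blob."""
        return _seal(self._wrap_key(cards, name), name, secrets.token_bytes(32))

    def mac(self, name, blob, cards, message):
        """Use the key without handing it to the host (HMAC stands in for any operation)."""
        app_key = _open(self._wrap_key(cards, name), name, blob)
        return hmac.new(app_key, message, hashlib.sha256).digest()

def run_scenarios():
    """Exercise the model; each entry is True when access was handled as intended."""
    module = ToyModule()
    name = b"payments-mac-key"
    cards = module.create_ocs(k=2, n=3)          # a 2-of-3 Operator Card Set
    blob = module.generate_app_key(name, cards)  # the only thing the host stores
    msg = b"amount=100;to=acct-42"               # constructed sample message

    def refused(fn):
        try:
            fn()
        except PermissionError:
            return True
        return False

    tampered = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]  # flip one ciphertext bit
    return {
        "any_quorum_works": module.mac(name, blob, cards[:2], msg)
                            == module.mac(name, blob, cards[1:], msg),
        "single_card_refused": refused(lambda: module.mac(name, blob, cards[:1], msg)),
        "wrong_name_refused": refused(lambda: module.mac(b"other-key", blob, cards[:2], msg)),
        "tampered_blob_refused": refused(lambda: module.mac(name, tampered, cards[:2], msg)),
        "other_world_refused": refused(lambda: ToyModule().mac(name, blob, cards[:2], msg)),
    }
```

Calling `run_scenarios()` returns every check as True: any two of the three cards unlock the key, a single card does not, a blob copied to another module (a different world) is useless, and a blob with a flipped bit or presented under the wrong key name is refused before decryption. The blob is also bound to its name through both the wrapping key and the authenticated data, so a host that holds many blobs cannot substitute one for another. The stream cipher and wrap format are deliberately simple stand-ins; the point is the division of trust, not the primitives.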

This diagram shows how the components of a Security World interact (diagram not reproduced here; source: Thales).

Thales nShield HSMs provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, data encryption and more. Available in three FIPS 140-2 certified form factors, nShield HSMs support a variety of uses, including:

Public Key Infrastructures

nShield HSMs generate and protect root and certificate authority (CA) keys, providing support for PKIs across numerous use cases and industries.

Code Signing

nShield HSMs can be used to sign an organization’s application code, ensuring that the distributed software remains secure, unaltered and authentic.

Digital Certificates

nShield HSMs can sign digital certificates for credentialing and authenticating proprietary devices for IoT applications and other network deployments.

Data Encryption

nShield HSMs can be used for bulk encryption and decryption.

GEOBRIDGE offers installation, training, product support, systems integration, and custom software development in support of the nShield HSM for organizations of any size. Specifically, GEOBRIDGE can provide users with:

  • Architectural guidance for users planning a networked HSM cloud.
  • Installation procedures and scripts that simplify and automate Thales HSM installation, including adding and removing HSMs from a Security World.
  • Maintenance procedures and scripts that simplify and automate Thales HSM software upgrades.
  • Phone and on-site assistance with installation and maintenance by trained technicians and engineers.
  • Guidance for application developers in using the cryptographic APIs. Alternatively, GEOBRIDGE can write modules that perform cryptographic functions, providing an abstracted interface model to the application and insulating the developer from the complexities of the HSM interface.

The nShield HSM is available in multiple form factors with support for a broad range of APIs. There is virtually no limit to the types of cryptographic implementations that can be supported by this platform.
