Your SlideShare is downloading. ×
Payment Hsm Payshield9000
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Payment Hsm Payshield9000

5,514
views

Published on


0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,514
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
234
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Information Security Systems > Thales Payment HSMs Bernard Foot Product Manager
  • 2. Information Security Systems > The Family – past & present
  • 3. Our pedigree < Created first Payment HSM – for Visa Market leader outside of US HP Atalla is market leader in US – but weak elsewhere We are well known & respectedIntroduction to Thales Payment HSMs – March 2011 70% of world’s payments are protected by Thales HSMs Atalla claim a similar thing! But that’s OK … each payment goes through multiple HSMs Over 12,000 units sold All major card applications work with Thales payment HSMs 2
  • 4. A history lesson < payShield 9000 (300)Introduction to Thales Payment HSMs – March 2011 HSM 8000 (5,500) RG7000 (7,000) We’ll be talking only about payShield 9000 RG6000 (3,000) 1988 1995 2003 2009 ??? 3
  • 5. Information Security Systems > How a Thales Payment HSM works
  • 6. How does a Thales HSM work? < Attaches to a computer (“host”) as a peripheral Command/Response API (Application Programming Interface): Host sends a command to HSM Asking for a function to be performed HSM sends response back to the host Confirmation/error code, results, …Introduction to Thales Payment HSMs – March 2011 These are simple messages sent by standard communications E.g. Ethernet Command requesting a function Response HSM Host Computer 5
  • 7. Command/Response API – Pro’s and Con’s < With Command/Response, nothing is installed on host So our HSMs work with any host No need to keep up with changes to Operating System A single command performs a complex functionIntroduction to Thales Payment HSMs – March 2011 We have about 300 available commands Down sides: Functionality limited to what we offer Less of a problem for payment card systems “Gaps” can be filled by Custom Software Some customers like standard APIs - PKCS #11, CAPI 6
  • 8. Reminder from last session - Card Payment Processing < Authorisation Issuer Switch PIN Block format C, Key C PIN BlockIntroduction to Thales Payment HSMs – March 2011 Format B, Key B PIN Block format A, Key A Acquirer Transaction 7
  • 9. Examples of commands for transaction processing < CA – convert a PIN Block from (format x, Terminal PIN key) to (format y, Zone PIN Key) DA - Verify a Terminal PIN using the IBM (or Diebold, Visa, Comparison) methodIntroduction to Thales Payment HSMs – March 2011 CY – verify a Visa (or Mastercard, …) Card Verification Value DU – (For PIN change by customer) Verify an IBM PIN Offset and, if successful, generate the PIN Offset of the customer- selected PIN using the IBM 3624 method. The current and new PINs are supplied in an encrypted form. 8
  • 10. Introduction to Thales Payment HSMs – March 2011 Thales API supported by the major industry software < 9
  • 11. Physical Host interfaces < payShield 9000: Dual Gigabit Ethernet ports (TCP/IP & UDP) (from v1.1) Asynchronous FICON (new IBM fibre optic) - in developmentIntroduction to Thales Payment HSMs – March 2011 HSM 8000: Single 100Mbit Ethernet port (TCP/IP & UDP) Asynchronous ESCON (obsolete IBM fibre optic) SNA/SDLC (obsolete IBM network) 10
  • 12. Information Security Systems > A bit about the payShield 9000 …
  • 13. What the customer buys < Hardware Base software package * Optional Licences Remote Management Custom softwareIntroduction to Thales Payment HSMs – March 2011 Accessories Cabinets, spare keys, rack-mount kits Professional services Support * Base software licence for HSM 8000 12
  • 14. Layout of the payShield 9000 < Cover detector 4 USB ports microswitches 4 Ethernet ports Secure Crypto Smart card reader Sub-system (TSPP) Erase Button LeftIntroduction to Thales Payment HSMs – March 2011 Keylock LEDs Main board Dual Power 2 USB ports Supply Units Restart Button Tamper Labels go here Right Keylock 13
  • 15. Local Master Keys - LMKs < The crucial secret Stored in the Secure Cryptographic Module (TSPP) No person has whole LMK – only components Always deleted when the HSM is tampered Encrypts all the operational keys used by the HSM Outside of the HSM, operational keys are never in the clearIntroduction to Thales Payment HSMs – March 2011 2 types: Variant – older, less secure, used by nearly all customers Key Block – new, more secure, little used – yet Multiple LMKs HSM can have up to 10 LMKs Managed by different security teams Allows multiple clients/applications on one HSM Makes refreshing of LMKs easier Unique to Thales payment HSMs 14
  • 16. Hardware Options < Range of performance modules 20, 50, 220, 800, 1500* tps (transactions per second) Can be upgraded in the field Dual Power Supply Unit (PSU) *Introduction to Thales Payment HSMs – March 2011 Must be ordered at time of purchase Not hot swap: lets customer plan replacement of dead PSU Power Cord type * Not available on HSM 8000 15
  • 17. About performance … < Rated Performance relates to CA command (PIN Block Translation) Most other commands run at same speed Some commands run slower (e.g. RSA Key Generation) May depend on key length and payload All commands run faster on higher performance HSMIntroduction to Thales Payment HSMs – March 2011 Dual ports do not give additional performance Multiple threads/connections needed for full throughput Up to 64 threads per Ethernet port (128 total) Maximum performance by 4-8 ports Depends on HSM model and command 16
  • 18. Software licenses – Base packages < Each payShield 9000 must have one – and only one – Base Package Packages HSM9- HSM9- HSM9- HSM9- PAC001 PAC010 PAC020 PAC030Introduction to Thales Payment HSMs – March 2011 HSM 8000 Transaction Magnetic EMV base Processing Stripe Issuers equivalent Issuers HSM 8000 has only HSM8-LIC001 base licence 17
  • 19. Software licenses – optional items < Sales Order Code License Description HSM9-LIC002 RSA license HSM9-LIC003 AS2805 license HSM9-LIC004 Europay Security Platform (ESP) license HSM9-LIC005 User Authentication (HMAC/CAP/DPA) license HSM9-LIC006 X9 TR-31 license HSM9-LIC008 Data Protection license HSM9-LIC009 Remote Management license HSM9-LIC011 Magnetic Stripe Contactless Card Data Preparation licenseIntroduction to Thales Payment HSMs – March 2011 HSM9-LIC012 LMK x 2 license HSM9-LIC013 LMK x 5 license HSM9-LIC014 WebPIN license HSM9-LIC016 EMV-based Card Data Preparation license KSM9-LIC020 Korean Algorithm license HSM9-LIC021 LMK x 10 license HSM9-LIC024 Magnetic Stripe Issuing license HSM9-LIC025 Magnetic Stripe Transaction Processing license HSM9-LIC026 EMV Transaction Processing license HSM9-LIC027 PIN and Key Printing license HSM9-LIC028 Visa Cash Processing license HSM9-LIC029 Legacy Functions license 18
  • 20. Custom software < Allows customer to have whatever functionality they need Customer pays for development once Software can be installed on multiple HSMs for free, but … Customer must buy base Package or LicenseIntroduction to Thales Payment HSMs – March 2011 Custom software is built for a specific base version (e.g. 1.0) To work with a later base version (e.g. 1.1), the custom software must be ported HSM 8000 custom software can be ported to payShield 9000 Fixed prices for porting from HSM 8000 v2 & v3 19
  • 21. Local & Remote HSM Manager < Local HSM Manager Provided as part of the base product – no charge Since HSM 8000 v3.1a & payShield 9000 v1.0a Replaces the Console (80x24 character terminal) Provides Graphical User Interface (GUI)Introduction to Thales Payment HSMs – March 2011 Locked-down bootable Linux CD Runs on most PC hardware Remote HSM Manager Similar to Local HSM Manager, but … Optional – must be purchased Allows HSM to be managed across a TCP/IP network 20
  • 22. Remote HSM Manager < Bootable CD with Linux OS & Remote Management App (RMA) Administrator smart card readers – simulate physical keysIntroduction to Thales Payment HSMs – March 2011 Operator smart card WAN reader – simulates Standard Authorising Officer PC or Laptop Ethernet card in Local Mngr Management port 21
  • 23. Remote HSM Manager < Benefits: Modern graphical user interface (GUI) Fits in with organisation’s structure Avoids time & cost of travel Gets around restrictions on data centre accessIntroduction to Thales Payment HSMs – March 2011 Updates and management changes can be done quickly What the Customer buys: 1 Remote Management System Pack HSM9-LIC009 for each HSM Optional: additional System Packs, smart cards, card readers 22
  • 24. Introduction to Thales Payment HSMs – March 201123 Remote (and Local) HSM Manager GUI <
  • 25. Main certifications < payShield 9000: FIPS 140-2 Level 3 (TSPP crypto module only) PCI HSM (in progress) APCA (in progress) MEPS (Cartes Bancaires) (future)Introduction to Thales Payment HSMs – March 2011 HSM 8000: FIPS 140-2 Level 3 (SGSS crypto module only) APCA MEPS (Cartes Bancaires) HSM 8000 will not be PCI HSM-certified 24
  • 26. Information Security Systems > Some useful materials … (all available via your Thales representative)
  • 27. Brochures < payShield 9000: Brochure Application Note Datasheet HSM 8000:Introduction to Thales Payment HSMs – March 2011 Brochure Application Note Datasheet 26
  • 28. Application Notes < • Utilization & Health Check Reporting • Packages & Licenses • Software & License Update Procedure • Introduction of New Smartcards • Thales key Blocks • TR-31 Key BlocksIntroduction to Thales Payment HSMs – March 2011 • Multiple LMKs • Remote HSM Manager • Remote Key Loading • Support for EMV PIN Change • Diagnostic Commands • Multiple Authorised States • Contactless Payments • Message Encryption 27
  • 29. Thales Payment HSMs < Foundation for Secure Banking ServicesIntroduction to Thales Payment HSMs – March 2011 bernard.foot@thales-esecurity.com 28