Hardware Security Modules (HSMs) are widely use for cryptography key management in many areas such as PKI, card payment, trusted platform modules, etc. However they are rarely used in in-house software development.
This presentation will explain about why we need the key management and its fundamental, overview of HSM and how it take parts in key management, HSM selection criterias, and finally, an idea to make a web service wrapper easier to adopt by developers those lack of knowledge in cryptography programming.
This slide describes IMS authentication with AKAv1 and AKAv2 protocol in detail based on the Verizon White paper.
The white paper is available on SlideShare: https://lnkd.in/gkujTRV
High availability of a messaging system is essential. This is especially true for IBM MQ systems which are absolutely critical to the smooth running of many enterprises. IBM MQ Advanced made achieving high availability even easier with Replicated Data Queue Managers. Learn how this and other HA capabilities fits into a system that provides both high availability of the messaging system as a whole and every last piece of critical messaging data that you care about.
Hardware Security Modules (HSMs) are widely use for cryptography key management in many areas such as PKI, card payment, trusted platform modules, etc. However they are rarely used in in-house software development.
This presentation will explain about why we need the key management and its fundamental, overview of HSM and how it take parts in key management, HSM selection criterias, and finally, an idea to make a web service wrapper easier to adopt by developers those lack of knowledge in cryptography programming.
This slide describes IMS authentication with AKAv1 and AKAv2 protocol in detail based on the Verizon White paper.
The white paper is available on SlideShare: https://lnkd.in/gkujTRV
High availability of a messaging system is essential. This is especially true for IBM MQ systems which are absolutely critical to the smooth running of many enterprises. IBM MQ Advanced made achieving high availability even easier with Replicated Data Queue Managers. Learn how this and other HA capabilities fits into a system that provides both high availability of the messaging system as a whole and every last piece of critical messaging data that you care about.
It is about the SET that how it was launched and what were the problems which it faced after launched and what was new after it as a solution of the problems as the security experts found.
What is PCRF? – Detailed PCRF architecture and functioningMahindra Comviva
PCRF- Policy and Charging Rules Function- is a dedicated policy controller equipment standardized in 3GPP, enabling policy function for charging & bandwidth on the multimedia networks. Smart Policy Control function combines network and customer intelligence to launch tailored service offerings for business and residential customers.
Read more: http://www.mahindracomviva.com/products/internet-broadband-solutions/smart-policy-control-suite.htm
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
A presentation explaining the concepts of public key infrastructure. It covers topics like Public Key Infrastructure (PKI) introduction, Digital Certificate, Trust Services, Digital Signature Certificate, TLS Certificate, Code Signing Certificate, Time Stamping, Email Encryption Certificate
E-MAIL, IP & WEB SECURITY
E-mail Security: Security Services for E-mail-attacks possible through E-mail – establishing keys privacy-authentication of the source-Message Integrity-Non-repudiation-Pretty Good Privacy-S/MIME. IPSecurity: Overview of IPSec – IP and IPv6-Authentication Header-Encapsulation Security Payload (ESP)-Internet Key Exchange (Phases of IKE, ISAKMP/IKE Encoding). Web Security:
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
TRex is an open source, low cost, stateful traffic generator fuelled by DPDK. It generates L4-7 traffic based on pre-processing and a smart replay of real traffic templates. TRex amplifies both client and server side traffic and can scale to 200Gb/sec with one UCS.
Introduction to Public Key InfrastructureTheo Gravity
Adonis Fung and I worked on a project where we defined and built PKI (Public Key Infrastructure) for our local development and deployed environments. I gave a talk to our engineers on how PKI works, covering encryption, signing, trust stores, and how the HTTPS handshake works.
Overview of the SSH protocol.
SSH (Secure SHell) is a secure replacement for TELNET, rcp, rlogin, rsh (for login, remote execution of
commands, file transfer).
Security-wise SSH provides confidentiality (nobody can read the message content), integrity (guarantee that data is unaltered in transit) and authentication (of client and server). This provides protection against many of the possible attack vectors like IP spoofing, DNS spoofing, Password interception and eavesdropping.
SSH exists in 2 versions. SSH-2 fixes some of the shortcomings of SSH-1 so it should be used in place of SSH-1.
SSH also comes with features that in itself raise security concerns like tunneling and port forwarding.
The Mainframe's Role in Enterprise Security Management - Jean-Marc DareesNRB
We are expecting more and more from our IBM z Systems. Our critical data and applications are nested in our IBM z Systems infrastructure, and more than ever it positions itself as the security hub. It now exports services to secure distributed environment thanks to its security as a services capabilities. During this lecture, Mr Darées talks about z Systems Roles for security in most of today’s hot topics (compliance, Database encryption, Tokenization, Digital Certificates, ...).
It is about the SET that how it was launched and what were the problems which it faced after launched and what was new after it as a solution of the problems as the security experts found.
What is PCRF? – Detailed PCRF architecture and functioningMahindra Comviva
PCRF- Policy and Charging Rules Function- is a dedicated policy controller equipment standardized in 3GPP, enabling policy function for charging & bandwidth on the multimedia networks. Smart Policy Control function combines network and customer intelligence to launch tailored service offerings for business and residential customers.
Read more: http://www.mahindracomviva.com/products/internet-broadband-solutions/smart-policy-control-suite.htm
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
A presentation explaining the concepts of public key infrastructure. It covers topics like Public Key Infrastructure (PKI) introduction, Digital Certificate, Trust Services, Digital Signature Certificate, TLS Certificate, Code Signing Certificate, Time Stamping, Email Encryption Certificate
E-MAIL, IP & WEB SECURITY
E-mail Security: Security Services for E-mail-attacks possible through E-mail – establishing keys privacy-authentication of the source-Message Integrity-Non-repudiation-Pretty Good Privacy-S/MIME. IPSecurity: Overview of IPSec – IP and IPv6-Authentication Header-Encapsulation Security Payload (ESP)-Internet Key Exchange (Phases of IKE, ISAKMP/IKE Encoding). Web Security:
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
TRex is an open source, low cost, stateful traffic generator fuelled by DPDK. It generates L4-7 traffic based on pre-processing and a smart replay of real traffic templates. TRex amplifies both client and server side traffic and can scale to 200Gb/sec with one UCS.
Introduction to Public Key InfrastructureTheo Gravity
Adonis Fung and I worked on a project where we defined and built PKI (Public Key Infrastructure) for our local development and deployed environments. I gave a talk to our engineers on how PKI works, covering encryption, signing, trust stores, and how the HTTPS handshake works.
Overview of the SSH protocol.
SSH (Secure SHell) is a secure replacement for TELNET, rcp, rlogin, rsh (for login, remote execution of
commands, file transfer).
Security-wise SSH provides confidentiality (nobody can read the message content), integrity (guarantee that data is unaltered in transit) and authentication (of client and server). This provides protection against many of the possible attack vectors like IP spoofing, DNS spoofing, Password interception and eavesdropping.
SSH exists in 2 versions. SSH-2 fixes some of the shortcomings of SSH-1 so it should be used in place of SSH-1.
SSH also comes with features that in itself raise security concerns like tunneling and port forwarding.
The Mainframe's Role in Enterprise Security Management - Jean-Marc DareesNRB
We are expecting more and more from our IBM z Systems. Our critical data and applications are nested in our IBM z Systems infrastructure, and more than ever it positions itself as the security hub. It now exports services to secure distributed environment thanks to its security as a services capabilities. During this lecture, Mr Darées talks about z Systems Roles for security in most of today’s hot topics (compliance, Database encryption, Tokenization, Digital Certificates, ...).
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
Smart connected devices such as mobile phones, tablets and Digital TVs are required to handle data with strong security and confidentiality requirements. A “Trusted Execution Environment” (TEE) provides an environment for processing data securely, protected from normal platform applications. This talk is intended as an introduction to Trusted Execution, and the open-source Trusted Execution Environment OP-TEE in particular. It introduces the GlobalPlatform TEE Specifications, explains how Trusted Execution is implemented by ARM TrustZone and OP-TEE, and outlines how trusted boot software manages the secure boot of an ARM platform. Finally, it gives some pointers on how to get started with OP-TEE.
Shameful secrets of proprietary network protocolsSlawomir Jasek
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
TRUMON - The Smart Transaction SurveillancePRASIMAX
TRUMON Transaction Surveillance System is designed for POS/Cash Registers activity monitoring. Tax office, tenant management and customer analytic users can use them as solutions.
One of several documents describing an earlier version of the Secure Computing InFrastructure (SCIF) architecture and embodiment for a medical applicaton
Call Tracker by ICNS is very popular in the Caribbean and is used to track calls and produce a wide range of reports on PBXs from Avaya, Mitel, 3CX, Cisco, Nortel etc.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
2. About Aamra
Aamra is an combination of businesses focused
towards catalyzing the modernization of Bangladesh
by providing technology driven solutions to their
clients in various market segments.
For more info please visit www.aamra.com.bd
3. Companies of Aamra
Textile and Apparels
aamra resources limited
aamra embroideries limited
aamra fashions (cepz) limited
Information and Communication Technologies
aamra technologies limited
aamra networks limited
aamra infotainment limited
aamra solutions limited
aamra outsourcing limited
Outsourcing and Professional Development
aamra fitness limited
aamra management solutions
6. Hardware Security Modules (HSMs)
Hardware security modules (HSMs) is a tamper-resistant environment for performing
secure cryptographic processing, key protection, and key management.
With these devices you can deploy high assurance security solutions that satisfy
widely established standards for cryptographic systems and practices—while also
maintaining high levels of operational efficiency.
HSMs are available in multiple form factors to support all common deployment
scenarios ranging from portable devices to high-performance data center. Turn to
nShield HSMs for general-purpose security, and turn to payShield 9000 for leading
payment system security. Whichever HSMs you choose, you will gain confidence in
system security and streamline administration and regulatory compliance.
8. Thales payShield 9000
Designed specifically for payments applications, payShield 9000 from Thales e-
Security is a proven hardware security module (HSM) that performs tasks such as PIN
protection and validation, transaction processing, payment card issuance, and key
management.
payShield 9000 is the most widely deployed payment HSM in the world, used in an
estimated 80% of all payment card transactions.
The payShield 9000 device is deployed as an external peripheral for mainframes and
servers running card issuing and payment processing software applications for the
electronic payments industry—delivering high assurance protection for Automated
Teller Machine (ATM) and Point of Sale (POS) credit and debit card transactions.
9. Thales payShield 9000
The cryptographic functionality and management features of payShield 9000 meet or
exceed the card application and security audit requirements of the major
international card schemes, including American Express, Discover, JCB, MasterCard,
UnionPay, and Visa.
10. Thales payShield 9000 Standard
functions
• Verifying and generating Personal Identification Numbers (PINs) such as those
used with bank accounts and credit cards.
• Generating encrypted card values such as Card Verification Values (CVVs) for the
plastic card industry.
• PIN solicitation, to obtain a new PIN from a card holder (against a reference
number).
• Generating keys for use in Electronic Funds Transfer Point of Sale (EFTPOS)
systems.
• Key management in non-EFTPOS systems.
• Generating and verifying Message Authorization Codes (MACs) for messages
transferred via telecommunications networks.
17. HSM Smartcard
The smartcard is used in conjunction with
the HSM 8000 and payShield 9000 to
securely store:
Local Master Key components;
HSM configuration details;
Remote Manager key material
19. Security Management Controls
Operational State - Security Officer Keylocks
No Keys - Online – Live Operation
1 Key holder - Offline – Config. and Maintenance
1 and 2 Keys Holder - Secure- Key Load, Config. Alarms
20. Connecting to the Console Terminal
The console is connected to one of the USB port on the console, using the USB-to-
Serial converter cable supplied with the payShield 9000.
The USB ports on the HSM have a hierarchy, and it is important that no serial
devices are attached to a USB port with a higher priority than the Console.
The port hierarchy (from highest to lowest) is:
Front left port
Front right port
Rear port labeled “1”
Rear port labeled “2”
Rear port labeled “3”
If a Console is being attached to a payShield 9000 that has already been in use, it
must not be attached to a USB port which has been configured for a printer.
21. View the License
An HSM license is an electronic file which when loaded into a payShield 9000
HSM, determines the features available to the user. The license is associated with
a particular unit's serial number and is therefore not transferable between units.
The license will affect such areas as the communication interfaces and the
cryptographic algorithms available
VR Command is used to view the HSM License information.
22. Base Versions payShield 9000
• 1.1a
• 1.1b
• 1.2a
• 1.4c
• 1.4d
• 2.2a (Obsolete because of Open SSL bug)
• 2.2b
28. LMK – Local Mater Key
The local master key is the master key for your HSM, used to protect all other
keys in your system.
Often be hierarchy of keys.
LMK
TMK or ZMK
TPK or ZPK
Data
33. Ethernet TCP Port
Host commands sent via TCP/IP
have been directed to the HSM's
Well-Known Port, and this
continues to be supported.
However, host commands directed
to [the Well-Known Port +1] will
automatically use LMK Id 00; host
commands directed to [the Well-
Known Port +2] will automatically
use LMK Id 01
34. Configure HSM Settings
What is it?
• Configuration of sets security parameter and some
processing parameters
• Pay Shield 9000 must be in secure state
• Requires reloading of LMK for security sensitive changes
35. Configure HSM Settings
PIN length: 04
Encrypted PIN length: 05
Echo: OFF
Atalla ZMK variant support: OFF
Transaction key support: RACAL
User storage key length: SINGLE
Select clear PINs: NO
Enable ZMK translate command: YES
Enable X9.17 for import: YES
Enable X9.17 for export: YES
Solicitation batch size: 1024
Single-DES: DISABLED
Prevent Single-DES keys masquerading as double or triple-length keys: NO
ZMK length: DOUBLE
Decimalization tables: PLAINTEXT
Decimalization table checks: DISABLED
36. Configure HSM Settings Continue …
PIN encryption algorithm: A
Card/password authorisation (local): C
Authorised State required when Importing DES key under RSA key: YES
Minimum HMAC key length in bytes: 10
Enable PKCS#11 import and export for HMAC keys: YES
Enable ANSI X9.17 import and export for HMAC keys: YES
Enable ZEK encryption of all printable ASCII chars: YES
Enable ZEK encryption of "Base94" ASCII chars: YES
Enable ZEK encryption of "Base64" ASCII chars: YES
Enable ZEK encryption of "Hex-only" ASCII chars: YES
Restrict Key Check Values to 6 hex chars: YES
Enable multiple authorised activities: NO
Enable variable length PIN offset: NO
Enable weak PIN checking: NO
Enable Pin Block Format 34 as output format for PIN Translations to ZPK: YES
Default LMK identifier: 00
37. Configure HSM Settings Continue …
Management LMK identifier: 00
Use HSM clock for date/time validation: NO
Additional padding to disguise key length: NO
Key export and import in trusted format only: NO
Protect MULTOS Cipher Data Checksums: NO
Document
QS Console Command to view the HSM Settings
38. Configure HSM Host
CH Console Command to configure the HSM Host.
From version 2.2b H1 and H2 host port are active. And
Version lower 2.2b H1 host is active.
Document
39. Configure HSM PIN Printer
CP command is to configure the PIN Mailer Printer. And
QP command is to view the settings.
Document
40. Printer Communication
Serial Printer
The payShield 9000 HSM can communicate with a printer via an asynchronous
serial connection by employing a USB-to-serial converter cable (supplied by
Thales). The USB cable end should be inserted into one of the 4 USB ports on the
rear panel of the HSM; the serial cable end should be connected to the printer.
The console (CP command) or HSM Manager (Edit > Printer Interface menu) can
then be used to select the appropriate configuration for the port.
Parallel Printer
The payShield 9000 HSM can communicate with a printer via an industry-standard
IEEE 1284 parallel connection by employing a USB-to-parallel converter
cable (supplied by Thales). The USB cable end should be inserted into one of the
4 USB ports on the rear panel of the HSM; the parallel cable end should be
connected to the printer. The console (CP command) or HSM Manager (Edit >
Printer Interface menu) can then be used to select the appropriate configuration
for the port.
41. Configure Console Port
To set the baud rate and word format for the console port. The
new settings come into effect immediately after the command has
completed. The default settings for the Console Port are: 9600
baud, eight data bits, no parity and one stop bit.
CC command is to configure the console port and QC is to view
the console port configuration.
Inputs:
Console baud rate.
Console word format.
Console parity.
Console flow control.
Document
42. Configure Management Port
To configure the Management port, which is an Ethernet port used only for
management of the HSM. If connection to the host is via Ethernet then the
Ethernet host port is used for that purpose. The Management Ethernet port is
used to update the HSM's internal software, updating licensing information,
and for enabling management of a HSM via the Local or Remote HSM
Manager.
CM command is to configure the management port and QM is to view the
management port configuration.
Document
43. Save Configuration Security Settings
Command SS to save the configuration security settings
• Save configure security settings to smartcard
• Card needss to be correctly formatted (not formatted
for LMK)
• Saves just settings form configure commands.
RS Command to past configuration settings to HSM
46. LHM File Menu
Connect – establish a connection with an HSM.
Disconnect – terminate an established connection with an HSM.
Login – login using one or two smartcards, to access Operator or Security
Officer functions.
Logout – terminate the current role, and return to Guest.
Load Settings – load HSM settings from a previously saved file.
Save Settings – save HSM settings to a selected file.
Load Firmware – download a different version of firmware into the HSM.
Load Licence – download a different licence into the HSM.
Exit – disconnects you from the HSM and closes down the HSM Manager
application
47. LHM Edit Menu
General Settings – to view/modify general HSM settings.
Advanced Settings – to view/modify important system settings.
Initial Settings – to view/modify sensitive security settings.
Host Interface – to view/modify host communications settings.
Printer Interface – to view/modify serial and parallel printer communications
settings.
Management Interface – to view/modify management communications
settings.
Host Commands – to view/enable/disable individual or groups of host
commands.
PIN Blocks – to view/enable/disable individual PIN block formats.
Auditing – to view/modify the list of audited events.
HSM Date/Time – to view/set the HSM’s internal clock.
Authorize – to view/set the HSM’s authorized state/activities.
48. LHM View Menu
Logs – to view/erase the HSM’s internal error and audit logs.
HSM Information – to view the HSM information (firmware, licenses, etc.).
Remote Details – to view remote management configuration details.
49. LHM LMKs Menu
Generate Keys – to generate a new LMK onto smart cards.
Install LMK – to load a new LMK from smart cards into the HSM.
Install ‘Old’ LMK – to load an old LMK from smart cards into the “key change
storage” area.
Copy LMK Component Card – to create a copy of an existing LMK component
card.
Create Authorizing Officer Card – to create an LMK Authorizing Officer
smartcard from an existing LMK Component Card.
Uninstall LMK – to uninstall an LMK from the HSM.
50. LHM Keys Menu
Generate Keys – to generate specific keys under the LMK.
Key Import – to import keys from a different cryptographic zone.
Key Export – to export keys to a different cryptographic zone.
Generate Components – to generate new key components.
Encrypt Components – to encrypt supplied key components using the LMK.
Form Key from Components – to form keys from supplied key components.
51. LHM Tools Menu
Smartcard – to perform smart card management functions.
Diagnostics – to perform network management diagnostic functions.
Utilities – to perform general utility functions, including:
− Calculate Key Check Value
− Encrypt Decimalization Table
− Translate Decimalization Table
− Generate MAC on Issuer Proprietary Bitmap (for CAP/DPA)
− Generate CVV/CVC
− Generate VISA PVV
Utilisation and Health Check Data (payShield 9000 only) – to view and manage
the HSM’s utilization and health check data:
− Configure Statistics
− Health Check Data
− HSM Loading Value Host Command Statistics
− Reset Statistics
52. LHM Tools Menu
SNMP (payShield 9000 only) – to configure the SNMP interfaces:
− Display – show SNMP Communities/Users
− Add – add SNMP Communities/Users
− Delete – remove SNMP Communities/Users
> Secure Host Communications (payShield 9000 only):
− Generate Certificate Signing Request
− Export HSM CA Certificate
− Import Signed Certificate
− Generate HMK
− Recover HMK
− Change HMK Passphrase
− View Certificates
− Delete Certificates
> Reset Fraud Detection – to restore operation after fraud detection.
> Return to Factory Settings – to remove all settings that have been made since
the HSM was shipped from the factory
53. Audit and Health Check
Alarms
Utilization Statistics
Health Checks
Error Log
Audit Log
54. Alarms
CL Command to configure the alarms:
Secure> CL
Please make a selection. The current setting is in parentheses.
Motion alarm [Low/Med/High/ofF] (OFF): H
Save ALARM settings to smart card? [Y/N]: n
QL Command to view the alarms configuration:
Online> QL
Temperature alarm enabled
Motion alarm enabled high sensitivity
Online>
Alarms will log at Audit log and Error log
60. Permanent HSM Decommissioning
Permanent decommissioning may become
necessary when an HSM reaches the end of its
normal operational life. For example it could be
replaced by a newer model or by a higher speed
model, or the application to which it provides
security services is to be discontinued.