This document provides an overview of Thales Payment HSMs (hardware security modules). It discusses Thales' history in payment HSMs and the features of their current payShield 9000 model. Key points covered include how Thales HSMs work using a command/response API, examples of common commands, physical interfaces, local master keys, hardware and software options, and certifications. Useful collateral materials for learning more about Thales Payment HSMs are also listed.
3. Our pedigree
Created first Payment HSM – for Visa
Market leader outside of US
HP Atalla is market leader in US – but weak elsewhere
We are well known & respected
Introduction to Thales Payment HSMs – March 2011
70% of world’s payments are protected by Thales HSMs
Atalla claim a similar thing!
But that’s OK … each payment goes through multiple HSMs
Over 12,000 units sold
All major card applications work with Thales payment HSMs
4. A history lesson
[Timeline figure. Axis: 1988, 1995, 2003, 2009, ???. Products shown: payShield 9000 (300), HSM 8000 (5,500), RG7000 (7,000), RG6000 (3,000)]
We’ll be talking only about payShield 9000
6. How does a Thales HSM work?
Attaches to a computer (“host”) as a peripheral
Command/Response API (Application Programming Interface):
Host sends a command to HSM
Asking for a function to be performed
HSM sends response back to the host
Confirmation/error code, results, …
These are simple messages sent by standard communications
E.g. Ethernet
[Diagram: Host Computer sends "Command requesting a function" to the HSM; HSM returns "Response"]
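The command/response exchange described above, as an added Python example that is not Thales code and not taken from this deck. It assumes a framing of a 2-byte big-endian length, a 4-character header echoed back by the HSM, a 2-character command code, and a response made of the command code with its second letter advanced plus a 2-character error code where `00` means success; `fake_hsm`, the payload and all function names are constructed for illustration.

```python
import struct

HEADER_LEN = 4  # assumed header length; treated as fixed in this example


class FrameError(ValueError):
    """Raised when a response cannot be matched to the request it answers."""


def response_code_for(command: str) -> str:
    # Assumed convention: second character advanced by one (CA -> CB, DA -> DB).
    return command[0] + chr(ord(command[1]) + 1)


def build_command(header: str, command: str, payload: bytes = b"") -> bytes:
    if len(header) != HEADER_LEN or len(command) != 2:
        raise ValueError("header must be 4 characters and command 2 characters")
    body = header.encode("ascii") + command.encode("ascii") + payload
    return struct.pack(">H", len(body)) + body  # 2-byte big-endian length prefix


def parse_response(frame: bytes, header: str, command: str):
    """Return (error_code, data) after checking length, header and response code."""
    if len(frame) < 2:
        raise FrameError("truncated length prefix")
    (length,) = struct.unpack(">H", frame[:2])
    body = frame[2:]
    if len(body) != length:
        raise FrameError(f"length prefix says {length}, got {len(body)} bytes")
    if length < HEADER_LEN + 4:
        raise FrameError("too short for header, response code and error code")
    # The echoed header ties a response to its request; a mismatch means the
    # host would otherwise act on the result of a different command.
    if body[:HEADER_LEN] != header.encode("ascii"):
        raise FrameError("header mismatch")
    code = body[HEADER_LEN:HEADER_LEN + 2].decode("ascii")
    if code != response_code_for(command):
        raise FrameError(f"unexpected response code {code!r}")
    error = body[HEADER_LEN + 2:HEADER_LEN + 4].decode("ascii")
    return error, body[HEADER_LEN + 4:]


def fake_hsm(frame: bytes) -> bytes:
    """Constructed stand-in for the HSM: echoes the header and answers '00'."""
    header, command = frame[2:6].decode(), frame[6:8].decode()
    body = (header + response_code_for(command) + "00").encode() + b"RESULT"
    return struct.pack(">H", len(body)) + body
```

A host should treat any error code other than `00`, and any `FrameError`, as a failed operation rather than retrying with the same data on a different connection.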
7. Command/Response API – Pros and Cons
With Command/Response, nothing is installed on host
So our HSMs work with any host
No need to keep up with changes to Operating System
A single command performs a complex function
We have about 300 available commands
Down sides:
Functionality limited to what we offer
Less of a problem for payment card systems
“Gaps” can be filled by Custom Software
Some customers like standard APIs - PKCS #11, CAPI
8. Reminder from last session - Card Payment Processing
[Diagram: Acquirer, Switch and Issuer, with Transaction and Authorisation flows. PIN Block labels: format A, Key A; format B, Key B; format C, Key C]
9. Examples of commands for transaction processing
CA – convert a PIN Block from (format x, Terminal PIN key) to (format y, Zone PIN Key)
DA – verify a Terminal PIN using the IBM (or Diebold, Visa, Comparison) method
CY – verify a Visa (or Mastercard, …) Card Verification Value
DU – (for PIN change by customer) verify an IBM PIN Offset and, if successful, generate the PIN Offset of the customer-selected PIN using the IBM 3624 method. The current and new PINs are supplied in an encrypted form.
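The offset arithmetic behind the DU description above, as an added Python example that is not from this deck or from Thales code. It models only what happens inside the HSM boundary, so PINs appear in clear here; `SAMPLE_CIPHER` is a constructed stand-in for the validation data encrypted under the PIN verification key, and the decimalisation table and all function names are assumptions.

```python
import hmac

DEC_TABLE = "0123456789012345"  # assumed decimalisation table, one digit per hex value
SAMPLE_CIPHER = "3F7C2201A9D4E6B8"  # constructed: stands in for the encrypted validation data


def _is_decimal(s: str) -> bool:
    return s.isascii() and s.isdigit()


def natural_pin(cipher_hex: str, pin_len: int, dec_table: str = DEC_TABLE) -> str:
    """Decimalise the encrypted validation data; keep the leftmost pin_len digits."""
    if len(dec_table) != 16 or not _is_decimal(dec_table):
        raise ValueError("decimalisation table must be 16 decimal digits")
    if not 4 <= pin_len <= len(cipher_hex):
        raise ValueError("unsupported PIN length")
    return "".join(dec_table[int(h, 16)] for h in cipher_hex[:pin_len])


def make_offset(pin: str, natural: str) -> str:
    """Offset = PIN minus natural PIN, digit by digit, modulo 10 (no borrow)."""
    if len(pin) != len(natural) or not _is_decimal(pin):
        raise ValueError("PIN must be decimal and as long as the natural PIN")
    return "".join(str((int(p) - int(n)) % 10) for p, n in zip(pin, natural))


def verify_offset(pin: str, natural: str, offset: str) -> bool:
    """Valid when natural PIN + offset (mod 10 per digit) equals the PIN."""
    if not (_is_decimal(pin) and _is_decimal(offset)):
        return False
    if not len(pin) == len(natural) == len(offset):
        return False
    derived = "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))
    return hmac.compare_digest(derived, pin)


def change_pin(cipher_hex: str, current_pin: str, stored_offset: str, new_pin: str):
    """Model of the DU flow: verify the current offset, then derive the new one.
    Returns the new offset, or None when the current PIN does not verify."""
    natural = natural_pin(cipher_hex, len(current_pin))
    if not verify_offset(current_pin, natural, stored_offset):
        return None
    return make_offset(new_pin, natural_pin(cipher_hex, len(new_pin)))
```

Because the offset is the only per-customer value stored, a PIN change updates the offset and leaves the verification key and validation data untouched.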
10. Thales API supported by the major industry software
11. Physical Host interfaces
payShield 9000:
Dual Gigabit Ethernet ports (TCP/IP & UDP) (from v1.1)
Asynchronous
FICON (new IBM fibre optic) - in development
HSM 8000:
Single 100Mbit Ethernet port (TCP/IP & UDP)
Asynchronous
ESCON (obsolete IBM fibre optic)
SNA/SDLC (obsolete IBM network)
13. What the customer buys
Hardware
Base software package *
Optional Licences
Remote Management
Custom software
Accessories
Cabinets, spare keys, rack-mount kits
Professional services
Support
* Base software licence for HSM 8000
14. Layout of the payShield 9000
[Diagram of the payShield 9000 chassis. Labelled parts: Cover detector microswitches; 4 USB ports; 4 Ethernet ports; Secure Crypto Sub-system (TSPP); Smart card reader; Erase Button; Left Keylock; Right Keylock; LEDs; Main board; Dual Power Supply Units; 2 USB ports; Restart Button; "Tamper Labels go here"]
15. Local Master Keys - LMKs
The crucial secret
Stored in the Secure Cryptographic Module (TSPP)
No person has whole LMK – only components
Always deleted when the HSM is tampered with
Encrypts all the operational keys used by the HSM
Outside of the HSM, operational keys are never in the clear
2 types:
Variant – older, less secure, used by nearly all customers
Key Block – new, more secure, little used – yet
Multiple LMKs
HSM can have up to 10 LMKs
Managed by different security teams
Allows multiple clients/applications on one HSM
Makes refreshing of LMKs easier
Unique to Thales payment HSMs
16. Hardware Options
Range of performance modules
20, 50, 220, 800, 1500* tps (transactions per second)
Can be upgraded in the field
Dual Power Supply Unit (PSU) *
Must be ordered at time of purchase
Not hot swap: lets customer plan replacement of dead PSU
Power Cord type
* Not available on HSM 8000
17. About performance …
Rated Performance relates to CA command (PIN Block Translation)
Most other commands run at same speed
Some commands run slower (e.g. RSA Key Generation)
May depend on key length and payload
All commands run faster on higher performance HSM
Dual ports do not give additional performance
Multiple threads/connections needed for full throughput
Up to 64 threads per Ethernet port (128 total)
Maximum performance by 4-8 ports
Depends on HSM model and command
18. Software licenses – Base packages
Each payShield 9000 must have one – and only one – Base Package
Packages:
HSM9-PAC001 HSM 8000 base equivalent
HSM9-PAC010 Transaction Processing
HSM9-PAC020 Magnetic Stripe Issuers
HSM9-PAC030 EMV Issuers
HSM 8000 has only HSM8-LIC001 base licence
19. Software licenses – optional items
Sales Order Code License Description
HSM9-LIC002 RSA license
HSM9-LIC003 AS2805 license
HSM9-LIC004 Europay Security Platform (ESP) license
HSM9-LIC005 User Authentication (HMAC/CAP/DPA) license
HSM9-LIC006 X9 TR-31 license
HSM9-LIC008 Data Protection license
HSM9-LIC009 Remote Management license
HSM9-LIC011 Magnetic Stripe Contactless Card Data Preparation license
HSM9-LIC012 LMK x 2 license
HSM9-LIC013 LMK x 5 license
HSM9-LIC014 WebPIN license
HSM9-LIC016 EMV-based Card Data Preparation license
KSM9-LIC020 Korean Algorithm license
HSM9-LIC021 LMK x 10 license
HSM9-LIC024 Magnetic Stripe Issuing license
HSM9-LIC025 Magnetic Stripe Transaction Processing license
HSM9-LIC026 EMV Transaction Processing license
HSM9-LIC027 PIN and Key Printing license
HSM9-LIC028 Visa Cash Processing license
HSM9-LIC029 Legacy Functions license
20. Custom software
Allows customer to have whatever functionality they need
Customer pays for development once
Software can be installed on multiple HSMs for free, but …
Customer must buy base Package or License
Custom software is built for a specific base version (e.g. 1.0)
To work with a later base version (e.g. 1.1), the custom software must be ported
HSM 8000 custom software can be ported to payShield 9000
Fixed prices for porting from HSM 8000 v2 & v3
21. Local & Remote HSM Manager
Local HSM Manager
Provided as part of the base product – no charge
Since HSM 8000 v3.1a & payShield 9000 v1.0a
Replaces the Console (80x24 character terminal)
Provides Graphical User Interface (GUI)
Locked-down bootable Linux CD
Runs on most PC hardware
Remote HSM Manager
Similar to Local HSM Manager, but …
Optional – must be purchased
Allows HSM to be managed across a TCP/IP network
22. Remote HSM Manager
[Diagram labels: Standard PC or Laptop; Bootable CD with Linux OS & Remote Management App (RMA); Administrator smart card readers – simulate physical keys; Operator smart card reader – simulates Authorising Officer card in Local Mngr; WAN; Ethernet Management port]
23. Remote HSM Manager
Benefits:
Modern graphical user interface (GUI)
Fits in with organisation’s structure
Avoids time & cost of travel
Gets around restrictions on data centre access
Updates and management changes can be done quickly
What the Customer buys:
1 Remote Management System Pack
HSM9-LIC009 for each HSM
Optional: additional System Packs, smart cards, card readers
24. Remote (and Local) HSM Manager GUI
25. Main certifications
payShield 9000:
FIPS 140-2 Level 3 (TSPP crypto module only)
PCI HSM (in progress)
APCA (in progress)
MEPS (Cartes Bancaires) (future)
HSM 8000:
FIPS 140-2 Level 3 (SGSS crypto module only)
APCA
MEPS (Cartes Bancaires)
HSM 8000 will not be PCI HSM-certified