Information Security Systems

Thales Payment HSMs
Bernard Foot, Product Manager
Introduction to Thales Payment HSMs – March 2011

The Family – past & present

Our pedigree
  • Created first Payment HSM – for Visa
  • Market leader outside of US
      – HP Atalla is market leader in US – but weak elsewhere
      – We are well known & respected
  • 70% of world’s payments are protected by Thales HSMs
      – Atalla claim a similar thing!
      – But that’s OK … each payment goes through multiple HSMs
  • Over 12,000 units sold
  • All major card applications work with Thales payment HSMs
A history lesson
  [Timeline diagram of the product family]
  • 1988: RG6000 (3,000)
  • 1995: RG7000 (7,000)
  • 2003: HSM 8000 (5,500)
  • 2009: payShield 9000 (300)
  • ???: next generation
  We’ll be talking only about payShield 9000
How a Thales Payment HSM works

How does a Thales HSM work?
  • Attaches to a computer (“host”) as a peripheral
  • Command/Response API (Application Programming Interface):
      – Host sends a command to the HSM, asking for a function to be performed
      – HSM sends a response back to the host: confirmation/error code, results, …
      – These are simple messages sent over standard communications, e.g. Ethernet
  [Diagram: the Host Computer sends a “Command requesting a function” to the HSM; the HSM returns a “Response”]
Command/Response API – Pros and Cons
  • With Command/Response, nothing is installed on the host
      – So our HSMs work with any host
      – No need to keep up with changes to the Operating System
  • A single command performs a complex function
      – We have about 300 available commands
  • Downsides:
      – Functionality limited to what we offer
          · Less of a problem for payment card systems
          · “Gaps” can be filled by Custom Software
      – Some customers like standard APIs – PKCS #11, CAPI
Reminder from last session – Card Payment Processing
  [Diagram: the Transaction flows from the Acquirer through the Switch to the Issuer, and the Authorisation flows back. Along the way the PIN Block is re-encrypted at each hop: PIN Block format A, Key A; then Format B, Key B; then PIN Block format C, Key C]
Examples of commands for transaction processing
  • CA – convert a PIN Block from (format x, Terminal PIN Key) to (format y, Zone PIN Key)
  • DA – verify a Terminal PIN using the IBM (or Diebold, Visa, Comparison) method
  • CY – verify a Visa (or Mastercard, …) Card Verification Value
  • DU – (for PIN change by customer) verify an IBM PIN Offset and, if successful, generate the PIN Offset of the customer-selected PIN using the IBM 3624 method. The current and new PINs are supplied in encrypted form.
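A worked illustration of the format conversion the CA command performs inside the HSM, added here as an example and not Thales code: ISO 9564-1 format 0 and format 1 PIN blocks, with the 3DES decryption under the Terminal PIN Key and re-encryption under the Zone PIN Key left out because the Python standard library has no 3DES. The sample PAN and PIN are constructed values.

```python
"""ISO 9564-1 PIN block formats 0 and 1, and the clear-text core of a
CA-style translation (format x -> format y).

Added example, not Thales code. Inside the HSM the CA command decrypts the
incoming block under the Terminal PIN Key, rebuilds it in the target format
and re-encrypts it under the Zone PIN Key; the clear PIN block never leaves
the HSM. The 3DES steps are omitted here (no 3DES in the standard library),
so only the format conversion between them is shown.
"""
import os
from typing import Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pan_field(pan: str) -> bytes:
    """PAN field: 0000 + the 12 rightmost PAN digits excluding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def _check_pin(pin: str) -> None:
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")


def encode_format0(pin: str, pan: str, fill: Optional[bytes] = None) -> bytes:
    """Format 0: (0 | len | PIN | F-padding) XOR PAN field. Fill is unused."""
    _check_pin(pin)
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return _xor(pin_field, _pan_field(pan))


def decode_format0(block: bytes, pan: str) -> str:
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = _xor(block, _pan_field(pan)).hex().upper()
    n = int(field[1], 16)
    if field[0] != "0" or not 4 <= n <= 12:
        raise ValueError("not a valid format 0 block")
    pin, pad = field[2:2 + n], field[2 + n:]
    # A wrong PAN (or a corrupted block) almost always breaks the F-padding.
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("not a valid format 0 block")
    return pin


def encode_format1(pin: str, pan: str = "", fill: Optional[bytes] = None) -> bytes:
    """Format 1: 1 | len | PIN | random hex fill. The PAN is not used."""
    _check_pin(pin)
    fill = os.urandom(8) if fill is None else fill
    return bytes.fromhex((f"1{len(pin):X}{pin}" + fill.hex().upper())[:16])


def decode_format1(block: bytes, pan: str = "") -> str:
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = block.hex().upper()
    n = int(field[1], 16)
    if field[0] != "1" or not 4 <= n <= 12 or not field[2:2 + n].isdigit():
        raise ValueError("not a valid format 1 block")
    return field[2:2 + n]


ENCODERS = {0: encode_format0, 1: encode_format1}
DECODERS = {0: decode_format0, 1: decode_format1}


def translate(block: bytes, from_fmt: int, to_fmt: int, pan: str,
              fill: Optional[bytes] = None) -> bytes:
    """The clear-text core of CA: parse the block in one format, rebuild it in another."""
    pin = DECODERS[from_fmt](block, pan)
    return ENCODERS[to_fmt](pin, pan, fill)


if __name__ == "__main__":
    # Constructed sample values; not real cardholder data.
    pan, pin = "4000001234567899", "1234"
    b0 = encode_format0(pin, pan)
    print("format 0:", b0.hex().upper())          # 041234FEDCBA9876
    b1 = translate(b0, 0, 1, pan, fill=bytes(8))
    print("format 1:", b1.hex().upper())          # 1412340000000000
    print("back    :", translate(b1, 1, 0, pan).hex().upper())
```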
Thales API supported by the major industry software
Physical Host interfaces
  • payShield 9000:
      – Dual Gigabit Ethernet ports (TCP/IP & UDP) (from v1.1)
      – Asynchronous
      – FICON (new IBM fibre optic) – in development
  • HSM 8000:
      – Single 100 Mbit Ethernet port (TCP/IP & UDP)
      – Asynchronous
      – ESCON (obsolete IBM fibre optic)
      – SNA/SDLC (obsolete IBM network)
A bit about the payShield 9000 …

What the customer buys
  • Hardware
  • Base software package *
  • Optional Licences
  • Remote Management
  • Custom software
  • Accessories
      – Cabinets, spare keys, rack-mount kits
  • Professional services
  • Support

  * Base software licence for HSM 8000
Layout of the payShield 9000
  [Annotated photograph of the unit. Labelled components: cover detector microswitches, smart card reader, left keylock, right keylock, LEDs, 2 USB ports (front), 4 USB ports (rear), 4 Ethernet ports, Secure Crypto Sub-system (TSPP), Erase Button, Restart Button, main board, dual Power Supply Units, and the place where the Tamper Labels go]
Local Master Keys – LMKs
  • The crucial secret
      – Stored in the Secure Cryptographic Module (TSPP)
      – No person has the whole LMK – only components
      – Always deleted when the HSM is tampered
  • Encrypts all the operational keys used by the HSM
      – Outside of the HSM, operational keys are never in the clear
  • 2 types:
      – Variant – older, less secure, used by nearly all customers
      – Key Block – new, more secure, little used – yet
  • Multiple LMKs
      – HSM can have up to 10 LMKs
      – Managed by different security teams
      – Allows multiple clients/applications on one HSM
      – Makes refreshing of LMKs easier
      – Unique to Thales payment HSMs
Hardware Options
  • Range of performance modules
      – 20, 50, 220, 800, 1500* tps (transactions per second)
      – Can be upgraded in the field
  • Dual Power Supply Unit (PSU) *
      – Must be ordered at time of purchase
      – Not hot swap: lets the customer plan replacement of a dead PSU
  • Power Cord type

  * Not available on HSM 8000
About performance …
  • Rated performance relates to the CA command (PIN Block Translation)
      – Most other commands run at the same speed
      – Some commands run slower (e.g. RSA Key Generation)
          · May depend on key length and payload
      – All commands run faster on a higher performance HSM
      – Dual ports do not give additional performance
  • Multiple threads/connections needed for full throughput
      – Up to 64 threads per Ethernet port (128 total)
      – Maximum performance by 4-8 ports
          · Depends on HSM model and command
Software licenses – Base packages
  Each payShield 9000 must have one – and only one – Base Package

  Package        Description
  HSM9-PAC001    HSM 8000 base equivalent
  HSM9-PAC010    Transaction Processing
  HSM9-PAC020    Magnetic Stripe Issuers
  HSM9-PAC030    EMV Issuers

  HSM 8000 has only the HSM8-LIC001 base licence
Software licenses – optional items
  Sales Order Code   License Description
  HSM9-LIC002        RSA license
  HSM9-LIC003        AS2805 license
  HSM9-LIC004        Europay Security Platform (ESP) license
  HSM9-LIC005        User Authentication (HMAC/CAP/DPA) license
  HSM9-LIC006        X9 TR-31 license
  HSM9-LIC008        Data Protection license
  HSM9-LIC009        Remote Management license
  HSM9-LIC011        Magnetic Stripe Contactless Card Data Preparation license
  HSM9-LIC012        LMK x 2 license
  HSM9-LIC013        LMK x 5 license
  HSM9-LIC014        WebPIN license
  HSM9-LIC016        EMV-based Card Data Preparation license
  KSM9-LIC020        Korean Algorithm license
  HSM9-LIC021        LMK x 10 license
  HSM9-LIC024        Magnetic Stripe Issuing license
  HSM9-LIC025        Magnetic Stripe Transaction Processing license
  HSM9-LIC026        EMV Transaction Processing license
  HSM9-LIC027        PIN and Key Printing license
  HSM9-LIC028        Visa Cash Processing license
  HSM9-LIC029        Legacy Functions license
Custom software
  • Allows the customer to have whatever functionality they need
  • Customer pays for development once
  • Software can be installed on multiple HSMs for free, but …
  • Customer must buy a base Package or License
  • Custom software is built for a specific base version (e.g. 1.0)
      – To work with a later base version (e.g. 1.1), the custom software must be ported
  • HSM 8000 custom software can be ported to payShield 9000
      – Fixed prices for porting from HSM 8000 v2 & v3
Local & Remote HSM Manager
  • Local HSM Manager
      – Provided as part of the base product – no charge
          · Since HSM 8000 v3.1a & payShield 9000 v1.0a
      – Replaces the Console (80x24 character terminal)
      – Provides a Graphical User Interface (GUI)
      – Locked-down bootable Linux CD
      – Runs on most PC hardware
  • Remote HSM Manager
      – Similar to Local HSM Manager, but …
      – Optional – must be purchased
      – Allows the HSM to be managed across a TCP/IP network
Remote HSM Manager
  [Diagram: a standard PC or laptop boots a CD carrying the Linux OS & Remote Management App (RMA). Attached to it are administrator smart card readers, which simulate the physical keys, and an operator smart card reader, which simulates the Authorising Officer card in the Local Manager. The PC reaches the HSM’s Ethernet Management port across the WAN]
Remote HSM Manager
  • Benefits:
      – Modern graphical user interface (GUI)
      – Fits in with the organisation’s structure
      – Avoids time & cost of travel
      – Gets around restrictions on data centre access
      – Updates and management changes can be done quickly
  • What the Customer buys:
      – 1 Remote Management System Pack
      – HSM9-LIC009 for each HSM
      – Optional: additional System Packs, smart cards, card readers
Remote (and Local) HSM Manager GUI
  [Screenshot of the HSM Manager GUI]
Main certifications
  • payShield 9000:
      – FIPS 140-2 Level 3 (TSPP crypto module only)
      – PCI HSM (in progress)
      – APCA (in progress)
      – MEPS (Cartes Bancaires) (future)
  • HSM 8000:
      – FIPS 140-2 Level 3 (SGSS crypto module only)
      – APCA
      – MEPS (Cartes Bancaires)

  HSM 8000 will not be PCI HSM-certified
Some useful materials …
(all available via your Thales representative)

Brochures
  • payShield 9000: Brochure, Application Note, Datasheet
  • HSM 8000: Brochure, Application Note, Datasheet
Application Notes
  • Utilization & Health Check Reporting
  • Packages & Licenses
  • Software & License Update Procedure
  • Introduction of New Smartcards
  • Thales Key Blocks
  • TR-31 Key Blocks
  • Multiple LMKs
  • Remote HSM Manager
  • Remote Key Loading
  • Support for EMV PIN Change
  • Diagnostic Commands
  • Multiple Authorised States
  • Contactless Payments
  • Message Encryption
Thales Payment HSMs
  Foundation for Secure Banking Services

  bernard.foot@thales-esecurity.com
Jobo 1 ims_tm_value_2012_q2Jobo 1 ims_tm_value_2012_q2
Jobo 1 ims_tm_value_2012_q2Helene Lyon
 

Similar to Information Security Systems Title Generator (20)

Pay Shield9000 Vs Hsm8000 Compet V7
Pay Shield9000 Vs Hsm8000 Compet V7Pay Shield9000 Vs Hsm8000 Compet V7
Pay Shield9000 Vs Hsm8000 Compet V7
 
Next Generation Data Centers
Next Generation Data CentersNext Generation Data Centers
Next Generation Data Centers
 
Nads 2012
Nads 2012Nads 2012
Nads 2012
 
Nads 2012 itec2012 innovationshowcase 22 may 2012
Nads 2012 itec2012 innovationshowcase 22 may 2012 Nads 2012 itec2012 innovationshowcase 22 may 2012
Nads 2012 itec2012 innovationshowcase 22 may 2012
 
How to Choose A SOA Gateway from Layer 7
How to Choose A SOA Gateway from Layer 7How to Choose A SOA Gateway from Layer 7
How to Choose A SOA Gateway from Layer 7
 
Imex Research Virtualization Executive Summary On Slideshare
Imex Research Virtualization Executive Summary On SlideshareImex Research Virtualization Executive Summary On Slideshare
Imex Research Virtualization Executive Summary On Slideshare
 
ANZTRUC - elmtree v2.2 (1)
ANZTRUC - elmtree v2.2 (1)ANZTRUC - elmtree v2.2 (1)
ANZTRUC - elmtree v2.2 (1)
 
Mike Stolz Dramatic Scalability
Mike Stolz Dramatic ScalabilityMike Stolz Dramatic Scalability
Mike Stolz Dramatic Scalability
 
HSM Basic Training
HSM Basic TrainingHSM Basic Training
HSM Basic Training
 
Pres client server
Pres client serverPres client server
Pres client server
 
SmartOS
SmartOSSmartOS
SmartOS
 
Next-Gen Data Center Virtualization: Studies in Implementation
Next-Gen Data Center Virtualization: Studies in ImplementationNext-Gen Data Center Virtualization: Studies in Implementation
Next-Gen Data Center Virtualization: Studies in Implementation
 
SMS Overview 2012
SMS Overview 2012SMS Overview 2012
SMS Overview 2012
 
Fi Linkedin (1)
Fi Linkedin (1)Fi Linkedin (1)
Fi Linkedin (1)
 
Architecting Next Generation Enterprise Network Storage
Architecting Next Generation Enterprise Network StorageArchitecting Next Generation Enterprise Network Storage
Architecting Next Generation Enterprise Network Storage
 
Wso2esb sap-jkh-v2.0
Wso2esb sap-jkh-v2.0Wso2esb sap-jkh-v2.0
Wso2esb sap-jkh-v2.0
 
WAS Support & Monitoring Tools
WAS Support & Monitoring ToolsWAS Support & Monitoring Tools
WAS Support & Monitoring Tools
 
Intel Trusted eXecution Technology
Intel Trusted eXecution TechnologyIntel Trusted eXecution Technology
Intel Trusted eXecution Technology
 
Standardized Protocols for Decentralized Insurance
Standardized Protocols for Decentralized InsuranceStandardized Protocols for Decentralized Insurance
Standardized Protocols for Decentralized Insurance
 
Jobo 1 ims_tm_value_2012_q2
Jobo 1 ims_tm_value_2012_q2Jobo 1 ims_tm_value_2012_q2
Jobo 1 ims_tm_value_2012_q2
 

More from Eugene Sushchenko

More from Eugene Sushchenko (7)

Datacryptor Ethernet Layer 2 Rel 4.5
Datacryptor Ethernet Layer 2 Rel 4.5Datacryptor Ethernet Layer 2 Rel 4.5
Datacryptor Ethernet Layer 2 Rel 4.5
 
Psg Ru
Psg RuPsg Ru
Psg Ru
 
Protectserver External Ru
Protectserver External RuProtectserver External Ru
Protectserver External Ru
 
Secure File Exchange.Ru
Secure File Exchange.RuSecure File Exchange.Ru
Secure File Exchange.Ru
 
Key Factory.Ru
Key Factory.RuKey Factory.Ru
Key Factory.Ru
 
Secure Messaging.Ru
Secure Messaging.RuSecure Messaging.Ru
Secure Messaging.Ru
 
Virtual Private Networks.Ru
Virtual Private Networks.RuVirtual Private Networks.Ru
Virtual Private Networks.Ru
 

Information Security Systems Title Generator

  • 1. Information Security Systems > Thales Payment HSMs Bernard Foot Product Manager
  • 2. Information Security Systems > The Family – past & present
  • 3. Our pedigree < (Introduction to Thales Payment HSMs – March 2011) Created first Payment HSM – for Visa. Market leader outside of US; HP Atalla is market leader in US – but weak elsewhere. We are well known & respected. 70% of world’s payments are protected by Thales HSMs; Atalla claim a similar thing! But that’s OK … each payment goes through multiple HSMs. Over 12,000 units sold. All major card applications work with Thales payment HSMs.
  • 4. A history lesson < (Timeline) RG6000 (3,000), 1988; RG7000 (7,000), 1995; HSM 8000 (5,500), 2003; payShield 9000 (300), 2009; ??? We’ll be talking only about payShield 9000.
  • 5. Information Security Systems > How a Thales Payment HSM works
  • 6. How does a Thales HSM work? < Attaches to a computer (“host”) as a peripheral. Command/Response API (Application Programming Interface): the host sends a command to the HSM asking for a function to be performed; the HSM sends a response back to the host (confirmation/error code, results, …). These are simple messages sent over standard communications, e.g. Ethernet. (Diagram: Host Computer sends a command requesting a function to the HSM; the HSM returns the response.)
  • 7. Command/Response API – pros and cons < With Command/Response, nothing is installed on the host, so our HSMs work with any host; no need to keep up with changes to the Operating System. A single command performs a complex function; we have about 300 available commands. Downsides: functionality limited to what we offer (less of a problem for payment card systems); “gaps” can be filled by Custom Software; some customers like standard APIs – PKCS #11, CAPI.
  • 8. Reminder from last session – Card Payment Processing < (Diagram) The Transaction enters at the Acquirer and passes via the Switch to the Issuer, which returns the Authorisation; the PIN block is re-encrypted at each stage: PIN block format A, key A; PIN block format B, key B; PIN block format C, key C.
  • 9. Examples of commands for transaction processing < CA – convert a PIN Block from (format x, Terminal PIN Key) to (format y, Zone PIN Key). DA – verify a Terminal PIN using the IBM (or Diebold, Visa, Comparison) method. CY – verify a Visa (or Mastercard, …) Card Verification Value. DU – (for PIN change by customer) verify an IBM PIN Offset and, if successful, generate the PIN Offset of the customer-selected PIN using the IBM 3624 method; the current and new PINs are supplied in an encrypted form.
  • 10. Thales API supported by the major industry software <
  • 11. Physical Host interfaces < payShield 9000: Dual Gigabit Ethernet ports (TCP/IP & UDP), (from v1.1) Asynchronous, FICON (new IBM fibre optic) – in development. HSM 8000: Single 100Mbit Ethernet port (TCP/IP & UDP), Asynchronous, ESCON (obsolete IBM fibre optic), SNA/SDLC (obsolete IBM network).
  • 12. Information Security Systems > A bit about the payShield 9000 …
  • 13. What the customer buys < Hardware; Base software package*; Optional Licences; Remote Management; Custom software; Accessories (cabinets, spare keys, rack-mount kits); Professional services; Support. (* Base software licence for HSM 8000.)
  • 14. Layout of the payShield 9000 < (Diagram labels) Cover detector microswitches; 4 USB ports; 4 Ethernet ports; Secure Crypto Sub-system (TSPP); Smart card reader; Erase Button; Left Keylock; LEDs; Main board; Dual Power Supply Units; 2 USB ports; Restart Button; Tamper Labels go here; Right Keylock.
  • 15. Local Master Keys – LMKs < The crucial secret: stored in the Secure Cryptographic Module (TSPP); no person has the whole LMK – only components; always deleted when the HSM is tampered. Encrypts all the operational keys used by the HSM; outside of the HSM, operational keys are never in the clear. 2 types: Variant – older, less secure, used by nearly all customers; Key Block – new, more secure, little used – yet. Multiple LMKs: HSM can have up to 10 LMKs; managed by different security teams; allows multiple clients/applications on one HSM; makes refreshing of LMKs easier; unique to Thales payment HSMs.
  • 16. Hardware Options < Range of performance modules: 20, 50, 220, 800, 1500* tps (transactions per second); can be upgraded in the field. Dual Power Supply Unit (PSU)*: must be ordered at time of purchase; not hot swap – lets customer plan replacement of dead PSU. Power Cord type. (* Not available on HSM 8000.)
  • 17. About performance … < Rated Performance relates to CA command (PIN Block Translation); most other commands run at same speed; some commands run slower (e.g. RSA Key Generation) – may depend on key length and payload; all commands run faster on higher performance HSM. Dual ports do not give additional performance. Multiple threads/connections needed for full throughput: up to 64 threads per Ethernet port (128 total); maximum performance by 4-8 ports – depends on HSM model and command.
  • 18. Software licenses – Base packages < Each payShield 9000 must have one – and only one – Base Package. Packages: HSM9-PAC001: HSM 8000 base equivalent; HSM9-PAC010: Transaction Processing; HSM9-PAC020: Magnetic Stripe Issuers; HSM9-PAC030: EMV Issuers. HSM 8000 has only HSM8-LIC001 base licence.
  • 19. Software licenses – optional items < (Sales Order Code: License Description) HSM9-LIC002: RSA license; HSM9-LIC003: AS2805 license; HSM9-LIC004: Europay Security Platform (ESP) license; HSM9-LIC005: User Authentication (HMAC/CAP/DPA) license; HSM9-LIC006: X9 TR-31 license; HSM9-LIC008: Data Protection license; HSM9-LIC009: Remote Management license; HSM9-LIC011: Magnetic Stripe Contactless Card Data Preparation license; HSM9-LIC012: LMK x 2 license; HSM9-LIC013: LMK x 5 license; HSM9-LIC014: WebPIN license; HSM9-LIC016: EMV-based Card Data Preparation license; KSM9-LIC020: Korean Algorithm license; HSM9-LIC021: LMK x 10 license; HSM9-LIC024: Magnetic Stripe Issuing license; HSM9-LIC025: Magnetic Stripe Transaction Processing license; HSM9-LIC026: EMV Transaction Processing license; HSM9-LIC027: PIN and Key Printing license; HSM9-LIC028: Visa Cash Processing license; HSM9-LIC029: Legacy Functions license.
  • 20. Custom software < Allows customer to have whatever functionality they need. Customer pays for development once; software can be installed on multiple HSMs for free, but … customer must buy base Package or License. Custom software is built for a specific base version (e.g. 1.0); to work with a later base version (e.g. 1.1), the custom software must be ported. HSM 8000 custom software can be ported to payShield 9000; fixed prices for porting from HSM 8000 v2 & v3.
  • 21. Local & Remote HSM Manager < Local HSM Manager: provided as part of the base product – no charge; since HSM 8000 v3.1a & payShield 9000 v1.0a; replaces the Console (80x24 character terminal); provides Graphical User Interface (GUI); locked-down bootable Linux CD; runs on most PC hardware. Remote HSM Manager: similar to Local HSM Manager, but … optional – must be purchased; allows HSM to be managed across a TCP/IP network.
  • 22. Remote HSM Manager < (Diagram) Bootable CD with Linux OS & Remote Management App (RMA); Administrator smart card readers – simulate physical keys; Operator smart card reader – simulates Authorising Officer; PC or Laptop; Ethernet card; WAN; Standard Local Mngr in Management port.
  • 23. Remote HSM Manager < Benefits: modern graphical user interface (GUI); fits in with organisation’s structure; avoids time & cost of travel; gets around restrictions on data centre access; updates and management changes can be done quickly. What the Customer buys: 1 Remote Management System Pack; HSM9-LIC009 for each HSM; optional: additional System Packs, smart cards, card readers.
  • 24. Remote (and Local) HSM Manager GUI <
  • 25. Main certifications < payShield 9000: FIPS 140-2 Level 3 (TSPP crypto module only); PCI HSM (in progress); APCA (in progress); MEPS (Cartes Bancaires) (future). HSM 8000: FIPS 140-2 Level 3 (SGSS crypto module only); APCA; MEPS (Cartes Bancaires). HSM 8000 will not be PCI HSM-certified.
  • 26. Information Security Systems > Some useful materials … (all available via your Thales representative)
  • 27. Brochures < payShield 9000: Brochure, Application Note, Datasheet. HSM 8000: Brochure, Application Note, Datasheet.
  • 28. Application Notes < Utilization & Health Check Reporting; Packages & Licenses; Software & License Update Procedure; Introduction of New Smartcards; Thales Key Blocks; TR-31 Key Blocks; Multiple LMKs; Remote HSM Manager; Remote Key Loading; Support for EMV PIN Change; Diagnostic Commands; Multiple Authorised States; Contactless Payments; Message Encryption.
  • 29. Thales Payment HSMs < Foundation for Secure Banking Services. bernard.foot@thales-esecurity.com
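The command/response model of slides 6 to 9 (an encrypted PIN block goes in, a re-encrypted one comes out, and the host only ever holds operational keys in LMK-encrypted form) and the LMK role on slide 15 can be pictured with a small host-side simulation. The Go program below is an added example written for this page; it is not Thales code and uses neither the payShield wire format nor its command codes. Its `HSM` type is a hypothetical stand-in for the device boundary: the LMK is an AES-256-GCM key that never leaves the struct, operational keys exist outside it only as `ImportKey` output (the key's usage, TPK or ZPK, is authenticated as associated data, a simplified stand-in for the usage attributes a key block carries), and `TranslatePINBlock` plays the role of the CA command on slide 9, re-encrypting from the Terminal PIN Key to the Zone PIN Key without a format change. The keys, PAN and clear PIN block are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample values, not real keys or a real card. The clear PIN block is
// ISO 9564 format 0 for PIN 1234, PAN 4111111111111111 (041234FFFFFFFFFF XOR 0000111111111111).
const SampleTPK = "0123456789ABCDEFFEDCBA9876543210A1B2C3D4E5F60718" // triple-length Terminal PIN Key
const SampleZPK = "A1B2C3D4E5F60718293A4B5C6D7E8F900123456789ABCDEF" // triple-length Zone PIN Key
const SampleClearPINBlock = "041225EEEEEEEEEE"

// HSM models the device boundary: the LMK never leaves it, and every command receives its operational keys LMK-wrapped.
type HSM struct{ lmk cipher.AEAD }

func NewHSM() (*HSM, error) {
	raw := make([]byte, 32) // the LMK: generated inside the HSM, never exported
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	blk, _ := aes.NewCipher(raw) // a 32-byte key is always accepted
	aead, err := cipher.NewGCM(blk)
	return &HSM{lmk: aead}, err
}

// ImportKey models key loading: the clear key enters the HSM once and comes back LMK-wrapped,
// with its usage ("TPK"/"ZPK") authenticated as associated data (a simplified stand-in for a key block).
func (h *HSM) ImportKey(usage string, clear []byte) ([]byte, error) {
	nonce := make([]byte, h.lmk.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return h.lmk.Seal(nonce, nonce, clear, []byte(usage)), nil // nonce || ciphertext || tag
}

// unwrap recovers a key inside the HSM, refusing one wrapped for another use.
func (h *HSM) unwrap(usage string, wrapped []byte) (cipher.Block, error) {
	ns := h.lmk.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short")
	}
	clear, err := h.lmk.Open(nil, wrapped[:ns], wrapped[ns:], []byte(usage))
	if err != nil {
		return nil, fmt.Errorf("not a valid %s under this LMK: %w", usage, err)
	}
	return des.NewTripleDESCipher(clear) // rejects any length but 24 bytes
}

// TranslatePINBlock is the CA-style command: PIN block under the TPK in, PIN
// block under the ZPK out. The clear PIN block exists only inside this call.
func (h *HSM) TranslatePINBlock(wrappedTPK, wrappedZPK, underTPK []byte) ([]byte, error) {
	tpk, err := h.unwrap("TPK", wrappedTPK)
	if err != nil {
		return nil, err
	}
	zpk, err := h.unwrap("ZPK", wrappedZPK)
	if err != nil {
		return nil, err
	}
	if len(underTPK) != 8 {
		return nil, errors.New("PIN block must be one 8-byte block")
	}
	clear, out := make([]byte, 8), make([]byte, 8)
	tpk.Decrypt(clear, underTPK)
	zpk.Encrypt(out, clear)
	return out, nil
}

// TranslateAtHost walks one hop from the slides: the PIN pad encrypts under the TPK, the host (holding
// only LMK-wrapped keys) has its HSM translate to the ZPK, and only that block leaves for the next party.
func TranslateAtHost(hsm *HSM) ([]byte, error) {
	tpk, _ := hex.DecodeString(SampleTPK)
	zpk, _ := hex.DecodeString(SampleZPK)
	wTPK, err := hsm.ImportKey("TPK", tpk)
	if err != nil {
		return nil, err
	}
	wZPK, err := hsm.ImportKey("ZPK", zpk)
	if err != nil {
		return nil, err
	}
	clear, _ := hex.DecodeString(SampleClearPINBlock) // formed inside the PIN pad
	term, _ := des.NewTripleDESCipher(tpk)             // only the terminal holds the clear TPK
	underTPK := make([]byte, 8)
	term.Encrypt(underTPK, clear)
	return hsm.TranslatePINBlock(wTPK, wZPK, underTPK)
}

func main() {
	hsm, _ := NewHSM()
	out, err := TranslateAtHost(hsm)
	fmt.Printf("PIN block under ZPK: %X (err=%v)\n", out, err)
}
```

Running it prints the ZPK-encrypted block and nothing else; the point to notice is the shape of the API. The host code never touches a clear PIN or a clear key, the receiving party's own HSM (holding the same ZPK) is the only place the block can be opened, and a wrapped ZPK handed in where a TPK is expected fails the authentication check instead of being used, which is one of the properties that make key blocks the more secure of the two LMK types on slide 15.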