3S Group's advanced technology Type 2 Cryptographic Support Server (T2CSS)T2CSS provides a high-performance server system by off-loading cryptographic processing from the host system. It provides hardware based security services to applications or provides network security on the Internet.

T2CSS Cryptographic Service Provider Hardware boards loaded with firmware

 Features

• Government and commercial algorithms (SkipJack, KEA, DES, 3DES, SHA-1, MD5, DSA, D-H and others) in hardware
• Multiple cryptographic processor design optimized for significant performance
• Scaleable and flexible design - one or more cryptographic processors per board and multiple boards in a system
• Data confidentiality, data integrity, key management, digital signature and time-stamp services
• FORTEZZA Cryptographic Interface (CI) and PKCS #11 Application Programming Interface (API) support
  
  

  Benefits

• Secures Government and commercial information systems at the application or network layers
• Provides security without degrading performance or requiring costly upgrades
• Supports concurrently a mix of server applications such as E-Commerce, web, database and others
• Provides high-assurance security solutions
• Security Manager manages sessions and tokens
• Layered architecture is adaptable to other CAPIs
• Virtual token support is adaptable to different formats
• Ideal for Virtual Private Network (VPN) infrastructure components, and banking and finance applications
  
  

Hardware Description

• Multiple cryptoprocessors
• Multiple IPSec coprocessors
• Optimized for performance

The board limits and controls access to the multiple cryptographic processors as the bus master. Multiple internal DMA channels transfer data across the host system bus and to the cryptographic processors. Dual-ported RAM interface facilitates independent reads/writes between each cryptographic processor and the on-board control processor. Each cryptoprocessor has dedicated hardware for computing the FORTEZZA SkipJack, DES, and 3DES (single and two key) encryption algorithms (several chaining modes), Key Exchange Algorithm (KEA), Digital Signature Algorithm (DSA), Secure Hash Algorithm (SHA-1), Message Digest (MD5) and other algorithms.

Each cryptographic processor is also equipped with a full 1024-bit (extendible to 2048 bits in firmware) exponentiator to facilitate key operations such as in RSA algorithms, a digital non-deterministic randomizer, and a key cache for high speed cryptographic context switching.

• Key ManagementUser keys and certificates generated and stored in virtual crypto tokens
• Cryptograhically sensitive materials protected with keys on the board

On board flash memory retains trusted keys and certificates and the firmware code which is digitally signed and verified upon initialization. An identifier unique to each board is programmed in a dedicated programmable memory chip (based on Dallas Semiconductor's I-Button technology) which serves as a 'signature' unique to an organization or a company. A time-of-day clock on the board provides time/date stamping preventing replay attacks. The cryptographic mechanisms comply with the FIPS PUB 140-1 level 2 standard.

Authentication and Access Control

• Session/connection management
• Multiple applications or sessions access the board concurrently constrained only by the computer hardware resoures
• Virtual crypto token management
• Security administration and auditing

User will access the keys and certificates in the virtual token via a Personal Identification Number (PIN). Role-based access controls define the level of access given to users: Site Security Officer (SSO) or Administrator; or User requesting security services from the board. Access to security-critical cryptographic functions are restricted to the SSO or Administrator.

Key and Certificate Management

• User keys and certificates generated and stored in virtual crypto tokens
• Cryptograhically sensitive materials protected with keys on the board

Trusted keys and certificates are either loaded into or generated, and protected on the board. This minimizes the possibility of compromise common to software based security solutions. User keys and certificates stored in virtual cryptographic tokens contain a minimum 10 key registers and 48 certificate slots. Virtual tokens, when they are held in the host environment, are cryptographically protected with keys that are generated and resident only on the board, thereby providing the full benefit of a hardware based security solution. Large numbers of virtual tokens can be stored securely in the host environment.

Interface to Government and commercial certificate authorities is provided and the CSP is public key infrastructure (PKI) enabled.

Software Description

• Session/connection management Multiple applications or sessions access the board concurrently constrained only by the computer hardware resoures.
• Virtual crypto token management
• Security administration and auditing

The Security Manager is the interface (via the CAPI) between the users (or server applications) and security services such as strong authentication, certificate management, access control and directory access.

The Security Manager stores and retrieves individual users' virtual tokens, containing the users' keys and certificates. A user can own more than one token. Each instantiation of the virtual token on the board is unique and provides the user with a "physical" implementation of a cryptographic card. The Security Manager manages an unlimited number of concurrent sessions or connections, constrained only by the computer hardware resources. The Security Manager also performs security administration and auditing.

CAPIs

• FORTEZZA Cryptographic Interface (CI) and PKCS #11
• API Extensible to handle extension and special function calls

Algorithms

• Government and commercial algorithms (SkipJack,   KEA, D-H, DES, 3DES, SHA-1, MD5, DSA, RC4)
• Algorithm-agile design will support others such as RSA
  
  Request Product Information