
Nethsm

NetHSM

Uploaded by

Rashad Kelly

netHSM ™

NETWORK-CONNECTED HARDWARE SECURITY MODULE (HSM)

REDEFINING THE ROI FOR CRYPTOGRAPHIC HARDWARE


PRODUCT DATA SHEET

As organizations use cryptographic hardware to secure multiple points of risk within their IT infrastructure, it is important that a choice of deployment options is available. The netHSM is a network-attached, shareable, Hardware Security Module (HSM) that enables new and expanded HSM deployment strategies to emerge. Compatible with nCipher's range of directly-connected, dedicated HSMs, the netHSM promotes a cost-effective, enterprise-wide, security solution that is secure, shareable, scalable and interoperable.

SHAREABLE SECURITY RESOURCE

The netHSM is a platform for providing cryptographic services to enhance the security of a variety of applications - from PKI and authentication systems to Web services and SSL protected communications.

The netHSM acts as a network-attached resource for secure cryptographic processing, providing an alternative deployment scenario to the traditional approach of dedicated HSMs on individual servers. By allowing multiple servers to securely access a single HSM to perform cryptographic functions, overall equipment costs can be reduced and system management simplified. Whilst dedicated HSMs are appropriate for security applications and servers that demand guaranteed availability and/or processing power, many deployments encompass multiple servers, either in a single site or across a wide geographic area, where a shareable, network-connected HSM is a perfect solution.

| FEATURE | BENEFIT |
| --- | --- |
| SHAREABLE CRYPTOGRAPHIC RESOURCE | Provides flexible security for multiple server and multi-site installations, lowering the overall cost of deploying cryptographic hardware |
| FULLY FIPS 140-2 LEVEL 3 VALIDATED SECURITY BOUNDARY | The netHSM has a proven and fully FIPS-validated security boundary meeting cryptographic best practice for hardware key protection |
| HIGH CAPACITY | The netHSM allows unlimited key storage and support for up to 20 servers |
| COMPATIBILITY WITH EXISTING nCIPHER HSM DEPLOYMENT | Seamless integration with existing nCipher deployments allowing retention of initial investments |
| SECURE USER INTERFACE | The integrated secure user interface requires no external devices or servers for initialization, locking down security |
| FUNCTIONAL SEPARATION THROUGH FINE-GRAINED CONTROL OF KEYS | Keys can be isolated from one another through logical separation ensuring that access is restricted to authorized users or servers |
| HIGH PERFORMANCE: OPTIONS UP TO 2000 TPS / 1U | Performance for 1024 bit keys extends to 2000 TPS in 1U form factor, minimizing expensive rack space requirements |
| FULL FAILOVER AND LOAD BALANCING | netHSM can be deployed in high-availability systems. The interoperability of all nCipher HSMs allows failover and load balancing between any combination of netHSMs and dedicated HSMs |
| FULL RANGE OF APIs / WIDE APPLICATION SUPPORT | Simple integration with applications and proven interoperability with existing nCipher APIs |
| SECURE EXECUTION ENGINE (SEE)™ SUPPORT | Sensitive application software can be executed within FIPS certified hardware |
| ELLIPTIC CURVE CRYPTOGRAPHY SUPPORT | Provides developers with hardware key protection for the main ECC curves |
| ROHS COMPLIANT | As of July 1, 2006 this product complies with the Restriction of Hazardous Substances (RoHS) directive (2002/95/EC) of the European Parliament |

Secure by design

Because the security of all cryptographic processing is only as strong as the security of the underpinning cryptographic keys, securing the keys against attack with a FIPS-validated hardware module is essential. nCipher's netHSM has been designed from the ground up to provide:
• FIPS 140-2 Level 3 validated protection for cryptographic key material
• Encrypted network transport
• Strong authentication of servers that use the netHSM for key operations
• Resilience of the device from network attack
• Strongly enforced mechanisms to ensure the integrity of internal system software
• A secure and integrated user interface

Manageability

As networks expand, security teams are typically responsible for the security of multiple servers, often geographically dispersed across a number of distinct sites. While dedicated HSMs provide excellent security, there is often significant management and administration overhead associated with servicing remote locations. By centralizing the hardware security within a single netHSM, a central security team can have complete access to all cryptographic keys and functions while providing the same FIPS-level security to servers worldwide.

To tightly control access to an HSM, nCipher provides a smartcard-based authorization system for use by groups of operators and security administrators. The netHSM also allows many management functions to be accessed remotely. Smartcards can be presented locally at any server with a dedicated HSM and commands are transported over a secure connection. This allows efficient deployment of netHSMs in unattended data-centers or in geographically dispersed locations.
Flexible deployment

High performance

netHSM performs cryptographic processing on behalf of remotely connected servers. By offloading cryptographic functions from the remote servers, overall server capacity is increased. The netHSM can perform up to 2000 x 1024 bit signing operations per second. The netHSM is a 1U high, 19” wide rack-mounted unit, offering high performance with a low impact on valuable rack space.

Shareable cryptographic hardware for large or geographically dispersed installations can reduce hardware costs, management costs and footprint costs, increasing the return on your security investment

Allows multiple servers to securely access a single HSM



INTEROPERABLE AND FLEXIBLE PLATFORM

All nCipher HSMs use a common key management framework, nCipher's Security World, making the netHSM completely compatible and interoperable with nCipher's dedicated HSMs. As a result, nCipher HSMs can be configured in any combination to meet an organization's management, security and budgetary needs.

Flexibility in configuration allows an organization to protect existing investment, reconfigure and reallocate hardware as necessary and easily extend security to meet new business needs to maximize return on your security investment

Uniform integration

For years, nCipher customers have used nCipher toolkits to integrate our dedicated HSMs into either customized or commercial security applications. Because netHSM is compatible with nCipher’s complete range of dedicated HSMs, not only are the same integration toolkits used, but the same integration code can be utilized, to quickly and efficiently integrate netHSM into existing security applications.

Rapid integration and deployment allows an organization to efficiently meet regulatory compliance, increasing return on your security investment

Future-proof

nCipher's Security World provides the industry-leading model for managing keys by providing fine-grained access control. It avoids the need to isolate applications through inflexible internal partitions which limit the number of keys and servers that can be secured. netHSM allows limitless key storage and allows up to 20 servers to be supported.

netHSM configurations will be defined by business needs and security policy not by technology limitations, increasing the return on your security investment

Building an enterprise-wide cryptographic policy

Many organizations begin using hardware-protected cryptography on a single server, such as on a Web server utilizing SSL. For this application a dedicated HSM attached to a Web server is the most cost-effective solution. However, as the organization's use of cryptography grows to support an expanding on-line presence or the emergence of Web services, a netHSM can be added to secure multiple servers in multiple locations. The netHSM can work in conjunction with existing installations of dedicated HSMs.

The ability to start small and then expand, maintaining the investment in original equipment, increases the return on security investment
SCALABLE CRYPTOGRAPHIC

INDEPENDENTLY VALIDATED SECURITY

Cryptographic keys are the backbone of all cryptographic operations. However, failure to protect and manage these keys risks shattering an entire layer of security. Many organizations make the mistake of relying on 'soft security', leaving keys unprotected on general purpose servers, vulnerable to attack. Wherever cryptography is used to protect sensitive data, organizations must deploy 'hard security' controls to manage risk. Central to strong cryptographic security is the protection of keys within a Hardware Security Module (HSM).

The netHSM protects cryptographic keys in a highly secure hardware environment, enabling them to be effectively managed and safely stored. The netHSM FIPS security boundary has received an independent FIPS 140-2 Level 3 validation, the de facto security benchmark for cryptographic modules.

In addition to the independent FIPS approval that covers the protection of keys, nCipher has commissioned 3rd party testing of the 'network' properties of the netHSM to validate the resilience of the product from network-based attack.

Hardware protected remote server authentication

To further extend system security, the netHSM optionally supports the ability to strengthen the authentication of remote servers to the netHSM. By supporting hardware tokens at the requesting server, the keys used for authenticating the servers can be secured. This protects against illegitimate key use and promotes end-to-end security.

netHSM and customized security

nCipher's line of toolkits enables custom security applications to take full advantage of the key management, hardware protection and high speed cryptographic processing provided by the netHSM. Utilizing nCipher's CodeSafe™ toolkit, an organization can not only secure cryptographic keys but also sensitive applications and data using nCipher’s Secure Execution Engine™ (SEE) technology.

Securing both keys and application software within a FIPS-validated security boundary protects against attacks and can allow secure deployment of new applications, increasing the return on your security investment.

PRODUCT SPECIFICATIONS

| PRODUCT | CONNECTIVITY | NUMBER OF 1024 BIT RSA SIGNATURES PER SECOND* | FIPS 140-2 VALIDATION | SEE READINESS | ECC SUPPORT |
| --- | --- | --- | --- | --- | --- |
| netHSM 500 | 10/100 Ethernet | 500 | Level 3 | Yes | Yes |
| netHSM 2000 | 10/100 Ethernet | 2000 | Level 3 | Yes | Yes |

*The performance figures quoted have been measured on real systems by nCipher. However, actual system performance depends on application software
version, server platform type and other factors.

Full product specifications can be viewed at www.ncipher.com/cryptographic_hardware/hardware_security_modules/10/nethsm/

ABOUT NCIPHER
nCipher protects critical enterprise data for many of the world's most security-conscious organizations. Delivering solutions in the fields of identity management, data protection, enterprise key management and cryptographic hardware, nCipher enables businesses to identify who can access data, to protect data in transit and at rest, and to comply with the growing number of privacy-driven regulations. nCipher is listed on the London Stock Exchange (LSE:NCH).

NCDS/netHSM/MARCH2006

Every effort has been made to ensure the information included in this datasheet is true and correct at the time of going to press. However, the products described herein are subject to continuous
development and improvement, and the right is reserved to change their specification at any time. ©2006 nCipher Corporation Ltd. CodeSafe, netHSM, Security World and SEE are trademarks or registered
trademarks of nCipher Corporation Ltd. All other trademarks contained herein are the property of their respective owners.

nCipher Inc.
92 Montvale Avenue, Suite 4500
Stoneham, MA 02180 USA
Tel: +1 (781) 994 4000
[email protected]

nCipher Corporation Ltd.
Jupiter House, Station Rd.
Cambridge, CBI 2JD UK
Tel: +44 (0) 1223 723600
[email protected]

nCipher Corporation Ltd.
15th Floor, Cerulean Tower,
26-1 Sakuragaoka-cho, Shibuya-ku,
Tokyo 150 8512 Japan
Tel: +81 3 5456 5484
[email protected]

Visit our Web site at www.ncipher.com – today!

Identify. Protect. Comply.
