i4p’s TRIDENT Multi-party HSM is the first physical Hardware Security Module on the market designed to apply Secure Multi-party Computation (SMPC) for Cryptographic Key Management.
The core of the solution is the unique and patent-pending technology that has never been used in HSM modules before.
PRODUCT OVERVIEW
This revolutionary design is the intellectual property of the founders of i4p, the leading cryptography professionals of the region.
Thanks to its SMPC capability, TRIDENT Multi-party HSM generates RSA key pairs, and signs and decrypts with them, in a distributed manner. In the most secure configuration, the SMPC cluster mode, the private key never exists as a whole on any device: not at generation, not in storage and not during computation. Each device in the cluster holds only one share of the key. In the faster configuration, the so-called trusted dealer method, one device generates the key, splits it into shares, securely distributes the shares to the other devices in the cluster and then irrevocably erases the whole key.
Signing and decryption are executed separately on all devices or, depending on how the cluster is configured, on an n-out-of-k quorum of them; each participating device uses only the key share it has been entrusted to store and protect, and the whole key is never reassembled anywhere. The combined output is nevertheless a standard RSA signature or RSA decryption, so the result is fully compatible with existing cryptographic services and verifiers.
Multi-party Computation
The TRIDENT Multi-party HSM system generates RSA signing and encryption key pairs in a distributed manner. In the most secure mode, no appliance ever sees a private key as a whole: each appliance generates, stores and uses only its own share of the secret. In the faster mode, the so-called trusted dealer method, one appliance generates the secret, splits it into shares and securely distributes them to the other appliances before securely erasing the generated key.
The signature or decryption functions are executed separately on all appliances or, if the cluster is configured that way, on an n-out-of-k quorum of them; each participating appliance uses only the share it stores and protects. The result of this procedure is always a standard RSA signature or RSA decryption.
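The two passages above (Product overview and Multi-party Computation) describe a trusted dealer splitting an RSA private key into shares, each device computing with its own share only, and the combined result being an ordinary RSA signature. The following is an added example of that idea, written for this page; it is not i4p's code and says nothing about how TRIDENT actually implements its protocol. It uses a textbook construction: a Shamir polynomial over phi(N) to share the private exponent d so that any t of n devices can sign (the page's "n-out-of-k"), and the n! multiplier from Shoup's threshold RSA to combine the partial signatures without computing inverses modulo phi(N). The modulus size, the SHA-256 message representative, the device indices and the function names are all assumptions made for the example; a real HSM applies PKCS#1 encoding and far more validation.

```python
# Added example, not i4p's TRIDENT code: t-of-n threshold RSA signing with a
# trusted dealer. Shares of d come from a Shamir polynomial mod phi(N); the
# quorum's partial signatures are combined with Shoup's delta = n! trick.
import secrets
from fractions import Fraction
from hashlib import sha256
from math import factorial, gcd

SMALL_PRIMES = [p for p in range(2, 200) if all(p % q for q in range(2, p))]

def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def egcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def trusted_dealer(t, n, modulus_bits=1024, e=65537):
    """Dealer role: generate the RSA key, split d into n shares of which any t
    suffice, then drop d and phi (the dealer erasing the whole key)."""
    while True:
        p, q = gen_prime(modulus_bits // 2), gen_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    N = p * q
    d = pow(e, -1, phi)
    # f(X) = d + a1*X + ... + a_{t-1}*X^(t-1) mod phi; device i receives f(i)
    coeffs = [d] + [secrets.randbelow(phi) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, k, phi) for k, c in enumerate(coeffs)) % phi
              for i in range(1, n + 1)}
    return (N, e), shares

def message_representative(msg, N):
    """Toy encoding (assumption): SHA-256 digest as an integer below N."""
    return int.from_bytes(sha256(msg).digest(), "big") % N

def partial_signature(share, H, N, n):
    """Run on one device, using nothing but its own share."""
    return pow(H, factorial(n) * share, N)

def combine(partials, H, N, e, n):
    """Turn the quorum's partial signatures {i: x_i} (at least t of them)
    into the plain RSA signature H^d mod N."""
    delta = factorial(n)
    w = 1
    for i in partials:
        lam = Fraction(delta)  # delta times the Lagrange coefficient at X = 0
        for j in partials:
            if j != i:
                lam *= Fraction(j, j - i)
        assert lam.denominator == 1  # delta = n! clears every denominator
        w = w * pow(partials[i], int(lam), N) % N  # negative exponent = inverse
    # w == H^(delta^2 * d), hence w^e == H^(delta^2); strip the delta^2 factor
    g, a, b = egcd(delta * delta, e)
    assert g == 1  # holds because e is prime and larger than n
    return pow(w, a, N) * pow(H, b, N) % N

def verify(sig, H, N, e):
    return pow(sig, e, N) == H

if __name__ == "__main__":
    (N, e), shares = trusted_dealer(t=3, n=5)  # 5 devices, any 3 may sign
    H = message_representative(b"constructed sample message", N)
    quorum = {i: partial_signature(shares[i], H, N, 5) for i in (1, 3, 5)}
    sig = combine(quorum, H, N, e, 5)
    print("standard RSA signature verifies:", verify(sig, H, N, e))
```

Two properties worth checking when running it: any two different quorums of three devices produce bit-identical signatures, because the RSA signature of a given representative is unique, which is what makes the output indistinguishable from a single-key signer; and two devices alone produce a value that does not verify, which is the threshold at work. The example omits what a production protocol adds on top, such as verifiable shares and proofs of correct partial signatures, and it does not cover the page's other mode, in which the key is generated by an SMPC protocol with no dealer ever holding d.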
High availability architecture
Thanks to its distributed architecture, the TRIDENT Multi-party HSM meets the most demanding availability and load-balancing requirements. Deployed across geographically dispersed datacenters, it is as disaster tolerant as any IT service can be; deployed close together, the appliances achieve the highest throughput. Whichever layout is chosen, the cluster provides its service as a single system: any of the appliances can accept requests from the outside world, so very high availability and load balancing can be achieved.
TRIDENT Multi-party HSM deploys simply into existing TCP/IP network infrastructures and smoothly communicates with other network devices.
The HSM crypto functionality can be utilized using the industry-standard PKCS#11 library, OpenSSL and the proprietary CMAPI interface of the HSM.
Common Criteria Certified
TRIDENT HSM has successfully achieved Common Criteria EAL 4+ certification (Evaluation Assurance Level EAL 4 augmented by AVA_VAN.5 and ALC_FLR.3 based on ISO/IEC 18045:2008) meeting the requirements of both the Protection Profile for Cryptographic Module for Trust Services (EN 419221-5) and the Protection Profile for QSCD for Server Signing (EN 419241-2) with strict conformance.
eIDAS compatibility
TRIDENT Multi-party HSM's underlying Crypto Module is a Qualified Signature (and Seal) Creation Device (QSCD) under European Union Regulation 910/2014 on Electronic Identification and Trust Services (eIDAS). The TRIDENT Multi-party HSM therefore enables Trust Service Providers to offer both Qualified and non-Qualified Remote Electronic Signature and Remote Electronic Seal services at the highest level of security a user of such trust services can require.
Multifactor authentication
TRIDENT Multi-party HSM supports multifactor authentication for both local and remote users. In addition to passwords, the Time-based One-Time Password (TOTP) mechanism of RFC 6238 can be enabled for any administrator or user. The TOTP codes can be generated with any standard authenticator application, such as Google Authenticator running on a smartphone.
Upload local applications/Protected environment
TRIDENT Multi-party HSM has an integrated Tamper Detection Module (TDM) with multiple sensors that monitor the environment for maximum security, even while the appliance is not powered. The sensitivity of the TDM sensors can be configured to fit the operating environment of the appliance. TRIDENT Multi-party HSM also allows local client applications (LCAs) to be installed into its protected environment. LCAs run in protected containers, built on the industry-standard Linux container framework, so that they are isolated both from other LCAs and from the HSM core.
Easy integration
TRIDENT Multi-party HSM deploys simply into existing TCP/IP network infrastructures and communicates smoothly with other network devices. The HSM crypto functionality can be used through the industry-standard PKCS#11 library, OpenSSL and the proprietary CMAPI interface of the HSM. TRIDENT Multi-party HSM can also communicate directly with security access modules (e.g. MIFARE SAM AV2) to enable quick and secure integration into ticketing ecosystems.
CRYPTOGRAPHIC APIs
CERTIFICATIONS
CRYPTOGRAPHY
PHYSICAL CHARACTERISTICS