Entrust nShield Connect XC/5c
A family of advanced network HSMs with high-speed support for 8192-bit keys.
Entrust has regularly and consistently released successive generations of general-purpose cryptographic modules. They remain faithful to the original design assumptions made for the first modules two decades ago, but are extended with additional features and, of course, offer increasingly higher performance. Also unchanged is the requirement for the highest level of security, which is confirmed by the relevant security certifications.
Currently, the range includes the Connect XC series and the latest 5c line. The main change, in addition to the obvious large increase in device performance achieved by using new processors and much more memory, is the ability to expand the devices without replacing them. This is done by purchasing and activating an appropriate license, similar to client licenses. There is also broader support for elliptic curve cryptography (ECC), which is gaining in popularity and practical significance. As before, the devices allow the storage of an unlimited number of keys. Compatibility with the legacy Security World environment has been preserved, so existing systems can be expanded and easily scaled up later.
Main features of the devices:
- Security and isolation of sensitive cryptographic operations and key assignment for critical applications in the organization
- Reduced compliance costs (one network module serves multiple applications)
- Simplified cryptographic key management
- Protection of sensitive data by ensuring that it is processed in a secure device environment
- Support for business continuity and minimized service unavailability with dual hot-swap power supplies and redundant, easily replaceable fans
- Backward compatibility
- Full remote management and monitoring capability
Hardware security for applications
The nShield Connect XC / 5c allow you to provide hardware-based information protection for critical applications and systems such as public key infrastructure (PKI), databases, application servers and web servers. Using standard cryptographic interfaces, the device can be integrated into any software that implements one of the wide range of supported interfaces. Secure code execution when processing sensitive data on the HSM platform prevents Trojan software attacks and other attacks on the confidentiality of that data.
The nShield Connect XC / 5c are tamper-resistant and tamper-responsive devices. If a tampering attempt is detected, the devices stop performing all cryptographic operations, alert the operator to the incident, and finally restore the factory default state with sensitive key data removed. The tamper detection function can be disabled on demand. If an alarm has already been triggered, keys and metadata can be restored using Security World data from a remote file system and cards from the administrator card set.
The devices also provide a second layer of tamper protection. Inside each device is an nShield PCI Express HSM card that provides tamper protection at the level specified in the requirements for FIPS certification (for Connect XC: FIPS 140-2 level 3; for 5c: FIPS 140-3 level 3, certification pending).
Ensuring high availability
The devices are designed to ensure high availability and business continuity of processes. The nShield Connect XC / 5c have duplicated fan modules and power supplies: hot-swap components that can be easily replaced in the event of a failure without the need to send the unit to a service center.
Management
All devices in the nShield lineup use Security World for management, reducing device configuration and administration time to a minimum. Security World provides secure support for remote data center operations, disaster recovery including complete hardware replacement, and key sharing between several HSM devices. Keys and metadata can be automatically restored without the need for additional hardware or systems, reducing the overall cost of operations.
Performance
Performance is measured in transactions/signatures per second (TPS):
RSA performance | Key size | Base | Mid | High |
---|---|---|---|---|
Connect XC | 2048 bit | 430 | 3500 | 8600 |
Connect XC | 4096 bit | 100 | 850 | 2025 |
5c | 2048 bit | 670 | 3949 | 13614 |
5c | 4096 bit | 135 | 814 | 2200 |
5c | 8192 bit | 19 | 115 | 309 |
Note: performance may depend on the operating system, applications, local network structure and other factors.
Supported cryptographic algorithms | Algorithms |
---|---|
Symmetric algorithms and MACs | AES, AES-GCM, Arcfour, ARIA, Camellia, CAST, MD5 HMAC, RIPEMD160 HMAC, SEED, SHA-1 HMAC, SHA-224 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC, Tiger HMAC, 3DES |
Asymmetric algorithms | RSA, Diffie-Hellman, ECMQV, DSA, El-Gamal, KCDSA, ECDSA (including NIST, Brainpool and secp256k1 curves), ECDH, Edwards (Ed25519, Ed25519ph) |
Hash algorithms | MD5, SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160, RIPEMD160, SHA-3 (224, 256, 384, 512 bit) |
Technical specification | Details |
---|---|
Physical characteristics | Standard 1U 19 in. rack mount; dimensions: 43.4 x 430 x 705 mm (1.7 x 16.9 x 27.8 in). Power consumption: up to 2.0 A at 110 V AC, 60 Hz, or 1.0 A at 220 V AC, 50 Hz |
Supported OS* | Windows and Linux operating systems, including distributions from Red Hat, SUSE, and major cloud service providers, running as virtual machines or in containers |
API | PKCS#11, Microsoft CryptoAPI/CNG, Java JCE, OpenSSL, nCore, Web Services |
Certifications and compliance (depends on model) | Connect XC: FIPS 140-2 level 3; 5c: FIPS 140-3 level 3; Common Criteria EAL4+; UQSCD; UL, CE, FCC, UKCA, RCM, Canada ICES; RoHS, WEEE |