Entrust nShield Connect XC/5c

A family of advanced network HSMs with high-speed support for 8192 bits keys.

Entrust has regularly and consistently unveiled successive generations of general-purpose cryptographic modules. They pay tribute to the same original assumptions made for the first modules two decades ago, but are expanded with additional features and, of course, have increasingly higher performance. Also unchanged is the assumption of the need for the highest level of security, which is confirmed by the relevant security certificates.

Currently, the range includes the Connect XC series and the latest 5c line. The main changes, in addition to the obvious large increase in device performance, achieved by using new processors and much more memory, is the ability to expand the devices without replacing it. This is realized by purchasing and activating an appropriate license, similar to client licenses. There is also greater support for elliptic curve-based cryptography (ECC), which is gaining in popularity and practical significance. Of course, the devices still allow the storage of an unlimited number of keys. Compatibility with Security World’s legacy environment has been preserved, allowing already existing systems to be expanded and easily scaled up later.

Main features of the devices:

  • Security and isolation of sensitive cryptographic operations and key assignment for critical applications in the organization
  • Reduce compliance costs (one network module for multiple applications)
  • Simplification of cryptographic key management
    Protect sensitive data by ensuring that it is processed in a secure device environment
  • Support business continuity and minimize service unavailability time with dual hot-swap power supplies and redundant, easily replaceable fans
  • Backward compatibility
  • Full remote management and monitoring capability

Hardware security for applications

The nShield Connect XC / 5c allow you to provide hardware-based information protection for critical applications and systems such as PKI public key infrastructure, databases, application and web servers. Using standard cryptographic interfaces, the device can be integrated into any software implementing one of a wide range of supported software interfaces. Secure code execution when processing sensitive data on the HSM platform prevents Trojan software attacks and other attacks on the confidentiality of that data.

The nShield Connect XC / 5c are tamper-resistant and responsive (temper-responsive) devices. If tampering attempts are detected, the devices stop performing all cryptographic operations, alert the operator to the incident, and finally restore the factory default state with sensitive key data removed. The tamper detection function can be disabled on demand. If an alarm is already triggered then keys and meta-data can be restored using Security World data from a remote file system and cards from a set of administrative cards.

The devices also provide a second layer of tamper protection. Inside the devices is an HSM nShield PCI Express card that provides tamper protection at the level specified in the requirements for FIPS certification (for Connect XC: FIPS 140-2 level 3, for 5s FIPS 140-3 level 3 – pending certification).

Ensuring high availability

The devices are designed to ensure high availability and business continuity of processes. The nShield Connect XC / 5s have duplicated fan modules and power supplies – hot-swap components that can be easily replaced in the event of a failure without the need to send the unit to a service center.

In addition, the design of the devices includes redundant fans that can be easily replaced in the case of failure without the need to send the device to a service center.

In addition, in order to ensure high availability, nShield Connect devices can operate in a cluster configuration, which allows the load to be evenly distributed among individual devices (Load Balancing).

Management

All devices in the nShield lineup use Security World for management, reducing device configuration and administration time to a minimum. Security World provides secure support for remote data center operations, disaster recovery including complete hardware replacement, and key sharing between several HSM devices. Keys and meta information can be automatically restored without the need for additional hardware or systems, reducing the overall cost of operations.

Datasheet

Performance

Performance is measured in transactions/signatures per second (TPS):

RSA performanceBaseMidHigh
Connect XC430 - 2048 bit
100 - 4096 bit
3500 - 2048 bit
850 - 4096 bit
8600 - 2048 bit
2025 - 4096 bit
5c670 - 2048 bit
135 - 4096 bit
19 - 8192 bit
3949 - 2048 bit
814 - 4096 bit
115 - 8192 bit
13614 - 2048 bit
2200 - 4096 bit
309 - 8192 bit
Note: performance may depend on the operating system, applications, local network structure and other factors.
Supported cryptographic algorithms
Symmetric algorithmsAES, AES-GCM, Arcfour, ARIA, Camellia, CAST, MD5 HMAC, RIPEMD160 HMAC, SEED, SHA-1 HMAC, SHA-224 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC, Tiger HMAC, 3DES
Asymmetric algorithmsRSA, Diffie-Hellman,ECMQV, DSA, El-Gamal, KCDSA, ECDSA (including NIST, Brainpool secp256k1 curves), ECDH, Edwards (Ed25519, Ed25519ph)
HASH algorithmsMD5, SHA-1, SHA-2, (224, 256, 384, 512 bit), HAS-160, RIPEMD160, SHA-3 (224, 256, 384, 512 bit)
Technical specification
Physical characteristicsStandard 1U 19in. rack mount, dimensions: 43.4 x 430 x 705mm (1.7 x 16.9 x 27.8in)
Power consumption: up to 2.0A at 110V AC, 60Hz | 1.0A at 220V AC, 50Hz
Supported OS*Windows and Linux operating systems including distributions from Red Hat, SUSE, and major cloud service providers running as virtual machines or in containers
APIPKCS#11
Microsoft CryptoAPI/CNG
Java JCE
OpenSSL
nCore
Web Services
Certifications &Compliances (depens on model type)Connect XC: FIPS 140-2 level 3
5c: FIPS 140-3 level 3 - (pending)
Common Criteria EAL4+
UQSCD
UL, CE, FCC, UKCA, RCM, Canada ICES
ROHS, WEEE
* Contact us in order to obtain detailed information regarding support for a specific OS version.