The trusted security provider to your trusted security provider

Transcription

1 1 R

2 ABOUT CRYPTSOFT The trusted security provider to your trusted security provider CRYPTSOFT is a privately held Australian company that operates worldwide in the enterprise key management security market. Cryptsoft s Key Management Interoperability Protocol (KMIP) and PKCS#11 software development kits (SDKs) are the market s preferred OEM solutions. Cryptsoft s solutions have been selected by prominent global companies for interoperable enterprise key management and encryption technology in their storage, infrastructure & security and cloud products. Cryptsoft is committed to the development of standards based security software and is an OASIS Foundational Sponsor, SNIA and SSIF Voting Member. CRYPTSOFT S valued customers include: SALES.COM

3 I DIDN T KNOW YOU DID THAT? KMIP adoption KMIP embedded in major enterprise products STORAGE INFRASTRUCTURE & SECURITY CLOUD Disk Arrays, Flash Storage Arrays NAS Appliances Tape Libraries, Virtual Tape Libraries Encrypting Switches Storage Key Managers Storage Controllers Storage Operating Systems Key Managers Hardware Security odules Encryption Gateways Virtualization Managers Virtual Storage Controllers Network Computing Appliances Secure Application Development Key Managers Compliance Platforms Information Managers Enterprise Gateways and Security Enterprise Authentication Endpoint Security Financial Services Applications Banking Applications SALES.COM

4 Selecting a KMIP Vendor Questions to ask vendors KMIP is an established OASIS standard but not all vendors are suitable to deliver your critical business needs. The following are questions that customers need to ask vendors of KMIP products to ensure that they get a secure, flexible and standards compliant KMIP product that will meet their current and future needs. Open Standards KMIP Support Question Does the vendor participate in open key management standards? Does the vendor offer an open standard in their currently shipping servers? Does the vendor offer an open standard in their key management clients? Does the vendor actually use the open standard in their integrations? Does the vendor offer support for OASIS? KMIP 1.0? KMIP 1.1? KMIP 1.2? KMIP 1.3? KMIP 1.4? Are all KMIP Profiles Supported? Other Ability to support your development? Does the vendor provide an SDK for application integration? Which programming languages are supported: - ANSI C? - C++? - C-Sharp (C#)? - Java? - Python? Are these supported on multiple platforms? Is there support for standard Web integration? Is source for the SDK provided or able to be purchased? Interoperability Audit/ Analytics/ Compliance Does the vendor participate in open interoperability demonstrations? Is all claimed KMIP functionality support independently verified? Are independent testing reports available? Can a customer easily repeat the claimed interoperability testing? Are interoperability servers internet available for testing? Are Standard secure Web Proxies supported for navigation of gateways/ firewalls? Are all operations on a KMIP server able to be recorded for: - Audit? - Analytics? - Compliance? Can third-party clients be monitored? SALES.COM

5 Key Management SDKs Complete vendor-independent key management solution Cryptsoft s Key Management SDKs enable rapid addition of interoperable key management functionality to your existing products. Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor s endpoint. Key Features Full OASIS KMIP compliance Versions: 1.0, 1.1, 1.2, 1.3*, 1.4 Guaranteed interoperability With all released KMIP products Cross-Language Support Clients in C, Java, C-Sharp, C++ and Python Servers in C and Java As the security market s preferred KMIP vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential. Using the Cryptsoft SDKs in ANSI C, Java, C-Sharp, C++ and Python, you can support KMIP key management protocols with a single, consistent interface and provide your customers with a complete vendor-independent key management solution. Clients Servers KMIP KEY MANAGEMENT INTEROPERABILITY PROTOCOL SALES.COM

6 KMIP Key Management Interoperability SDKs Test Suite Complete vendor-independent key management solution Client SDK Products KMIP C Client SDK KMIP Java Client SDK KMIP C-Sharp Client SDK KMIP C++ Client SDK KMIP Python Client SDK KMIP C Client Layered Protocol SDKs for Proprietary Protocols KMIP C Client PKCS11 Adapter KMIP C Client Oracle TDE & Microsoft BitLocker KMIP C Client Layered Protocol SDK KMIP C Interoperability Test Suite KMIP Java Interoperability Test Suite Online Test Service (XML/JSON) Server SDK Products KMIP C Server SDK KMIP Java Server SDK KMIP Alert Server SDK KMIP Server VM Subscription (Annual - C or Java) KMIP Server Administration Interface (for C or Java Server SDK) KMIP C Proxy Servers for Proprietary Protocols KMIP C Server Integration Modules (PKCS11, HSM, RNG) KMIP C Server OTP Server Module KMIP C Server Integration Module (Audit/Analytics/Compliance) Features Comprehensive example code Source licence option Supports KMIP v1.0, v1.1, v1.2, and v1.3*, 1.4 Supports proprietary key management protocols (optional plugins to C SDK) Supported Hardware Security Modules and Random Number Generators ID Quantique - Quantis USB (RNG) [Vendor] ID Quantique - Quantis PCI (RNG) [Vendor] ID Quantique - Quantis PCIe (RNG) [Vendor] Feitian - epass [PKCS#11] Oracle - SCA6000 [PKCS#11] SafeNet - Luna SA4/SA5 (RNG/HSM) [PKCS#11] SafeNet - Luna CA (RNG/HSM) [PKCS#11] SafeNet - Luna PCI (RNG/HSM) [PKCS#11] SafeNet - Protect Server (RNG/HSM) [PKCS#11] Thales e-security - nshield Connect (RNG/HSM) [PKCS#11] Thales e-security - nshield Edge (RNG/HSM) [PKCS#11] Thales e-security - nshield Solo (RNG/HSM) [PKCS#11] Utimaco CryptoServer CSe10 PCIe/LAN (RNG/HSM) [PKCS#11] Utimaco CryptoServer CSe100 PCIe/LAN (RNG/HSM) [PKCS#11] Supported One Time Password Devices Android [OATH-TOTP] [Soft Token] Cryptsoft [OATH-TOTP] Feitian [OATH-HOTP/TOTP] Apple [OATH-TOTP] [Soft Token] Mi-Token [OATH-TOTP] [Soft Token] RSA Security SecurID [SecurID] Litheware Tombé [OATH-HOTP] [YubiKey] Yubico [OATH-HOTP/TOTP] [YubiKey] Supported Databases Oracle MySQL Oracle Database Microsoft SQL Server SQLite IBM DB2 PostgreSQL Embedded (lightweight) HSQLDB java SALES.COM

7 KMIP Client SDKs C, C++, C#, Java, Python A complete range of vendor-independent key management solutions Cryptsoft s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing applications. Reduce time to market, KMIP-enable your solution within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs. From specialised embedded systems through to scalable, whole of enterprise solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution. Key Features Full OASIS KMIP compliance Versions: 1.0, 1.1, 1.2, 1.3*, 1.4 Guaranteed interoperability With all released KMIP server products Extensive range of supported platforms Custom platform ports on request Available as a binary SDK Source license option Comprehensive example code Custom examples available - rapid integration Supported on over 35 different platforms Including Linux, Windows, Embedded KMIP KEY MANAGEMENT INTEROPERABILITY PROTOCOL KMIP Server SDKs c java KMIP Client SDK KMIP Client SDKs ckmip c++ cserver # java SDKpython SALES.COM

8 KMIP Client SDKs C, C++, C#, Java, Python KMIP Client Examples Simple Protocol Format Parsing TTLV, HEX, BIN, JSON, XML Simple Servers Query, Notify, Put Simple Clients Locate Objects, Create and Return Objects Locating Managed Objects Simple, Extended, IBM TKLM/SKLM, XML KMIP Standard Operations Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-key, Re-key Key Pair 1.1, Archive, Recover, Activate, Derive Key Creating Keys Simple, Advanced, Extensions Supported KMIP Profiles Advanced Cryptographic Client 1.2 Advanced Symmetric Key Foundry Client Asymmetric Key Lifecycle Client Baseline Client Basic Baseline Client TLS v1.2 Basic Cryptographic Client 1.2 Supported KMIP Operations Activate Add Attribute Archive Cancel Certify Check Create Create Key Pair Create Split Key 1.2 Decrypt 1.2 Delete Attribute Derive Key Destroy Discover Versions 1.1 Managing Attributes Add, Modify, Delete Attribute Linear Tape Open (LTO) LTO-4 Key Management, LTO-5/6 Key Management, KAD, AKAD, UKAD naming, Generic LTO-4 Random Number Generator (RNG) 1.2 Retrieve Server RNG, Seed Server RNG Server Cryptographic Operations 1.2 Encrypt, Decrypt, Sign, Signature Verify MAC, MAC Verify, Hash Determine Capabilities Server SDK Version, Discover Protocol Versions 1.1, Query Server Basic, Query Server Extensions 1.1, Query Advanced Capabilities 1.3 Basic Symmetric Key Foundry Client HTTPS Client Intermediate Symmetric Key Foundry Client JSON Client Opaque Managed Object Store Client RNG Cryptographic Client 1.2 Encrypt 1.2 Get Get Attribute List Get Attributes Get Usage Allocation Hash 1.2 Join Split Key 1.2 Locate MAC 1.2 MAC Verify 1.2 Modify Attribute Notify Obtain Lease Poll Split Key (Multi-Party Controls) 1.2 Create Split Key, Join Split Key Cryptsoft Vendor Extensions SQL Insert, SQL Update, SQL Delete Generic Multi-protocol Key Handling c c++ Get Key, Put Key, Del Key Request/Response Handling Recording, Replaying, Batching, Bulk Data Loading Client Credential Handling Password-protected TLS Credentials Device Credentials, IBM TKLM/SKLM Storage Array With SED Client Suite-B MinLOS_128 Client Suite-B MinLOS_192 Client Symmetric Key Lifecycle Client Tape Library Client XML Client Put Register Register Query Re-certify Recover Re-key Re-key Key Pair 1.1 Revoke RNG Retrieve 1.2 RNG Seed 1.2 Sign 1.2 Signature Verify 1.2 Validate KMIP Object Types Certificate Opaque Object PGP Key Private Key Public Key Secret Key Supported Encodings TTLV HTTPS/TTLV HTTPS/JSON HTTPS/XML Split Key Symmetric Key Template Supported KMIP Servers Supported Cryptographic Providers OpenSSL 1.0.x OpenSSL FIPS 2.0 OpenSSL (option) Sun/Oracle JCE IBM JCE RSA BSAFE MES 3.x, 4.x (option) RSA BSAFE Share-C (option) RSA BSAFE Crypto-J Bouncy Castle JCE SALES.COM

9 KMIP Server SDKs C and Java A complete range of vendor-independent key management solutions Cryptsoft s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing applications. Reduce time to market, KMIP-enable your solution within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs. From specialised embedded systems through to scalable, whole of enterprise solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution. Key Features Full OASIS KMIP compliance Versions: 1.0, 1.1, 1.2, 1.3*, 1.4 Guaranteed interoperability With all released KMIP server products Extensive range of supported platforms Custom platform ports on request Available as a binary SDK Source license option Comprehensive example code Custom examples available - rapid integration Supported on over 35 different platforms Including Linux, Windows, Embedded KMIP KEY MANAGEMENT INTEROPERABILITY PROTOCOL KMIP Server SDKs c java KMIP Client SDK KMIP Client SDKs ckmip c++ cserver # java SDKpython SALES.COM

10 KMIP Server SDKs C and Java KMIP Server Examples Simple Protocol Format Parsing Managing Attributes TTLV, HEX, BIN, JSON, XML Add, Modify, Delete Attribute Simple Clients Operations Random Number Generator (RNG) 1.2 Locate Objects, Create and Return Objects Retrieve Server RNG, Seed Server RNG Locating Managed Objects Split Key (Multi-Party Controls) 1.2 Simple, Extended, IBM TKLM/SKLM, Create Split Key, Join Split Key XML Creating Keys KMIP Standard Operations Simple, Advanced, Extensions Create, Register, Destroy, Get, Get Attribute Determine Capabilities List, Get Attributes, Create Key Pair, Rekey, Re-key Key Pair 1.1, Archive, Recover, Versions 1.1, Query Server Basic, Query Server SDK Version, Discover Protocol Activate, Derive Key Server Extensions 1.1, Server Cryptographic Operations 1.2 Query Advanced Capabilities 1.3 Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, Hash Supported KMIP Profiles Advanced Cryptographic Server 1.2 Advanced Symmetric Key Foundry Server Asymmetric Key Lifecycle Server Baseline Server Basic Baseline Server TLS v1.2 Basic Cryptographic Server 1.2 Basic Symmetric Key Foundry Server HTTPS Server Intermediate Symmetric Key Foundry Server JSON Server Opaque Managed Object Store Server RNG Cryptographic Server 1.2 Cryptsoft Vendor Extensions SQL Insert, SQL Update, SQL Delete Request/Response Handling Recording, Replaying, Batching, Bulk Data Loading Administration Create, Modify, Delete Users, Partitions, Groups, Manage Group Privileges, Serialize, Deserialize Managed Objects Database Schema Management and Migration Fixture Loading, SQL Replay Simple Servers Query, Notify, Put JCE Examples Key Store Provider Storage Array With SED Server Suite-B MinLOS_128 Server Suite-B MinLOS_192 Server Symmetric Key Lifecycle Server Tape Library Server XML Server Supported KMIP Operations Activate Add Attribute Archive Cancel Certify Check Create Create Key Pair Create Split Key 1.2 Decrypt 1.2 Delete Attribute Derive Key Destroy Discover Versions 1.1 Encrypt 1.2 Get Get Attribute List Get Attributes Get Usage Allocation Hash 1.2 Join Split Key 1.2 Locate MAC 1.2 MAC Verify 1.2 Modify Attribute Notify Obtain Lease Poll Put Register Register Query Re-certify Recover Re-Key Re-key Key Pair 1.1 Revoke RNG Retrieve 1.2 RNG Seed 1.2 Sign 1.2 Signature Verify 1.2 Validate Supported Databases Supported Cryptographic Providers Supported Encodings HSQLDB SQLite3 MySQL 5.x Oracle 11.x, 12.x SQL Server IBM DB2 9 & 10 PostgreSQL 8 & 9 Supported KMIP Clients OpenSSL 1.0.x OpenSSL (option) OpenSSL FIPS 2.0 Sun/Oracle JCE IBM JCE RSA BSAFE Crypto-J Bouncy Castle JCE TTLV HTTPS/TTLV HTTPS/JSON HTTPS/XML SALES.COM

11 KMIP C Server Optional Modules Audit, Analytics and Compliance for KMIP Cryptsoft s KMIP C Server Integration Module lets you rapidly add Auditing, Analytics or Compliance features to your KMIP solution. Designed as a component for Cryptsoft s KMIP C Server SDK this allows configurable data collection features for all KMIP compliant key operations allowing your enterprise to Analyze, Audit or ensure the compliance of your key management solution. Cryptsoft s KMIP C Server Integration Module allows all operations from KMIP Servers and Clients that perform key operations on the KMIP server to be recorded and subsequently be interrogated by the Audit, Analytics or Compliance functions in real-time or processed in batch mode to inform operations staff of the performance characteristics of the solution. Key Features Full OASIS KMIP compliance Versions: 1.0, 1.1, 1.2, 1.3*, 1.4 Guaranteed interoperability With all released KMIP server products Extensive range of supported platforms Custom platform ports on request Comprehensive example code Custom examples available - rapid integration Supported on over 35 different platforms Including Linux, Windows, Embedded KMIP Clients or Servers that request key operations from a KMIP Server with the KMIP C Server Integration Module operating do not require special features enabled to enable these enhanced features allowing vendor-independent Audit, Analytics or compliance management without replacing existing end points. Clients KMIP KEY MANAGEMENT INTEROPERABILITY PROTOCOL SALES.COM

12 KMIP C Server Optional Modules Audit, Analytics and Compliance for KMIP The Audit option allows for the systematic and independent examination of records of key operations in an organization to ascertain to what degree the operational reports present a true and fair view of the security of key operations. Server Performance The Analytics option allows for the discovery and communication of meaningful patterns within the audited key operations. This option is available in real-time on the KMIP Server Administration Interface or may be extracted as a scheduled or adhoc data extract for analysis using client tools. Compliance monitors the KMIP operations in a KMIP server to determine whether the key operations undertaken in the enterprise meets stated company policy, and will raise alerts when a threshold of noncompliant operations is performed or acted upon by the server. Invalid Key Requests Supported KMIP Operations Activate Add Attribute Archive Cancel Certify Check Create Create Key Pair Create Split Key 1.2 Decrypt 1.2 Delete Attribute Derive Key Destroy Discover Versions 1.1 Encrypt 1.2 Get Get Attribute List Get Attributes Get Usage Allocation Hash 1.2 Join Split Key 1.2 Year 1 Year 2 Locate MAC 1.2 MAC Verify 1.2 Modify Attribute Notify Obtain Lease Poll Year 3 Put Register Register Query Re-certify Recover Re-Key Re-key Key Pair 1.1 Year 4 Year 5 Revoke RNG Retrieve 1.2 RNG Seed 1.2 Sign 1.2 Signature Verify 1.2 Validate Supported Databases HSQLDB SQLite3 MySQL 5.x Oracle 11.x, 12.x SQL Server IBM DB2 9 & 10 PostgreSQL 8 & 9 SALES.COM

13 # Test ID % & SKFF-M-1-10 SKFF-M-2-10 SKFF-M-3-10 SKFF-M-4-10 SKFF-M-5-10 SKFF-M-6-10 SKFF-M-7-10 SKFF-M-8-10 SKFF-M-9-10 SKFF-M % 25% 5% 12% 15% 20% 18% 5% 20% 10% KMIP Interoperability Test Suite Complete verification solution Cryptsoft s Key Management Interoperability Protocol Test Suites (KXUC) let you rapidly confirm the interoperability status of your product. Reduce time to market and release with the confidence provided by data driven testing. Backed by a global support network, Cryptsoft s KMIP SDKs offer a total key management solution. Key Features Full OASIS KMIP compliance Versions: 1.0, 1.1, 1.2, 1.3*, 1.4 Available as a binary SDK or as a service Source license option Comprehensive test cases KMIP Test Cases and KMIP Profile Test Cases KMIP TEST CASES KMIP PROFILES Define Analyse KXUC C KXUC Java KXUC Web KXUC Cloud Transform Execute Test Report SALES.COM

14 KMIP Interoperability Test Suite Complete verification solution TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC-NP-1-10 TC-NP-2-10 TC-ECC-1-10 TC-ECC-2-10 KMIP v1.0 TC-ECC-3-10 SKFF-M-1-10 SKFF-M-2-10 SKFF-M-3-10 SKFF-M-4-10 SKFF-M-5-10 SKFF-M-6-10 SKFF-M-7-10 SKFF-M-8-10 SKFF-M-9-10 SKFF-M SKFF-M SKFF-M SKFF-O-1-10 SKFF-O-2-10 SKFF-O-3-10 SKFF-O-4-10 SKFF-O-5-10 SKFF-O-6-10 SKLC-M-1-10 SKLC-M-2-10 SKLC-M-3-10 SKLC-O-1-10 AKLC-M-1-10 AKLC-M-2-10 AKLC-M-3-10 AKLC-O-1-10 OMOS-M-1-10 SASED-M-1-10 SASED-M-2-10 SASED-M-3-10 TL-M-1-10 TL-M-2-10 TL-M-3-10 MSGENC-HTTPS-M-1-10 MSGENC-JSON-M-1-10 MSGENC-XML-M-1-10 SUITEB-128-M-1-10 SUITEB-192-M-1-10 TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC KMIP v1.1 TC TC TC TC-NP-1-11 TC-NP-2-11 TC-ECC-1-11 TC-ECC-2-11 TC-ECC-3-11 SKFF-M-1-11 SKFF-M-2-11 SKFF-M-3-11 SKFF-M-4-11 SKFF-M-5-11 SKFF-M-6-11 SKFF-M-7-11 SKFF-M-8-11 SKFF-M-9-11 SKFF-M SKFF-M SKFF-M SKFF-O-1-11 SKFF-O-2-11 SKFF-O-3-11 SKFF-O-4-11 SKFF-O-5-11 SKFF-O-6-11 SKLC-M-1-11 SKLC-M-2-11 SKLC-M-3-11 SKLC-O-1-11 AKLC-M-1-11 AKLC-M-2-11 AKLC-M-3-11 AKLC-O-1-11 OMOS-M-1-11 OMOS-O-1-11 SASED-M-1-11 SASED-M-2-11 SASED-M-3-11 TL-M-1-11 TL-M-2-11 TL-M-3-11 MSGENC-HTTPS-M-1-11 MSGENC-JSON-M-1-11 MSGENC-XML-M-1-11 SUITEB-128-M-1-11 SUITEB-192-M-1-11 TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC TC-NP-1-12 TC-NP-2-12 TC-ECC-1-12 TC-ECC-2-12 TC-ECC-3-12 TC-PGP-1-12 TC-MDO-1-12 TC-MDO-2-12 TC-MDO-3-12 TC-SJ-1-12 TC-SJ-2-12 KMIP v1.2 TC-SJ-3-12 TC-SJ-4-12 SKFF-M-1-12 SKFF-M-2-12 SKFF-M-3-12 SKFF-M-4-12 SKFF-M-5-12 SKFF-M-6-12 SKFF-M-7-12 SKFF-M-8-12 SKFF-M-9-12 SKFF-M SKFF-M SKFF-M SKFF-O-1-12 SKFF-O-2-12 SKFF-O-3-12 SKFF-O-4-12 SKFF-O-5-12 SKFF-O-6-12 SKLC-M-1-12 SKLC-M-2-12 SKLC-M-3-12 SKLC-O-1-12 AKLC-M-1-12 AKLC-M-2-12 AKLC-M-3-12 AKLC-O-1-12 OMOS-M-1-12 OMOS-O-1-12 SASED-M-1-12 SASED-M-2-12 SASED-M-3-12 TL-M-1-12 TL-M-2-12 TL-M-3-12 MSGENC-HTTPS-M-1-12 MSGENC-JSON-M-1-12 MSGENC-XML-M-1-12 SUITEB-128-M-1-12 SUITEB-192-M-1-12 CS-BC-M-1-12 CS-BC-M-2-12 CS-BC-M-3-12 CS-BC-M-4-12 CS-BC-M-5-12 CS-BC-M-7-12 CS-BC-M-8-12 CS-BC-M-9-12 CS-BC-M CS-BC-M CS-BC-M CS-BC-M CS-BC-M CS-RNG-M-1-12 CS-RNG-O-1-12 CS-RNG-O-2-12 CS-RNG-O-3-12 CS-RNG-O-4-12 CS-AC-M-1-12 CS-AC-M-2-12 CS-AC-M-3-12 CS-AC-M-4-12 CS-AC-M-5-12 CS-AC-M-6-12 CS-AC-M-7-12 CS-AC-M-8-12 TC-CREG-2-13 TC-OFFSET-1-13 TC-OFFSET-2-13 TC-OTP-1-13 TC-OTP-2-13 TC-OTP-3-13 TC-Q-CAP-2-13 TC-Q-CREG-1-13 TC-Q-PROF-2-13 TC-Q-RNGS-2-13 TC-Q-VAL-1-13 TC-Q-S2C-1-13 KMIP v1.3 TC-Q-S2C-2-13 TC-Q-S2C-PROF-2-13 TC-STREAM-HASH-1-13 TC-STREAM-HASH-3-13 TC-RNG-ATTR-1-13 TC-RNG-ATTR-2-13 TC-STREAM-ENC-1-13 TC-STREAM-ENC-2-13 TC-STREAM-ENCDEC-1-13 KMIP v1.4 TC-PKCS TC-Q-CAP-3-14 TC-WRAP-1-14 TC-WRAP-2-14 TC-WRAP-3-14 SALES.COM

15 OTP Authentication Tokens Wirelessly programmable OTP tokens Cryptsoft and Feitian have collaborated to deliver a wirelessly programmable OATH compliant One- Time-Password (OTP) authentication token that is supported by Cryptsoft s OASIS Key Management Interoperability Protocol (KMIP) products. Cryptsoft s OTP solution is based on open standards and allows the enterprise to manage the full lifecycle of the seed records that underpin the security in an OTP solution. This ensures that only the enterprise has access to the seed records, and the enterprise has full control over the provisioning, usage, and de-provisioning of tokens. Key Features Strong two-factor authenticator Unique password generated each time OATH compliant time-based TOTP device Easy to integrate with third party systems Single-button OTP hardware token 6 or 8 character LCD OASIS KMIP integration Client authentication and seed provisioning OTP KMIP PKCS11 CR OTP KMIP PKCS11 CR-101 KMIP KEY MANAGEMENT INTEROPERABILITY PROTOCOL OTP with manufacturing test seed OTP Token wirelessly programmed with new seed from KMIP Server Enterprise Key Management Server SALES.COM

16 OTP Authentication Tokens Wirelessly programmable OTP tokens Time based One Time Password (TOTP) tokens provide users with a secure and reliable hardware device to integrate standards-based hardware two-factor authentication. Two-factor authentication with TOTP combines something you know (your password) with something you have (a unique number sequence generated by a hardware device). Both of these factors are required to authenticate which substantially improves the security properties when compared to a single factor authentication solution. The non-predictable six or eight digit token output is derived from both the secret seed record and the on-board real time clock (RTC). A single hardware token can be programmed for variable output (6 or 8 digits) and variable time intervals (30 or 60 seconds) ensuring a solution is easily tailored to your enterprise security context. Two (or more) tokens initialised with the same seed value can be used for person-to-person two-factor authentication entirely independent of any server infrastructure. The same seed record can also be loaded into software based TOTP solutions allowing for a mixed hardware and software deployment context. As tokens are now substantially more cost effective than in the past, each user can be issued with multiple tokens and replacement tokens in the case of token loss, enabling broader use of two-factor authentication within your enterprise. Algorithm Algorithm Class Hardware Input Hardware Display Hardware Serial Hardware Certificate Operating Temperature Storage Temperature Casing Physical Security Key Storage Data Retention Battery Lifecycle Endurance Humidity - OATH TOTP - Time-based - Built-in button Character LCD - Unique S/N - ROHS Compliant C to 50 C C to 70 C - Hard molded ABS - Tamper Evident - Static RAM - Lithium battery years - > 14,000 clicks - 5% to 90% SALES.COM

17 U2F Authentication Tokens FIDO compliant second factor authentication token Cryptsoft and Feitian have collaborated to deliver a Fast IDentity Online (FIDO) Universal Second Factor (U2F) authentication token that is supported by Cryptsoft s OASIS Key Management Interoperability Protocol (KMIP) products. Cryptsoft s U2F token meets the market demand for stronger privacy, security, and increased ease of use while avoiding the difficulties of using multiple usernames and passwords. Feitian s FIDO compliant authentication token brings the benefits of lower costs, stronger security, interoperability, and open standards, while also avoiding vendor lock-in and proprietary technology costs. Key Features One-Device-For-All One device secures multiple services, including services from Google, Yubico and Cryptsoft Privacy Service specific encryption keys No keys shared among service providers Security No phishing or man-in-the-middle attacks Easy to Use Just register once Press one button each time to authenticate No additional drivers or software required Wide Compatibility Works on Windows, Linux, OSX Universally identified as a USB HID device FIDO Alliance Compliant Second Factor Experience (U2F standards) Online Authorisation Request Local Device Authentication Success website Authenticated Login and Password Insert U2F Token, Press button Authenticated SALES.COM

18 U2F Authentication Tokens FIDO compliant second factor authentication token Why is FIDO Different? The FIDO U2F protocol uses standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second factor device or pressing a button. The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. U2F Registration Bank.com 1 4 website.com Lynn John D + Sue rence Rex Bryso 2 3 website Enter User Enter Password website john_d@ .com ******** User is prompted to choose an available FIDO authenticator that matches the online service s acceptance policy. User unlocks the FIDO authenticator using a fingerprint reader, a button on a second factor device, securely entered PIN or other method. User s device creates a new public/private key pair unique for the local device, online service and user s account. Public key is sent to the online service and associated with the user s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device. U2F Login Online service challenges the user to login with a previously registered device that matches the service s acceptance policy. Bank.com website Enter User Enter Password User unlocks the FIDO authenticator using the same method as at Registration time. 1 website.com 2 Device uses the user s account identifier provided by the service to select the correct key and sign the service s challenge. Lynn John D Sue website john_d@ .com ******** Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user. 4 Terence Rex Bryson 3 SALES.COM

19 The Cryptsoft Quality Management System is certified to ISO 9001:2008 Cryptsoft is an OASIS Foundational Sponsor and an active member and contributor to the KMIP and PKCS#11 technical committees KMIP STANDARD PKCS#11 STANDARD Cryptsoft is voting member of the Storage Networking Industry Association (SNIA) and the Storage Security Industry Forum (SSIF)

20 R SALES.COM 1