Entrust nShield 5C
Deliver cryptographic key services to applications distributed across servers and virtual machines with Entrust crypto-agile, highly scalable, next-generation hardware security modules (HSMs).
Entrust nShield 5c HSMs
nShield 5c HSMs are security appliances that deliver cryptographic services to applications across the network, in the cloud, and in hybrid environments. The hardened, tamper-resistant, FIPS 140-3 level 3 certified* platforms perform such functions as encryption, digital signing, and key generation and protection. With their comprehensive capabilities, flexible hybrid deployments, quantum crypto-agility, and 100% compatibility with existing nShield HSM deployments and APIs, these HSMs can support an extensive range of applications, including certificate authorities, code signing, and more.
*FIPS 140-3 Validated, Certificate #4745
High-performance, scalable HSMs that save you time and money
The new nShield 5c models offer enterprises a reduction in total cost of ownership, eliminating costly repeat trips to the data center and reducing the overhead of managing and configuring HSM estates. 功能包括:
- Centralized, remote visualization and management console supporting HSM administration and Security World management
- A serial console supporting provider/tenant deployment models through strong role separation, delineating tasks such as changing network settings from controlling cryptographic actions
- Remote presentation of physical tokens to authorize administration tasks and cryptographic key usage
- Seamless interoperation with all other variants and versions of the nShield HSM family
These features reduce the demands on highly specialized and trained resources, provide enterprises with efficiency gains, and ensure control over the HSMs resides in the hands of the security professionals.
nShield 5c Benefits
强大的架构
Build and grow your HSM estate using Security World, Entrust's unified ecosystem that delivers scalability, load balancing, seamless failover, and disaster recovery.
更快的数据处理
获得业界最高的加密交易速率。 是注重吞吐量环境的理想选择。
保护敏感的业务和应用逻辑
在 nShield 的边界内执行代码,保护您的应用程序及其处理的数据。
技术规格
通过认证的硬件解决方案
Entrust nShield HSMs have earned a broad set of certifications. These certifications help our customers to demonstrate compliance while also helping to give them the assurance that they meet stringent industry standards.
安全合规性
- FIPS 140-3 Level 3
- 根据荷兰 NSCIB 计划,对 EN 419 221-5 保护配置文件进行 eIDAS 和通用标准 EAL4 + AVA_VAN.5 以及 ALC_FLR.2 认证
- Can form the basis of an EN 419 241-2 certified remote signing system for eIDAS
- 符合 BSI AIS 31 生成真实和确定性随机数的要求
安全和环境标准合规性
- UL, CE, FCC, UKCA, RCM, Canada ICES, RoHS, WEEE, REACH
高交易速率
nShield HSM 具有较高的椭圆曲线加密 (ECC) 和 RSA 交易速率。
nShield 5c Models | Base | Mid | 高 |
---|---|---|---|
RSA 签名性能 (tps)(使用 NIST 推荐密钥长度) | |||
2048 位 | 670 | 3,949 | 13,614 |
4096 位 | 135 | 814 | 2,200 |
8192 位 | 19 | 115 | 309 |
ECC 主曲线签名性能 (tps) (使用 NIST 推荐密钥长度) | |||
256 位 | 2,085 | 7,553 | 21,826 |
521 位 | 1,010 | 5,977 | 16,164 |
Key generation (keys/sec) | |||
RSA 2048 bit | 7 | 20 | 23 |
ECDSA P-256 bit | 1,040 | 3,580 | 3,494 |
ECDSA P-521 bit | 518 | 2,480 | 2,724 |
Key agreement performance (transactions/sec) | |||
ECDH P-256 bit | 2,085 | 7,550 | 21,436 |
客户端许可证 | |||
包括 | 3 | 3 | 3 |
Maximum | 10 | 20 | 无限制1 |
1Requires enterprise client license.
支持的加密算法
- Full NIST Suite B implementation
- 非对称算法: RSA, Diffie-Hellman, ECMQV, DSA, El- Gamal, KCDSA, ECDSA (including NIST, Brainpool & secp256k1 curves), ECDH, Edwards (Ed25519, Ed25519ph)
- 对称算法: AES, AES-GCM, Arcfour, ARIA, Camellia, MD5 HMAC, RIPEMD160 HMAC, SEED, SHA-1 HMAC, SHA-224 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC, Tiger HMAC, 3DES
- 哈希/消息摘要: MD5, SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160, RIPEMD160, SHA-3 (224, 256, 384, 512 bit)
- Elliptic Curve Key Agreement (ECKA) available via Java API and nCore APIs
- Elliptic Curve Integrated Encryption Scheme (ECIES) available via Java API, PKCS#11, and nCore APIs
- TUAK & MILENAGE algorithm support for mutual authentication and key generation (3GPP)
- NIST short-listed post-quantum cryptographic algorithms supported using the nShield Post Quantum SDK with CodeSafe
nShield HSMs offer support for the majority of these cryptographic algorithms as part of the standard feature set. For organizations wishing to use South Korean algorithms, optional activation licenses are needed.
支持的平台
Windows and Linux operating systems including distributions from Red Hat, SUSE, and major cloud service providers running as virtual machines or in containers.
可靠性
使用 Telcordia SR-332 “电子设备可靠性预测程序” MTBF 标准在 25°C 的工作温度下进行计算
- nShield 5c HSM: 107,845 小时
选项和配件
性能评级和选项
To meet the performance needs of your application, Entrust provides a variety of nShield 5c models as shown in the Technical Specifications tab. You can select among the performance models shown, and can also purchase in-field upgrades on nShield 5 HSM models from lower performance models to higher models.
客户端许可证
nShield 5c HSMs ship with three client licenses, each allowing a connection to an IP address. 您还可以购买其他许可证。 The maximum number of client licenses supported varies by nShield 5c model as shown in the table below.
Max # client licenses per nShield 5c Model
- Base: 10 licenses
- Mid: 20 licenses
- High: Unlimited*
注意 * 需要激活企业客户端许可证
软件选项包
Entrust 提供一系列可与 nShield HSM 一起使用的选项包。
nShield Monitor 系统
nShield Monitor 是一个监控平台,可帮助您获得 nShield HSM 运行状态的全天候可见性。 借助该解决方案,安全团队可以高效地检查 HSM 状态,迅速发现可能会危及任务关键型基础设施的任何潜在的安全、配置或使用问题。
远程管理模块
nShield 远程管理支持操作人员从办公地点远程管理分布式 nShield HSM(包括添加应用程序、升级固件、检查运行状态、重新启动等),从而减少差旅时间并节约了成本。 远程管理套件包含设置和使用该工具所需的硬件和软件。
Cloud Disaster Recovery
Increase redundancy and reliability of on-premises deployments.
- Subscription-based service
- Adds off-site HSM resources
- 操作方便、经济高效
CodeSafe
CodeSafe 是一个功能强大且安全的环境,允许您在 nShield HSM 的安全边界内执行应用程序。 应用程序包括与银行、智能计量、身份验证代理、数字签名代理和自定义加密流程相关的加密技术和高价值业务逻辑。 CodeSafe is available with FIPS Level 3 certified nShield HSMs
CipherTools
CipherTools 是一套包含教程、参考文档、示例程序和其他库的工具包。 借助此工具包,开发人员可以充分利用 nShield HSM 的高级集成功能。 除了为标准 API 提供支持外,该工具包还支持您使用 nShield HSM 运行自定义应用程序。 CipherTools 开发人员工具包包含在 Security World 软件的 ISO/DVD 中,免费向您提供。
KCDSA 激活
With the KCDSA activation license, you can use the Korean Certificate-based Digital Signature Algorithm (KCSDA) as well as HAS-160, SEED, and ARIA algorithms on nShield HSMs.
滑轨
Entrust offers optional slide rails that let users mount nShield 5c in a 19" rack without a shelf. 我们建议客户使用我们提供的滑轨,因为其他制造商的零件可能会不兼容。
键盘
Many functions of nShield 5c HSMs can easily be executed using the touch wheel at the front of the unit. 但 Entrust 仍为客户提供了 USB 键盘选项,它可以帮助您获得更好的使用体验。
现场可更换零件
nShield 5c features parts that operators can replace in the field, with minimal downtime. These parts include dual, hot-swap power supplies and field-replaceable fan tray (requires nShield 5c to be put into standby).