LYNKS Series II Hardware Security Modules

The LYNKS Series II Hardware Security Module (HSM) offers a high-security solution for client, server and embedded security applications. The LYNKS Series II HSM, with upgraded flash memory and FPGA capabilities, supports new, stronger and faster cryptographic algorithms, including elliptic curve cryptography with EC-DH and ECMQV key establishment, AES, and the SHA-2 algorithms that exceed the U.S. Government's Suite B standard. Available in either PCMCIA or stackable USB models, the new LYNKS Series II HSM provides the strongest and most economical future-proof protection for sensitive data.

The LYNKS Series II HSM provides security-critical capabilities for PKI-based identity management, data security, data integrity, and nonrepudiation. With SPYRUS En-Sign™ security device management software, the LYNKS HSM provides support for standard cryptographic application interfaces such as the Microsoft® Windows® Cryptographic API and the PKCS #11 interface. Custom application integration is enabled through the SPYRUS developer toolkits.

The LYNKS Series II HSM incorporates the latest cryptographic algorithms. SPYRUS received the first patent license for elliptic curve cryptography issued by the National Security Agency (NSA) under the terms of the NSA Field of Use patent license. The license covers 26 individual U.S., Canadian, and European patents and patent applications. The Field of Use includes elliptic curve cryptography in the prime field GF(p), using 256-bit or longer keys in implementations that are FIPS 140-2 compliant, among other requirements. Typical applications are those that involve federal, state, and local governments, including interoperation with foreign governments.


LYNKS USB HSM

LYNKS PCMCIA HSM
The LYNKS Series II HSM cryptographic support includes elliptic curve cryptography (ECC) using the highest-strength P-256, P-384, and P-521 curves. P-521 keys are equivalent to a 15,360-bit RSA key in strength, but ECC operations are much faster than RSA. The ECDSA digital signature standard and the ECMQV and EC Diffie-Hellman key establishment schemes are supported in accordance with NIST SP 800-56A Key Establishment guidelines. The LYNKS Series II HSM also supports AES-128/192/256 symmetric key algorithms and SHA-224/256/384/512 hash functions, as well as RSA-1024/2048/4096 and triple-DES. RSA key generation complies with the stringent X9.31 specification.

SPYRUS is the first company under this license to incorporate this patented technology in all of its hardware and software products.

Features and Benefits
  • Tamper-Proof Security

    The LYNKS HSM features either an ultrasonically welded or an overmolded case for tamper evidence.

  • Future-Proof Design

    The LYNKS Series II HSM is designed to be extensible and future-proof. High-speed FPGAs maximize performance, and custom algorithms and/or features, potentially including classified algorithms, can be added through a trusted firmware update process.
Applications
  • Certificate and Registration Authorities

    The LYNKS CA HSM provides secure off-line storage of a Root Certificate Authority private key, including Microsoft Windows Certificate Services in Windows 2000 and Windows Server 2003 Enterprise Edition. The LYNKS CA HSM uses the unique master key stored in the cryptographic engine to encrypt private data and private keys, making attacks almost impossible.

    The LYNKS RA HSM fully supports the SPYRUS Signal Identity Manager™, which complements the Windows Server 2003 Certificate Services by adding Registration Authority (RA) support, secure key generation, HSM-based key archiving and recovery, token management and auditing capabilities.

  • Secure Document Retention

    High-strength encryption and digital signatures for technical nonrepudiation.

  • Electronic Notary

    Digitally sign legal documents, including forensic evidence.

  • Code Signing

    For executable code and macros. Compatible with Windows .NET Security Framework.

  • Secure Master Key Storage

    Supports applications that use software encryption for high-speed file encryption and streaming media, while still maintaining the master keys in a secure HSM. This can protect against the theft or surreptitious cloning of a server file system, including backup or archived files. In this way, SSL private keys and secure disk encryption applications can also be protected.

  • Trusted, Auditable Time Stamp (custom option)

    Documents and transactions can be securely timestamped using the on-board time-of-epoch clock and a trusted timestamp key used only for this purpose. The time-of-epoch clock within the cryptographic enclosure can never be altered, but it allows calibration against primary standards, with the digitally signed results recorded for a precise, auditable UTC time.
Specifications

Cryptographic Algorithms
  • ECDSA 256, 384, 521 key generation, sign and verify operations
  • ECMQV 256, 384, 521 key establishment methods
  • EC Diffie-Hellman 256, 384, 521 key establishment methods
  • RSA 1024/2048/4096 X9.31 key generation; 512/1024/2048 sign and decrypt
  • SHA-1 and SHA-224/256/384/512 hash algorithms
  • AES-128/192/256 ECB, CBC, Counter mode, and AES key wrap
  • DES, two- and three-key triple-DES with ECB, CBC
  • DSA 1024
  • KEA key exchange: 1024-bit exchanges with 80-bit SKIPJACK keys
  • SKIPJACK 80-bit key
Interfaces
  • PCMCIA 2.1 Compliant
  • USB 1.1 Compliant & USB 2.0 Compatible
Security Certifications
  • Designed for FIPS 140-2 Level 3 validation
Electrical
  • Operating voltage: Vcc = 5VDC ± 5%
  • Power consumption: <1 W average
  • Lithium battery
Environmental
  • Operating temperature: 0°C to 55°C
  • Storage temperature: -20°C to 65°C
  • Humidity: 90%, non-condensing
  • PCMCIA 2.1 specifications for vibration, shock, bending, torque & drop
Standards Compliance
  • Microsoft WHQL certified drivers
  • Microsoft CryptoAPI, PKCS #11 Interoperability
  • FIPS PUB 186 Digital Signature Standard, FIPS PUB 185 SKIPJACK, FIPS PUB 180-2 Secure Hash Algorithm, FIPS PUB 46 DES Standard, FIPS PUB 197 AES standard
  • FCC part 15, subpart J, class B certified

Model Numbers

Product Name: LYNKS Series II HSM
Model Number:
  • PC600 – PCMCIA Interface
  • PC800 – USB Interface
  • RES416C – LYNKS CA HSM (PCMCIA)
  • RES417C – LYNKS CA HSM (USB)
  • RES416R – LYNKS RA HSM (PCMCIA)
  • RES417R – LYNKS RA HSM (USB)

*Note: The LYNKS CA and RA HSMs can support multi-party key generation, secure key generation, and secure key archiving. The LYNKS CA and RA HSMs include Rosetta CSI software.



© 2009 SPYRUS, Inc.