TRIDENT HSM
first and only Secure Multi-party Computation capable HSM
[email protected] www.i4p.com
TRIDENT
MULTI-PARTY CRYPTO MODULE
LONG STORY SHORT
i4p’s TRIDENT HSM is the first physical Hardware Security Module on the market designed to apply Secure Multi-party Computation (SMPC) to cryptographic key management. It can generate and use key pairs in a revolutionary distributed manner. When configured in the most secure SMPC cluster mode, the secret key never exists as a whole on any device, not at the moment of generation, not in storage and not during computation. Every device in the cluster merely stores one part of the key. When configured for the faster (so-called trusted dealer) method, one of the devices generates the key, splits it and then securely distributes the key parts to the other devices in the cluster before irrevocably erasing the whole key.

The signing or decrypting functions are executed separately on all devices or, depending on how the cluster is configured, on n-out-of-k devices, as each participating device uses only the part of the key that it is entrusted to store and protect. The end result of this unique procedure is nevertheless a standard ECC or RSA signing or decrypting operation, guaranteeing full compatibility with existing cryptographic services.
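As an added illustration (not i4p's code and not a description of TRIDENT's actual protocol), the following Python models the trusted-dealer flow described above for RSA: a dealer splits the private exponent into additive shares, every device signs with only its share, and the product of the partial results is a standard RSA signature that verifies with the public key. It assumes an all-of-k additive split (the n-out-of-k case is not covered) and uses constructed toy primes.

```python
# Added illustration (not i4p's code): trusted-dealer style additive splitting of an RSA
# private exponent across k devices and all-of-k partial signing. The combined result is an
# ordinary RSA signature, yet no device holds the whole exponent d after the split.
# Key material is a constructed toy (two small primes), not a real key.
import hashlib
import secrets

P, Q = 1000000007, 998244353             # constructed toy primes; real keys use 2048+ bit moduli
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)                       # whole private exponent, known only to the dealer

def dealer_split(d: int, phi: int, k: int) -> list[int]:
    """Split d into k additive shares with sum(shares) == d (mod phi); the dealer erases d afterwards."""
    shares = [secrets.randbelow(phi) for _ in range(k - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares

def message_representative(msg: bytes, n: int) -> int:
    """Toy encoding of the message as an integer below n (real systems use PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def partial_sign(m: int, share: int, n: int) -> int:
    """Runs on one cluster device and touches only that device's share."""
    return pow(m, share, n)

def combine(partials: list[int], n: int) -> int:
    """Multiply partial signatures: m^(d1 + ... + dk) == m^d (mod n)."""
    sig = 1
    for s in partials:
        sig = sig * s % n
    return sig

def verify(msg: bytes, sig: int, e: int, n: int) -> bool:
    """Standard RSA verification using the public key only."""
    return pow(sig, e, n) == message_representative(msg, n)

def threshold_sign(msg: bytes, k: int = 3) -> tuple[int, bool, bool]:
    """Return (signature, combined signature verifies, any single partial verifies)."""
    shares = dealer_split(D, PHI, k)
    m = message_representative(msg, N)
    partials = [partial_sign(m, s, N) for s in shares]
    sig = combine(partials, N)
    return sig, verify(msg, sig, E, N), any(verify(msg, p, E, N) for p in partials)
```

The third return value shows that no single device's partial result is a valid signature on its own, which is the property the cluster mode relies on.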
+36 1 700 1200 [email protected] www.i4p.com

HIGH AVAILABILITY ARCHITECTURE
Due to its distributed architecture, the TRIDENT HSM can meet even the most demanding availability and load balance requirements. When deployed in remote data centers, if necessary on different continents, it is as disaster-proof as an IT service can be, while still maintaining high signing speeds. Any of the clustered devices is independently capable of communicating with the outside world, guaranteeing high availability and optimal load balance.

EASY INTEGRATION
i4p’s TRIDENT HSM integrates seamlessly into existing TCP/IP network infrastructures and smoothly communicates with other network devices. The HSM crypto functionality can be utilized using the industry standard PKCS#11 library, OpenSSL, Java Cryptography Extension (JCE), Microsoft Windows Cryptographic Service Provider (CSP and CNG) or i4p’s proprietary CMAPI interface. It can also communicate directly with security access modules (e.g. MIFARE SAM AV2) to enable quick and secure integration into ticketing ecosystems.

MULTI-FACTOR AUTHENTICATION
TRIDENT HSM enables both local and remote users and administrators to use multi-factor authentication to access the HSM (and we recommend that they should). Besides passwords, the Time-based One-Time Password (TOTP) mechanism according to RFC 6238 can be enabled for any administrators and users. The necessary TOTP codes can be generated using any standard application, such as Google Authenticator running on a smartphone.

CRYPTOGRAPHIC APIs
§ PKCS#11*
§ OpenSSL**
§ Microsoft CSP/CNG-KSP
§ Apple CTK
§ JCA/JCE Cryptographic Framework
§ CMAPI (C++/Java, proprietary)

PHYSICAL INTERFACES
§ Triple gigabit Ethernet port
§ Dual USB port
§ VGA display port
§ Tamper detection I/O

CERTIFICATIONS
§ CC EAL4+
§ eIDAS listing

CRYPTOGRAPHY
§ Multi-party asymmetric algorithms: RSA, ECC
§ Non-distributed asymmetric algorithms: RSA, ECC
§ Multi-party symmetric algorithms: AES
§ Other non-distributed algorithms: AES, ARIA, Ascon, SHA256, SHA384, SHA512, Balloon, SHAKE, TDES, DES, SHA1, HMAC, CMAC etc.
§ Post-Quantum algorithms: SPHINCS+, Kyber, NTRU, XMSS
§ Encryption/decryption scheme: PKCS#1, ECIES
§ SAM key management: MIFARE*** SAM AV2

PHYSICAL CHARACTERISTICS
§ Format: Standard 1.5U 19” rack mount chassis
§ Dimensions: 19” x 21” x 2.58” (482.6mm x 533.4mm x 65.7mm)
§ Weight: 19lb (8.5kg)
§ Input Voltage: 24V DC (PSU 100–240V, 50–60Hz)
§ Power Consumption: 120W maximum, 50W typical
PROTECTED ENVIRONMENT
Every TRIDENT HSM comes equipped with an integrated Tamper Detection Module (TDM) with multiple sensors that constantly monitor the environment even when the device is not powered. The sensitivity of the TDM sensors can be configured to fit unique operating environments. Also, the TRIDENT HSM allows for unlimited local client applications (LCAs) to be installed into its protected environment. LCAs run in secure containers to ensure that they are isolated from other LCAs as well as from the HSM core. LCAs are created using the industry standard Linux Container Framework.

* PKCS #11 Cryptographic Token Interface Profiles, an OASIS Standard
** OpenSSL is a registered trademark owned by OpenSSL Software Foundation
*** MIFARE is a registered trademark of NXP B.V.
EIDAS COMPATIBILITY
The TRIDENT HSM has successfully attained its certification as a Qualified Signature and Seal Creation Device (QSCD) under EU Regulation 910/2014 on Electronic Identification and Trust Services (eIDAS). Thus, it enables Trust Providers to offer both Qualified and non-Qualified services, whether to generate, validate and preserve electronic signatures and seals and digital certificates, or to satisfy the requirements of PSD2 (Open Banking), GDPR (Data Protection) and other current or future directives. All of this with an unparalleled high level of security.

COMMON CRITERIA CERTIFIED
The TRIDENT HSM has successfully attained Common Criteria EAL4+ certification (Evaluation Assurance Level EAL 4 augmented by AVA_VAN.5 and ALC_FLR.3, based on ISO/IEC 18045:2008), both under the Protection Profile for Cryptographic Module for Trust Services (EN 419221-5) and under the Protection Profile for QSCD for Server Signing (EN 419241-2), with strict conformance.
v3.1.3.2024a