REALSEC presents the new public key suite, Cryptosec OpenKey
REALSEC, a company that develops encryption, digital signature, PKI and timestamp solutions for Banking and Payment Methods, Government and Defense, and the Business sector, presents its new high-performance public key infrastructure, Cryptosec OpenKey.
The Cryptosec OpenKey product suite gives any entity an easy, fast and secure way to create a public key infrastructure following the existing model. It covers the digital signature lifecycle from creation to termination and offers a complete service to end applications that use this technology: certificate status inquiries and timestamps for documents and/or operations, such as digital signatures.
The Cryptosec OpenKey suite comprises the following products: Cryptosec CA (Certification Authority), Cryptosec RA (Registration Authority), Cryptosec VA (Validation Authority) and Cryptosec TSA (Timestamp Authority). All of them are hardware appliances that contain a cryptographic engine and secure key storage, referred to as HSM Cryptosec PCI, whose FIPS 140-2 Level 3 and Common Criteria EAL 4+ international certifications are shared by all the solutions that make up this product suite. The suite also includes a middleware component, Cryptosec OpenKey Connector, to integrate different applications with it.
The certification authority, Cryptosec CA, is an appliance composed of cryptographic hardware whose function is the creation of digital certificates within a completely reliable public key infrastructure (PKI). Configuration is done through a user-friendly interface via HTTPS that requires an operator certificate. After the Cryptosec CA device is configured as a root CA or subordinate CA, access is given to a menu in which the certification authority is created, and it is then possible to configure the system. This connection is authenticated and 100% secure. Both the custody of the certification authority keys and the signing of certificate requests and of the certificate revocation list (CRL) take place in the HSM integrated in the Cryptosec CA appliance. This, in addition to ensuring key protection, speeds up the generation process.
The Cryptosec RA registration authority is intended to register the certification requests received from end users. Users connect through a Web interface protected by HTTPS and submit their certification requests, which are stored in the registration authority so that an operator can verify them before they are sent to the CA. This action is protected and authenticated, and once the registration authority receives the certificate, it is sent to the end user. Cryptosec RA can be set up through a secure HTTPS Web interface where different certification and registration policies can be configured. The certificates and CRLs can be published periodically in different systems.
The function of the Cryptosec VA appliance is that of a validation authority: it generates responses to client requests regarding the revocation status of a specific certificate. It is configured, as with all the products in the suite, through a Web interface that is protected by HTTPS. It holds a digital certificate whose keys reside in the protected cryptographic hardware housed in its interior, and the system is prepared to respond to requests on the revocation status of certificates. The certificate revocation information is retrieved from the database created by the Cryptosec CA system, or from the certificate revocation lists which this system publishes. It is also able to reply to requests for the revocation status of certificates issued by different CAs.
For Cryptosec VA, as well as for the other products in the Cryptosec OpenKey product suite, there is a service that allows you to synchronize the clock via the NTP protocol.
Finally, the job of the Cryptosec TSA timestamp authority is the production of timestamps that certify, securely and quickly, the exact time when an action was taken. Configuration is done through an interface via HTTPS, and its function, among others, is to generate an asymmetric key in the integrated HSM in order to subsequently provide the system with a digital certificate and establish the values with which the timestamps will be generated. In addition, the system's own clock is synchronized with an external source via the NTP protocol, although any synchronization device (GPS, cesium clock, etc.) can be adapted according to client needs. Clients access the Cryptosec TSA authority via HTTP, following the RFC 3161 standard, and the generated timestamp is returned by the same medium. Timestamps are signed in the HSM embedded in the Cryptosec TSA.
Cryptosec TSA allows for a high-availability or load-balancing configuration by introducing an undetermined number of elements into the system, the requirement being an external HTTP load balancer.
In the four products that make up the Cryptosec OpenKey suite, both the configuration and all of the data generated are stored either in an internal database or outside of the device.
Source: Hay Canal