Optional features
nShield HSMs support a range of optional features that provide additional functionality which must be enabled before the HSM can perform certain actions and use particular mechanisms.
Some features, such as speed ratings, can be ordered when you purchase a unit and will have been enabled in the factory.
All features can be enabled after purchase by means of a feature certificate that is supplied by Entrust, obtainable from your Entrust account manager. Feature certificates are supplied as a file made available for download or requested as a smart (Activator) card, to be delivered by post.
Persistence of features
Most features are static and remain enabled even if the HSM is initialized.
On a network-attached HSM, client licenses are dynamic and need to be reapplied if the HSM is initialized.
For nShield Connect and Solo HSMs the Feature SEE Activation (Restricted) is a dynamic feature and must be reapplied if the HSM is initialized.
All other features are static.
nShield 5s Features that have been set in the factory will persist if the module is returned to factory state as described in return to factory state. Features that have been set with a feature certificate will be lost if the unit is returned to factory state and must be enabled again by re-applying the certificate when the HSM is returned to service. |
Enabling features
See Enable features on a network-attached HSM and Enable features on PCIe and USB HSMs for help enabling features.
After you have enabled features on a PCIe or USB HSM, you must clear the module to make them available.
Clear the module by running the command nopclearfail --clear --all
, or by pressing the module’s Clear button on pre-nShield 5s models.
If you are enabling the Remote Operator feature, you must enable it on the HSM that is to be used as the unattended HSM. |
For information about Remote Operator, see Remote Operator.
Available optional features
This section lists the features that can be added to the HSM. For details of all available features, contact Sales.
Elliptic Curve
Cryptography based on elliptic curves relies on the mathematics of random elliptic curve elements. It offers better performance for an equivalent key length than either RSA or Diffie-Hellman public key systems. Using RSA or Diffie-Hellman to protect 128-bit AES keys requires a key of at least 3072 bits. The equivalent key size for elliptic curves is only 256 bits. Using a smaller key reduces storage and transmission requirements.
Elliptic curve cryptography is endorsed by the US National Security Agency and NIST (the National Institute of Standards and Technology), and by standardization bodies including ANSI, IEEE and ISO.
nShield modules incorporate hardware that supports elliptic curve operations for ECDH (Elliptic curve Diffie-Hellman) and ECDSA (Elliptic Curve Digital Signature Algorithm) keys.
Elliptic Curve activation
Prior to V13.5 firmware, all nShield HSMs require specific activation to utilize the elliptic curve features. HSMs use an activator smart card to enable this feature. Additionally it is possible to activate the elliptic curve feature without a physical smart card. In this case the certificate details can be provided by email and entered locally.
From firmware V13.5, elliptic curve support is always enabled.
Contact Sales if you require an EC activation.
nShield modules with elliptic curve activation support MQV (Menezes-Qu-Vanstone) modes.
Elliptic Curve support on the nShield product line
The following table details the range of nShield HSMs and the level of elliptic curve support that they offer.
HSM module type | Elliptic Curve support | Elliptic Curve offload acceleration3 | ||
---|---|---|---|---|
Named curves2 |
Custom curves1, 5 |
Named curves2 |
Custom curves1, 5 |
|
nShield Edge |
Yes |
Yes |
No |
No |
nShield Solo 500 and 6000 nShield 500, 1500, and 6000 |
Yes |
Yes |
No |
No |
nShield Solo 500+, 6000+ nShield 6000+ |
Yes |
Yes |
Yes, Prime curves and twisted Brainpool curves are accelerated4. |
Yes |
nShield Solo XC |
Yes |
Yes |
Yes, Prime curves and both twisted and non-twisted Brainpool curves are accelerated4. |
Yes |
nShield 5s |
Yes |
Yes |
Yes, Prime curves and both twisted and non-twisted Brainpool curves are accelerated. |
Yes |
1Accessed via nCore, PKCS#11 and JCE APIs.
2Both Prime and Binary named curves are supported. Refer to Named Curves, below, which lists the most commonly supported elliptic curves.
3Offload acceleration refers to offloading the elliptic curve operation from the main CPU for dedicated EC hardware acceleration.
4Binary curves are supported, but are not hardware offload accelerated.
5Brainpool curves are supported as named curves via nCore, PKCS#11 and JCE only.
nShield software / API support required to use elliptic curve functions
Security World Software for nShield | CodeSafe | |
---|---|---|
Elliptic curve supported / API |
Microsoft CNG, PKCS#11, Java Cryptographic Engine (JCE)1. |
Microsoft CNG, PKCS#11, Java Cryptographic Engine (JCE)1. |
1Java elliptic curve functionality is fully supported by the nShield security provider, nCipherKM. There is also the option to use the Sun/IBM PKCS #11 Provider with nCipherKM configured to use the nShield PKCS#11 library.
PCIe and USB HSMs: To demonstrate the accelerated performance of elliptic signing and verify operations, run the perfcheck utility.
Named Curves
This table lists the supported named curves that are pre-coded in nShield module firmware.
Supported named curves | |||
---|---|---|---|
ANSIB163v1 |
BrainpoolP160r1 |
NISTP192 |
SECP160r1 |
ANSIB191v1 |
BrainpoolP160t1 |
NISTP224 |
SECP256k1 |
BrainpoolP192r1 |
NISTP256 |
||
BrainpoolP192t1 |
NISTP384 |
||
BrainpoolP224r1 |
NISTP521 |
||
BrainpoolP224t1 |
NISTB163 |
||
BrainpoolP256r1 |
NISTB233 |
||
BrainpoolP256t1 |
NISTB283 |
||
BrainpoolP320r1 |
NISTB409 |
||
BrainpoolP320t1 |
NISTB571 |
||
BrainpoolP384r1 |
NISTK163 |
||
BrainpoolP384t1 |
NISTK233 |
||
BrainpoolP512r1 |
NISTK283 |
||
BrainpoolP512t1 |
NISTK409 |
||
NISTK571 |
Custom curves
nShield modules also allow the entry of custom elliptic curves which are not pre-coded in firmware. If the curve is Prime, it may benefit from hardware acceleration if supported by the nShield HSM (see nShield software / API support required to use elliptic curve functions, above).
Custom curves are supported by nCore and PKCS #11 APIs.
Further information on using elliptic curves
For more information on how to use elliptic curves, see the following sections:
-
PKCS #11:
-
Mechanisms supported by PKCS #11: Mechanisms.
-
-
CNG (Windows):
-
Supported algorithms, including key exchange, for CNG: Supported Algorithms.
-
-
Symmetric and asymmetric algorithms: Cryptographic algorithms
-
Using
generatekey
options and parameters to generate ECDH and ECDSA keys: Key generation options and parameters
Java elliptic curve functionality is fully supported by the nShield security provider, nCipherKM. There is also the option to use the Sun/IBM PKCS #11 Provider with nCipherKM configured to use the PKCS #11 library. |
Secure Execution Engine (SEE)
The SEE is a unique secure execution environment. The SEE features available to you are:
nShield 5 HSMs: SEE Activation, CodeSafe 5 |
This feature enables the ability to run signed SEE applications within your HSM. To develop your own SEE applications, you must also purchase the CodeSafe SDK and obtain a CodeSafe developer id certificate from Entrust. For more information about how to develop SEE applications, see the CodeSafe 5 Developer Guide. |
nShield Connect and Solo HSMs: SEE Activation (EU+10) |
This SEE feature is provided with the CodeSafe developer product to enable you to develop and run SEE applications. The CodeSafe developer product is only available to customers in the Community General Export Area (CGEA, also known as EU+10). Contact Entrust to find out whether your country is currently within the CGEA. For more information about the SEE, see the CodeSafe Developer Guide. |
nShield Connect and Solo HSMs: SEE Activation (Restricted) |
This SEE feature is provided with specific products that include an SEE application. This feature enables you to run your specific SEE application and is available to customers in any part of the world. |
Remote Operator support
Many Entrust customers keep critical servers in a physically secure and remote location. The Security World infrastructure, however, often requires the physical presence of an operator to perform tasks such as inserting cards. Remote Operator enables these customers to remotely manage servers running Security World Software using a secure nShield communications protocol over IP networks.
The Remote Operator feature must be enabled on the module installed in the remote server. Remote Operator cannot be enabled remotely on an unattended module.
For more information about using Remote Operator, see Remote Operator.
For v12 and later, Entrust recommends that you use Remote Administration, which is more flexible than the Remote Operator functionality.
ISO smart card Support (ISS)
ISS, also called Foreign Token Open (FTO) allows data to be read to and written from ISO 7816 compliant smart cards in a manner prescribed by ISO7816-4. ISS allows you to develop and deploy a security system that can make full use of ISO 7816 compliant smart cards from any manufacturer.
Korean algorithms
This feature enables the following mechanisms:
-
Korean Certificate-based Digital Signature Algorithm (KCDSA), which is a signature mechanism.
KCDSA is used extensively in Korea as part of compliance with local regulations specified by the Korean government. For more information about the KCDSA, see the nCore API Documentation.
-
SEED, which is a block cipher.
-
ARIA, which is a block cipher.
-
HAS160, which is a hash function.
Fast RNG for ECDSA
Utilise a faster alternative for Random Number Generation (RNG) for Elliptic Curve Digital Signature Algorithm (ECDSA). This feature is applicable only for nShield Solo XC, nShield Connect XC, nShield 5s, and nShield 5c.
The faster performance, comparable with v12.40 performance, is achieved by the RNG part of ECDSA being done on the NXP C291 Crypto Coprocessor.
This implementation of ECDSA uses an RNG that is not within scope for the nShield HSM certifications and for this reason it will not be used when the HSM is in a fips-140-level-3 or common-criteria-cmts Security World (regardless of the feature bit setting).
Ordering additional features
When you have decided that you require a new feature, you can order it from Entrust. Before you call Entrust, collect information about your HSM as follows:
-
Make a note of the Electronic Serial Number:
-
Network-attached HSMs: Go to HSM > HSM information > Display details on the front panel.
-
PCIe and USB HSMs: Run the
enquiry
command.
-
You must provide the ESN number to order a new feature.
-
If possible, make a note of the serial number.
-
Network-attached HSMs: This is the unit serial number and is on the base of the unit.
-
PCIe HSMs: This is on the circuit board of the nShield module.
nShield 5s: You can also get the serial number of the nShield HSM with
hsmadmin info
:dbid : PLEXUS-01 psn : 48-U50071 mfgtime : 2022-02-17 12:14:26 GMT Standard Time
-
The serial number is the psn
in the extract of the printout above.
When your order has been processed, you will receive a Feature Enabling Certificate in one of the following ways:
-
Entrust e-mails you the Feature Enabling Certificate.
-
Entrust sends you a smart card that contains the Feature Enabling Certificate.
The Feature Enabling Certificate contains the information that you need to enable the features you have ordered.
For more information, including pricing of features, telephone or email your nearest Sales representative using the contact details from this guide, or contact Entrust nShield Support, https://nshieldsupport.entrust.com.