CKMULTISLOT is an alternate PKCS#11 library working
with Thales (nCipher line) HSM devices. It is specifically designed
to support millions of RSA keys by storing encrypted key blobs in
an external filesystem or database.
The original PKCS#11 implementation by Thales is indeed
suitable for a large number of applications; however, when a company
needs to handle millions of keys, each one protected with a different
PIN, a number of problems arise which prevent the system from working properly.

Careful resource allocation and external database
storage are the two main factors on which CKMULTISLOT hinges to
allow the management of a scalable number of slots/keys, which is not
possible with the original PKCS#11 implementation.

CKMULTISLOT - An alternate PKCS#11 library for Thales HSM devices (pdf file)
1. Anonymous auditing
2. Strong Authentication Services
3. Extending of a system for remote digital signatures
4. Digital Rights Management
5. Database encryption
6. Penetration Test
7. Vulnerability Assessment
8. Installation and setup of network security solutions
Download Intrinsic brochure (pdf file)
Anonymous auditing

Intrinsic designed an auditing system
for a Telco that needs to collect large-scale statistics on users without
violating their privacy. Its main purpose was to operate without knowing
real users' names, which was achieved by replacing user IDs with dummy
labels. In this way the customer can gain knowledge of users' preferences
and deliver a better service focused on their specific needs without knowing
who they are.

This project requires the use of hardware security modules (HSM) that not
only protect the cryptographic keys used for anonymization, but also allow the
execution of arbitrary code inside the device. It is indeed important that
all the operations required to map IDs into labels are carried out inside
the secure perimeter and that no partial results are exposed. Only the final
result is output to the external application that handles the information
coming from the network.

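To illustrate the mapping described above, here is an added example (not Intrinsic's code). It assumes the ID-to-label mapping is a keyed hash (HMAC-SHA256), which the page does not specify, and replaces the HSM with an in-process object that holds the key so that callers only ever receive the final label.

```python
"""Keyed pseudonymization of user IDs for privacy-preserving statistics.

Constructed illustration: the secret key stays inside a stand-in for the
HSM-resident code, and the network-side application only sees labels.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple


class PseudonymizationModule:
    """Stand-in for the code running inside the HSM: holds the key, exposes labels."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # In the real deployment the key never leaves the HSM; here it is
        # kept as a private attribute and never returned by any method.
        self._key = key if key is not None else secrets.token_bytes(32)

    def label(self, user_id: str) -> str:
        # HMAC-SHA256 is deterministic for a given key, so one user always maps
        # to the same label (statistics can be aggregated), while the mapping
        # cannot be inverted or recomputed without the key.
        mac = hmac.new(self._key, user_id.encode("utf-8"), hashlib.sha256).digest()
        return mac[:16].hex()  # truncated to a 128-bit label


def aggregate_by_label(module: PseudonymizationModule,
                       events: Iterable[Tuple[str, str]]) -> Dict[str, Counter]:
    """Count preferences per label; no real user ID appears in the result."""
    stats: Dict[str, Counter] = {}
    for user_id, preference in events:
        stats.setdefault(module.label(user_id), Counter())[preference] += 1
    return stats


# Constructed sample records as they might arrive from the network side.
SAMPLE_EVENTS = [
    ("alice@example.net", "sports"),
    ("bob@example.net", "news"),
    ("alice@example.net", "sports"),
    ("alice@example.net", "music"),
]

if __name__ == "__main__":
    hsm = PseudonymizationModule()
    for lbl, counts in aggregate_by_label(hsm, SAMPLE_EVENTS).items():
        print(lbl, dict(counts))
```

Rotating the key yields an unrelated set of labels, which is how one statistics run can be made unlinkable from another.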
Strong Authentication Services

Deployment of secure access systems
for large customers which require SSL VPN connections supported by a two-factor
authentication mechanism. In this way users outside the company can access
internal services by using a small key token (the size of a lighter) that
allows the central service to recognize who is connecting and which permissions
he/she has.

Compared to traditional password-based systems, this infrastructure
delivers far better security. For each connection, not only the usual
credentials are required, but also the presence of the token: a physical
object that cannot be cloned or bypassed in any way. The user can then be sure
that as long as the token is in his/her possession, no fraudulent access with
his/her credentials can take place.

Extending of a system for remote digital signatures

A communication interface and its logic sublayer for hardware security
modules have been re-engineered in order for the device to handle millions
of keys by using an external database, instead of the internal memory, as
storage for encrypted keys. In this way it has been possible to scale
up the system and deliver digital signature services to a huge number
of users without changing the application interface, and therefore saving
on code maintenance costs.

Digital Rights Management

Design and implementation of short-signature
cryptographic algorithms which can be used for software licensing
and DRM. With the help of hardware dongles it is possible to create anti-duplication
systems which allow software houses to protect their intellectual property
without long and complex procedures. The impact on users is also minimal.

While the dongle prevents application execution when it is not present, the short
signature schemes allow the user to selectively activate program features
with strings of 20-25 characters. These strings are supplied by the software
house for product activation and can easily be written on a CD label or
spoken over a phone line.

Database encryption

Design and analysis of encryption schemes for databases which allow transparent
access to authorized users. One of the most important issues that big
companies face is the protection of their databases, because they often contain
critical business information. However, there is often the need to keep
the applications that access the database untouched, because this not only
saves money but also allows the user to follow known and reliable procedures.
For this reason the DataSecure appliance, along with an analysis of the
context by one of our technicians, is often an excellent solution for protecting
data in a safe and transparent way.

Penetration Test

The service consists in analyzing
the customer's external network perimeter. In particular, a port scan is performed
to detect misconfigured hosts and known vulnerabilities which might be exploited
by intruders to attack the system. In the preliminary phase the customer
can decide whether to also include denial of service and brute force
attacks. Finally, a security report is compiled in which all the vulnerabilities found
are listed, with suggestions on how to overcome the issues. This service
is performed remotely from Intrinsic labs.

Vulnerability Assessment

The service consists in analyzing
the customer's internal network. After understanding the network topology,
a detailed scan of all the internal hosts, along with their operating systems
and potential vulnerabilities, is made. During the process, wireless networks
and the configuration of the security systems are also scrutinized. Once the vulnerability
assessment is completed, a detailed Security Report is compiled with all
the vulnerabilities and issues detected. Also included in the report are
directions on how to modify the configurations to overcome potential problems.

Installation and setup of network security solutions

In each project involving security,
the implementation phase is as critical as the design. Since many products
in the realm of security and networking are very complex, it often happens
that the customer is unable to perform the deployment and configuration
of the system themselves. Intrinsic offers installation and setup services for all
the solutions presented, thanks to its highly skilled technicians who can
cooperate with the customer in order to deploy and fine-tune the system for
optimal performance and security.