IS YOUR CODE SECURE?
Code Signing with Engage HSMs Protects the integrity of your software
Hardware Security Modules
Make your data, applications, and cryptographic keys safe with HSMs
Are the Keys to your "Kingdom" Secure?

BlackVault HSMs excel at Cryptographic Key Generation, Protection and Storage


Are your Digital Certificates at Risk?
Engage Certificate Authority, with integrated HSM, keeps certificates secure




Since Windows Vista (2006), 64-bit editions of Windows have required kernel-mode drivers to be digitally signed before they will load, a response to the ever-increasing threat of malware invading computers. A digital signature lets customers know where their software came from and that it has not been altered since it was signed, giving them confidence that it is from a reputable source. Manufacturers therefore rely on protected cryptographic keys and digital certificates to identify themselves uniquely as the source of their code.

However, keys are often stored insecurely and are at risk of compromise. The leading cause of a breach of a company's signing keys is the keys being left in a vulnerable state, for example:

  • Keys stored on servers in the clear with only password protection (key loggers and other tools can be used to defeat the password);
  • Keys stored in a manner in which they can be misplaced or lost;
  • Encrypted keys stored on servers alongside the information needed to decrypt them, so that a compromise of the server leads to decrypting the key;
  • Private keys used in server or software crypto operations in a way that exposes the unencrypted key in memory during the operation.

 

 

When these weaknesses are exploited and the keys are lost, unscrupulous people can impersonate your company, typically to release signed code that:

  • Turns customers' devices into bots for large-scale DDoS attacks;
  • Collects sensitive user data (passwords, credit card information, etc.);
  • Corrupts or interferes with customers' computers, affecting their functionality.

These and other attacks can have a significant detrimental effect on code developers and their customers, tarnishing brand reputation and impacting the bottom line. Recovery is costly as well: a signature made with a stolen key is indistinguishable from a genuine one, so the certificate has to be revoked, which also affects the legitimate releases that were signed with it.

Cryptographic key best practices dictate that a private key should never exist in clear text outside a protected environment and that, if it must be transferred, it must be encrypted. Key creation, storage, and use should therefore take place in a secure environment, and use should be restricted to authorized personnel, or to a quorum of authorized personnel.

These best practices can be met by introducing a highly secure and reliable Hardware Security Module (HSM), such as the Engage BlackVault HSM, into the key management process. An HSM is a dedicated hardware device in which keys are generated, stored, and used inside a protected cryptographic boundary, so the private key never leaves the device.

Unlike traditional HSMs, the BlackVault HSM has a color touch screen for ease of use, an integrated smart card reader, and secure Ethernet and USB ports. It is also far more resistant to attack than a software-only solution because of its physical and logical barriers, including deleting keys when tampering is detected. Unlike USB and smart card tokens, the BlackVault HSM provides multi-factor and quorum authentication and supports network-attached deployments. Its long battery life also allows easy transport and offline storage in a secure room or safe.

The BlackVault HSM performs all cryptographic operations inside a silicon-based, FIPS 140 Level 3 tamper-reactive boundary, so private keys are never exposed. If an environmental, electrical, or physical breach is detected, the cryptographic keys are deleted ("zeroized"). Before backup, private keys are encrypted, and the key material can be distributed across multiple smart cards for additional security.

The BlackVault HSM's key generation and code signing capabilities are backed by a cryptographic engine that generates all the RSA and Elliptic Curve key types and sizes required for code signing. It can also generate AES keys and compute a variety of hash algorithms (SHA-2, SHA-1, MD5/MD2, etc.). Note that SHA-1, MD5, and MD2 are cryptographically weak and are retained only for verifying legacy signatures; new signatures should use SHA-2. A hardware entropy source seeds the random number generator used in cryptographic operations.

The BlackVault HSM can also prevent code from being signed without approval from designated members of the DevOps team (QA, development, product management, etc.). With the Quorum feature, each signatory is issued a smart card and a PIN. The code cannot be released (signed) until the required number of signatories have authenticated by inserting their smart card into the BlackVault HSM and entering their PIN (multi-factor authentication: something they have and something they know).

The BlackVault HSM signs not only whole executables but also the hash of any file type; that is, a build system can compute the digest locally and submit only the digest for signing. This gives multiple teams working in different development environments a single solution for signing.
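The release flow described in the two paragraphs above (a digest, not the artifact, is handed to the signer, and nothing is signed until an M-of-N quorum has approved), as an added example in Go. This is not code from the page or from Engage Black's software: the HashSigner type is a software stand-in for the appliance so the example runs offline, and the approver names, the 2-of-3 quorum, and the sample artifact are constructed. It also shows the two checks a practitioner would want on the signing side: a digest of any length other than SHA-256 is refused, so a legacy SHA-1 or MD5 digest cannot be signed, and the same approver presented twice does not make a quorum.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HashSigner models the signing appliance: the private key exists only inside it, callers hand it a
// digest rather than the artifact, and it refuses to sign unless the quorum policy is satisfied.
// The approvals list is an illustrative model of M-of-N approval; the appliance enforces it with smart cards and PINs.
type HashSigner struct {
	key       *ecdsa.PrivateKey
	approvers map[string]bool // the N registered approvers (assumed names)
	required  int             // M distinct approvals needed per signature
}

// NewHashSigner generates the signing key inside the signer; nothing but the public key is ever handed out.
func NewHashSigner(approvers []string, required int) (*HashSigner, error) {
	if required < 1 || required > len(approvers) {
		return nil, errors.New("quorum must be between 1 and the number of approvers")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &HashSigner{key: key, approvers: map[string]bool{}, required: required}
	for _, a := range approvers {
		s.approvers[a] = true
	}
	return s, nil
}

// PublicKey is the only key material that leaves the signer; it is what ships in the code-signing certificate.
func (s *HashSigner) PublicKey() *ecdsa.PublicKey { return &s.key.PublicKey }

// SignDigest signs a SHA-256 digest supplied by the build host. It rejects digests of any other length,
// so a legacy SHA-1 or MD5 digest cannot be signed, and it enforces M distinct registered approvals.
func (s *HashSigner) SignDigest(digest []byte, approvals []string) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, fmt.Errorf("digest must be SHA-256 (%d bytes), got %d", sha256.Size, len(digest))
	}
	seen := map[string]bool{}
	for _, a := range approvals {
		if !s.approvers[a] {
			return nil, fmt.Errorf("unknown approver %q", a)
		}
		seen[a] = true // the same card presented twice still counts once
	}
	if len(seen) < s.required {
		return nil, fmt.Errorf("quorum not met: %d of %d required approvals", len(seen), s.required)
	}
	return ecdsa.SignASN1(rand.Reader, s.key, digest)
}

// Digest is computed on the build host; the artifact itself never has to leave the build system.
func Digest(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// Verify is what the customer's loader or installer does: recompute the digest and check the signature.
func Verify(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, Digest(artifact), sig)
}

// Demo runs the release flow on a constructed artifact and reports the three outcomes to expect:
// a valid release verifies, a tampered copy does not, and a release without quorum is never signed.
func Demo() (valid, tamperedValid bool, quorumErr error, err error) {
	signer, err := NewHashSigner([]string{"qa", "dev", "pm"}, 2) // 2 of 3 approvers
	if err != nil {
		return
	}
	artifact := []byte("MZ... constructed stand-in for a driver image ...") // constructed sample input
	sig, err := signer.SignDigest(Digest(artifact), []string{"qa", "pm"})
	if err != nil {
		return
	}
	valid = Verify(signer.PublicKey(), artifact, sig)
	tampered := append([]byte{}, artifact...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the release
	tamperedValid = Verify(signer.PublicKey(), tampered, sig)
	_, quorumErr = signer.SignDigest(Digest(artifact), []string{"qa", "qa"}) // one approver, presented twice
	return
}

func main() {
	valid, tamperedValid, quorumErr, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("release verifies:", valid)               // true
	fmt.Println("tampered copy verifies:", tamperedValid) // false
	fmt.Println("single approver:", quorumErr)            // quorum not met: 1 of 2 required approvals
}
```

The digest-length check is the cheapest way to pin the hash algorithm on the signing side; with a real appliance the same policy should be enforced by the device, not by the build script that calls it, because the build host is exactly the machine the key is being kept away from.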

 

Using the BlackVault to digitally sign drivers ensures:

  • Private signing keys are protected, following best practices, by FIPS 140 Level 3 certified technology;
  • Crypto operations with the private key are performed inside a FIPS 140 Level 3 silicon cryptographic boundary;
  • Code signing and other sensitive operations require "M of N" quorum approval;
  • Keys can be securely backed up to a flash drive or to a BlackVault clone;
  • The risk of key theft or loss is greatly reduced;
  • HSM authentication cannot be compromised by intermediary software or devices, because the BlackVault's multi-factor authentication takes place over a single trusted path on the device itself (its own smart card reader and touch screen).


Certificate Management Solution That...
    Is integrated into a purpose-built CA appliance
    Automates certificate enrollment and renewal
    Supports advanced Suite B cryptographic algorithms
    Encrypts transport using TLS
    Is accessible via a RESTful API


EST Overview

The BlackVault CA has integrated Enrollment over Secure Transport (EST), a protocol defined by the IETF in RFC 7030. EST was created as a successor to SCEP and provides certificate provisioning that is more robust than SCEP, enabling efficient and agile use of certificates across a wide range of uses such as IoT, embedded systems, and networking equipment.

EST lets networked end-entity devices have X.509 certificates provisioned securely. Certificates travel over TLS (RFC 7030 mandates support for TLS 1.1 or later; TLS 1.1 has since been deprecated by RFC 8996, so deployments should negotiate TLS 1.2 or later), and the client authenticates in one of two ways: HTTP Basic authentication against existing users on the CA, or certificate-based authentication (TLS client authentication) using a previously provisioned certificate.

The key advantages of EST are its support for elliptic curve cryptography and its use of TLS to protect certificates in transit. The BlackVault CA runs an EST server, a straightforward, functional certificate management endpoint that provides client certificates and the associated CA certificates to any PKI client that needs them.

ECC is critical to IoT because the limited processor speed and memory of IoT devices make RSA-sized keys and operations expensive. ECC, coupled with secure enrollment and re-enrollment through EST, is a combination that anyone creating IoT devices should consider.
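The EST simpleenroll exchange described in this section, as an added example in Go that is not part of the page or of Engage Black's software. Both halves are shown: a mock CA standing in for the BlackVault CA's EST endpoint (the "Mock EST CA" name, the user name and password, and the device name are constructed) and a client that generates a P-256 key, submits a PKCS#10 request and validates what comes back. It uses only the Go standard library; because the standard library has no PKCS#7 package, the degenerate "certs-only" SignedData that RFC 7030 uses to return the certificate is built and parsed by hand with encoding/asn1. The URL path is the well-known one from RFC 7030; how the BlackVault CA is configured for users or client certificates is not described on the page and is not assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

const estUser, estPass = "device-0001", "enrollment-secret" // constructed credentials for the mock CA
// RFC 7030 returns the issued certificate as a degenerate PKCS#7 SignedData ("certs-only"); built and parsed here with encoding/asn1.
var oidSignedData, oidData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}, asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
type encapContent struct{ ContentType asn1.ObjectIdentifier }
type signedData struct {
	Version          int
	DigestAlgorithms []asn1.RawValue `asn1:"set"`
	Content          encapContent
	Certificates     []asn1.RawValue `asn1:"optional,tag:0,set"`
	SignerInfos      []asn1.RawValue `asn1:"set"`
}
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     signedData `asn1:"explicit,tag:0"`
}

func certsOnlyPKCS7(certDER []byte) ([]byte, error) {
	return asn1.Marshal(contentInfo{ContentType: oidSignedData, Content: signedData{Version: 1,
		Content: encapContent{oidData}, Certificates: []asn1.RawValue{{FullBytes: certDER}}}})
}
func parseCertsOnlyPKCS7(der []byte) (*x509.Certificate, error) {
	var ci contentInfo
	if rest, err := asn1.Unmarshal(der, &ci); err != nil || len(rest) != 0 || !ci.ContentType.Equal(oidSignedData) || len(ci.Content.Certificates) != 1 {
		return nil, fmt.Errorf("not a certs-only PKCS#7 carrying exactly one certificate")
	}
	return x509.ParseCertificate(ci.Content.Certificates[0].FullBytes)
}

// StartMockEST runs an in-memory CA behind HTTPS and serves /.well-known/est/simpleenroll (the server half of the exchange).
func StartMockEST() (*httptest.Server, *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Mock EST CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/est/simpleenroll", func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth() // Basic credentials are only acceptable inside TLS (RFC 7030 section 3.2.3)
		if r.TLS == nil || !ok || u != estUser || p != estPass { http.Error(w, "unauthorized", http.StatusUnauthorized); return }
		csrDER, err := io.ReadAll(base64.NewDecoder(base64.StdEncoding, r.Body))
		csr, perr := x509.ParseCertificateRequest(csrDER) // its self-signature is the proof of possession of the device key
		if r.Method != http.MethodPost || r.Header.Get("Content-Type") != "application/pkcs10" || err != nil || perr != nil || csr.CheckSignature() != nil {
			http.Error(w, "expected a valid base64 PKCS#10 request", http.StatusBadRequest)
			return
		}
		serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
		tmpl := &x509.Certificate{SerialNumber: serial, Subject: csr.Subject, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, // subject from the CSR
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
		p7, perr := certsOnlyPKCS7(der)
		if err != nil || perr != nil { http.Error(w, "issuance failed", http.StatusInternalServerError); return }
		w.Header().Set("Content-Type", "application/pkcs7-mime; smime-type=certs-only")
		io.WriteString(w, base64.StdEncoding.EncodeToString(p7))
	})
	return httptest.NewTLSServer(mux), ca
}

// SimpleEnroll is the client half: generate an EC key, POST a CSR, parse the certs-only reply and confirm it carries our key.
func SimpleEnroll(client *http.Client, baseURL, user, pass, cn string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	req, _ := http.NewRequest(http.MethodPost, baseURL+"/.well-known/est/simpleenroll", strings.NewReader(base64.StdEncoding.EncodeToString(csrDER)))
	req.Header.Set("Content-Type", "application/pkcs10")
	req.SetBasicAuth(user, pass)
	resp, err := client.Do(req)
	if err != nil { return nil, nil, err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return nil, nil, fmt.Errorf("enrollment refused: %s", resp.Status) }
	p7, _ := io.ReadAll(base64.NewDecoder(base64.StdEncoding, resp.Body)) // garbage here fails in the ASN.1 parse below
	cert, err := parseCertsOnlyPKCS7(p7)
	if err != nil || !key.PublicKey.Equal(cert.PublicKey) { return nil, nil, fmt.Errorf("issued certificate unusable: %v", err) } // not our key: substituted identity
	return key, cert, nil
}

func main() {
	srv, ca := StartMockEST()
	defer srv.Close()
	_, cert, err := SimpleEnroll(srv.Client(), srv.URL, estUser, estPass, "device-0001")
	if err != nil { fmt.Println("error:", err); return }
	fmt.Printf("enrolled %q, issued by %q\n", cert.Subject.CommonName, ca.Subject.CommonName)
}
```

Three checks carry the security of the exchange: the server refuses Basic credentials on a plaintext connection, it verifies the CSR's self-signature before issuing (without that proof of possession a requester can obtain a certificate naming someone else's key), and the client refuses a certificate that does not carry the key it generated. Re-enrollment over /simplereenroll follows the same pattern, with the client authenticating with its existing certificate instead of a password.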

RESTful API

To make the BlackVault CA EST server as easy to use as possible, a Representational State Transfer (REST) API for automating and simplifying secure client key enrollment and renewal is integrated into its core functionality. Through the RESTful API you can enroll and renew certificates programmatically from any programming language, letting you automate the process, reduce time and cost, and take advantage of economies of scale.

Built on HTTP, REST is an efficient, lightweight, high-performance interface that can be accessed by any device over low-bandwidth links, and it is a faster, simpler alternative to SOAP and WSDL. REST exposes resources through a consistent, uniform interface and requires no expensive tooling, so the interface can be driven from any tool in any programming language.

BlackVault CA

With this standalone platform, manage certificates without the complexity of installing and operating general-purpose operating systems and HSMs

  • Boots up as a CA application
  • Off-line and On-line operations supported
  • Supports root, subordinate, RA deployments
  • Crypto functions protected in FIPS Level 3 HSM
  • Multi-factor authentication and quorum


 

BlackVault HSM

Enhance the security of a certificate authority (CA) and public key infrastructure (PKI) by integrating this easy to use and highly secure HSM platform into your certification authority environment

  • Supports all major crypto APIs
  • Easily integrates with CA environments
  • Multi-factor authentication and quorum
  • Compact and portable, long battery life
  • Intuitive touch screen interface simplifies use


 

 


 

 

 

Engage Black News

  • BlackVault HSM Safeguards Consumer Appliance and IoT Device Identities
  • BlackVault Certificate Authority Adds Support for New Standard
  • BlackVault CYNR Revolutionizes Secure Code and App Signing
  • Engage Black Introduces BlackVault CA Security Appliance
  • Engage Black Introduces BlackVault CYNR, Code and Document Signing Appliance

 

 


Engage Black
9565 Soquel Drive,
Aptos, CA 95003
Telephone: +1-831-688-1021
Toll Free: +1-877-ENGAGE4
Designed, Fabricated, and Assembled in America
Supported Worldwide