Hsm overview – Nortel Networks NN46120-104 User Manual

28

Introducing the ASA 310-FIPS

HSM Overview

The HSM card found on the ASA 310-FIPS model is an SSL accelerator,
just like the ordinary CryptoSwift card found on the regular ASA 410
model. In addition to cryptographic acceleration, the HSM card brings
extra security to sensitive operations and is designed to withstand physical
tampering.

•

The HSM card provides a secure storage area for cryptographic key
information. The storage area is secured by a constantly monitored
tamper detection circuit. If tampering is detected, the battery backup
power to memory circuits on the card is removed. Critical security
parameters, such as private keys that are in the storage area, will then
be destroyed and rendered useless to the intruder.

•

Any sensitive information that is transferred between two HSM cards
within the same ASA 310-FIPS, or between any number of HSM cards
within a cluster of ASA 310-FIPS devices, is encrypted using a shared
secret stored (also known as a wrap key) on the HSM card.

•

Some user operations require a two-phase authentication, which
involves using both hardware tokens (called iKeys) and an associated
password to provide an extra layer of security. For example, if the
ASA 310-FIPS is power cycled (as in the case of theft), no SSL traffic
is processed until the operator logs in to the HSM card using both an
iKey and the correct password.

•

All cryptographic requests, such as generating private keys or
performing encryption, are automatically routed to the HSM card by the
NVG application and performed on the HSM card only.

Nortel VPN Gateway

User Guide

NN46120-104

02.01

Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

.