Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 1
Hardening BIND using DNSSEC with HSMs
Viktor Wiebe
21st March 2019
Agenda
▪ What is an HSM
▪ BIND
▪ DNSSEC
▪ Live Demo
  ▪ Initialize a PKCS#11 Slot
  ▪ Generate Keypair in HSM
  ▪ Generate Keypair referencing a Key in the HSM
  ▪ Sign a Zonefile
We keep your cryptographic keys safe.
What is an HSM?
An HSM is a
Hardware Security Module.
A device to generate,
store and manage
cryptographic keys safely.
An HSM is like a safe
deep inside your network…
… that stores the key
to unlock your data.
Your data is encrypted
when you don’t need it.
When you need access,
the key unlocks the encryption
and your data is usable.
The key and sensitive data
never leave the safe
so they are always secure!
All done?
End your session
and your data gets locked up.
The weak link?
Your security is only as good
as your key’s hiding place.
▪ Secure Memory device to store vital data objects - Cryptographic Private/Secret Keys
▪ Hardware designed to detect attack and respond by deleting keys
▪ Dedicated hardware provides highly specialized Cryptographic processing engine
▪ FIPS 140-2 Level 3/4, CC
▪ Hardware device (as opposed to software service) enforces Separation of Duties away from Admin/System/Ops/IT personnel to dedicated Security team
Why are they used?
▪ HSMs provide secure storage and a highly specialized processing environment for keys
▪ HSMs can hold 1000s of keys and secure many applications on many servers
▪ HSMs often hold “Master Keys” that secure an unlimited number of externally held keys
▪ User Application keys never “in clear” in HSM memory – secured by hierarchy of keys
▪ Regulations over holding of data often now mandate security (e.g. PCI DSS, GDPR)
▪ HSMs provide:
  ▪ Increased Security
  ▪ Dedicated Cryptographic Engine
  ▪ Compliance with Security Regulations
How do they work?
▪ Provides security around keys – “innermost layer of an onion” (physical access, MofN, hierarchy of keys, attack detection)
▪ HSMs perform functions for applications:
  ▪ Key generation, encryption and decryption, signing, hashing…
▪ Application Server sends instruction to HSM to process data using specific key that never leaves HSM (apart from backup/clustering)
▪ Application integrated with HSM via client API running on server – crypto function calls/instructions forwarded by client to HSM for execution
▪ 3 main Crypto APIs – libraries of functions for programming language used by application:
  ▪ PKCS#11 (C), Microsoft (CSP/CNG), Java/JCE
Who buys them?
▪ Governments – National, Local, Regional orgs (EU, NATO)
▪ Banks and Financial Institutions (Stock Exchanges, Payments Processors)
▪ Utilities (Electricity, Telcos, ISPs)
▪ Transportation (Airlines)
▪ Healthcare (Hospitals)
▪ Education (Universities)
▪ Retail (Physical Stores and Online)
▪ Manufacturing (Automotive, Pharmaceutical, Oil/Mining)
▪ Official Agencies (Police)
▪ CAs (PKI – Trusted Root and Corporate)
▪ Internet/technology-related industries
▪ Gaming Industry
▪ And others …
What applications are they used for?
▪ PKI
▪ Webservers - SSL
▪ DNSSEC
▪ Time Stamping
▪ Document Signing
▪ Database encryption
▪ Code Signing
▪ ePassports
▪ ID Cards
▪ Manufacturing
▪ Smart Meters
▪ SIM Cards
▪ Bitcoin mining
▪ And many more…
BIND.
▪ BIND is by far the most popular and widely used DNS software on the Internet. It provides a robust and stable platform on top of which organizations can build distributed computing systems with the knowledge that those systems are fully compliant with published DNS standards.
▪ BIND supports the full DNSSEC standard.
▪ BIND 9.14rc3
DNSSEC.
What is DNSSEC
▪ DNSSEC is a suite of Internet Engineering Task Force (IETF)
▪ A set of extensions to DNS which provide to DNS clients (resolvers)
  ▪ origin authentication of DNS data
  ▪ authenticated denial of existence
  ▪ data integrity
  ▪ but not availability or confidentiality.
DNSSEC and HSM
What role does an HSM play in DNSSEC
▪ It is imperative that private DNSSEC signing keys are kept secure.
▪ The public key can be made widely available.
▪ If the private key is compromised, a rogue DNS server can masquerade as the real authoritative server for a signed zone.
▪ HSMs secure the DNS server
  ▪ Generation of keys
  ▪ Storing of the private key
  ▪ Signing of zones is performed on a DNS server that is physically secure and whose access is restricted to essential personnel only.
Chain of Trust
[Figure: DNS resolution of www.example.com. Labels: End User, Local DNS Server, ISP DNS Server, Root DNS Server, Top Level Domains (.com, .org and .net DNS Servers), DNS Server for example.com (1.2.3.4). Messages: “What IP address is www.example.com?”, “I don’t know, let me ask someone who does.”, “Who owns the records for example.com?”, “ASK .com DNS Server”, “ASK 1.2.3.4”, “example.com is 1.2.3.5”.]
Why use DNSSEC in combination with HSMs
Benefits
▪ Ensure integrity of the DNSSEC validation process with independently certified HSMs (FIPS 140-2 Level 3 and Common Criteria EAL4+).
▪ Maintain a robust tamper-resistant hardware boundary and a proven, auditable mechanism to protect valuable signing keys.
▪ Enforce separation of duties through robust access controls to mitigate the threat of single “super users” and facilitate regulatory compliance.
▪ Achieve high availability and improved DNS server performance with secure key storage, backup and recovery, and powerful cryptographic acceleration.
Demo.
▪ Install required packages
  ▪ gcc, python, libssl-dev, libcap-dev, make
▪ Copy Utimaco PKCS#11 library and config file
▪ Configure, compile and install BIND 9.14rc2
  ▪ ./configure --enable-native-pkcs11 --with-pkcs11=/usr/local/utimaco/libcs_pkcs11_R2.so --with-python=no
▪ Initialize PKCS#11 Slot
▪ Generate Keypair in HSM
▪ Generate Keypair referencing the key in the HSM
▪ Sign Zonefile
Initialize PKCS#11 Slot
>_Console
# ./p11tool2 Slot=0 Login=ADMIN,/path2file/ADMIN.key InitToken=1234
# ./p11tool2 Slot=0 LoginSO=1234 InitPin=5678
Generate Keypair in HSM
>_Console
# pkcs11-keygen -a RSASHA256 -b 2048 -l midgard-ksk
# pkcs11-keygen -a RSASHA256 -b 1024 -l midgard-zsk
Create PIN File for PKCS#11 Slot
>_Console
# echo -n "1234" > /usr/local/utimaco/slot0
Generate Keypair referencing the key in the HSM
>_Console
# dnssec-keyfromlabel -a RSASHA256 -l 'pkcs11:pin-source=/usr/local/utimaco/slot0;object=midgard-ksk' -f KSK midgard.com
# dnssec-keyfromlabel -a RSASHA256 -l 'pkcs11:pin-source=/usr/local/utimaco/slot0;object=midgard-zsk' midgard.com
Edit Zonefile
and add created public keys at the end
>_Console
...
$include Kmidgard.com.+008+59459.key
$include Kmidgard.com.+008+20280.key
...
Sign Zonefile
>_Console
# dnssec-signzone -S -o midgard.com midgard.zone
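An added check, not part of the slides or of BIND or Utimaco tooling, over the files the demo leaves on disk: it parses the `K*.key` DNSKEY record, recomputes key tag and RSA modulus size, confirms the matching `.private` file carries only an HSM label and no RSA private fields, and checks the mode of the `pin-source` file. The tag names follow BIND's private-key file format; the sample keys, the `min_bits` threshold of 2048 and all function names are assumptions of this example.

```python
import base64, os, stat, struct

# Tags that appear only when the RSA private key itself is written to disk.
SECRET_TAGS = {"PrivateExponent", "Prime1", "Prime2",
               "Exponent1", "Exponent2", "Coefficient"}

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_dnskey(text):
    """Parse the DNSKEY record of a K*.key file (RSA algorithms only)."""
    line = next(l for l in text.splitlines()
                if " DNSKEY " in l and not l.startswith(";"))
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    pub = base64.b64decode("".join(f[i + 4:]))
    # RFC 3110: exponent length is one byte, or 0 followed by two bytes.
    elen, off = (pub[0], 1) if pub[0] else (struct.unpack("!H", pub[1:3])[0], 3)
    bits = int.from_bytes(pub[off + elen:], "big").bit_length()
    rdata = struct.pack("!HBB", flags, proto, alg) + pub
    return {"role": "KSK" if flags & 1 else "ZSK", "alg": alg,
            "bits": bits, "tag": key_tag(rdata)}

def audit_key(key_name, key_text, private_text, min_bits=2048):
    """Return (record, findings) for one K<zone>+<alg>+<tag> file pair."""
    rec, findings = parse_dnskey(key_text), []
    alg, tag = (int(x) for x in key_name[:-len(".key")].split("+")[1:3])
    if (alg, tag) != (rec["alg"], rec["tag"]):
        findings.append("file name does not match DNSKEY algorithm/key tag")
    if rec["bits"] < min_bits:  # min_bits is a local policy choice (assumption)
        findings.append(f"{rec['role']} modulus is {rec['bits']} bits")
    tags = {l.split(":", 1)[0] for l in private_text.splitlines() if ":" in l}
    if tags & SECRET_TAGS:
        findings.append("private key material stored on disk")
    if "Label" not in tags:
        findings.append("no HSM label reference")
    return rec, findings

def pin_file_findings(path):
    """The pin-source file holds the slot PIN in clear text."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"PIN file mode {mode:o} is readable beyond its owner"]
    return []

# --- constructed sample data: not real keys, values are placeholders ---
def sample_key(flags, bits):
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    pub = b"\x03\x01\x00\x01" + modulus  # exponent 65537
    return f"midgard.com. IN DNSKEY {flags} 3 8 {base64.b64encode(pub).decode()}\n"

HEADER = ("Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"
          "Modulus: AA==\nPublicExponent: AQAB\n")
HSM_PRIVATE = HEADER + "Engine: cGtjczEx\nLabel: bWlkZ2FyZC1rc2s=\n"
SOFT_PRIVATE = HEADER + "PrivateExponent: AA==\nPrime1: AA==\n"

if __name__ == "__main__":
    print(audit_key("Kmidgard.com.+008+34572.key", sample_key(257, 2048), HSM_PRIVATE))
    print(audit_key("Kmidgard.com.+008+34571.key", sample_key(256, 1024), SOFT_PRIVATE))
```

With the demo's `-b 1024` ZSK this check reports the modulus size, and a PIN file written by a plain `echo` under a default umask is typically reported as readable beyond its owner.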
Curious what you can do with our HSM?
Want to try to integrate it into your application?
Thank you for your attention
Viktor Wiebe
Sales Engineer HSM
Utimaco IS GmbH
Germanusstraße 4, 52080 Aachen, Germany, Tel +49 241 1696 200, Fax +49 241 1696 199, Email [email protected]
Utimaco Inc.
Suite 150, 910 E Hamilton Ave, Campbell, CA 95008, United States of America, Tel +1 844 884 6226, Email [email protected]
Utimaco Technical Overview.
CryptoServer LAN v5
1U form factor
40% less power consumption
40% less heat dissipation
Hot-Plug fan & power supply replacement
CryptoServer Hardware Platforms
CryptoServer Se-Series Gen2
▪ Physical Interface: Network attached, PCIe plug-in
▪ Cryptographic Support: 3DES, AES, RSA, DSA, DH, ECDSA, ECDH, ECIES, SHA-1, SHA-2 family, …
▪ RSA 2048 signature generation per second: Between 16 and 3400
▪ Certifications: FIPS 140-2 Level 3 / CC EAL 4+
CryptoServer CSe-Series
▪ Physical Interface: Network attached, PCIe plug-in
▪ Cryptographic Support: 3DES, AES, RSA, DSA, DH, ECDSA, ECDH, ECIES, SHA-1, SHA-2 family, …
▪ RSA 2048 signature generation per second: Between 17 and 90
▪ Certifications: FIPS 140-2 Level 3 w/ Physical Security Level 4, “DK” Approval, PCI-HSM
CryptoServer Product Packages
CryptoServer Se-Series Gen2, CryptoServer CSe-Series
▪ SecurityServer: PKCS#11, JCE, MS CSP/CNG/SQL EKM, CXI
▪ TimestampServer: RFC 3161, CTS API
▪ CryptoServer SDK: Development Kit for CryptoServer Firmware Development
▪ CryptoScript SDK: Development Kit for Scripting HSM Extensions
▪ PaymentServer: EFTPOS
▪ eIDAS: QSCD compliant firmware