BlackVault HSM.TSA

The BlackVault HSM^.TSA is a Time Stamp Authority (TSA) product fully integrated with the network attached BlackVault HSM platform combining a cryptographically advanced HSM with creation and authenticity of timestamps. In response to the needs of customer with increasingly valuable digital signing practices and the need for enabling organizations to record when a digital item – ie. a document, piece of software or transaction – was signed. Time stamping is also crucial for stock trades, lottery ticket issuance and legal proceedings. In general time stamping is valuable for audit processes and record keeping as it provides proof whether the digital certificate was valid at the time it was used.

The BlackVault HSM^.TSA ensures the tamper proof creation and authenticity of the timestamped data for many applications. Verify at all times, if the timestamped data matches the exact same form at the point in time it was logged by the timestamp. The BlackVault HSM^.TSA complies with the RFC 3161 timestamp protocol. Administration clients initialize and administer the BlackVault HSM^.TSA via a web application interface. The BlackVault HSM^..TSA is designed to easily integrate into an existing infrastructure. The system is easy to set up which means it is both time and cost-efficient. All keys are generated and managed by Hardware Security Modules (HSMs), which means they are never exposed and cannot be tampered with. Administrators must log on to the HSM using smart cards with two-factor authentication with an “M of N” Quorum. Optionally you can enable TLS for additional security. Key sizes are configurable and easy to change via the web application. Timestamp operation are backed by NTP servers that are also configurable.

Its powerful features include a compact form factor, smart card reader, tamper reactive silicon die shield, long battery life, networked and off-line operation with Ethernet and USB ports, and much more. The TSA Server and the HSM PKCS#11 API have independent logins creating isolated access to their Signing Keys adding another layer of protection.

The BlackVault HSM^.TSA utilizes an intuitive iconic graphical user interface. A structured menu system facilitates straight forward configuration via remote management. The user interface presents Crypto Officers with a sequence of dialog boxes that lead through a series of well-defined steps to initiate the HSM and provision cards and keys.

Is a Powerful, easy to use, PKCS#11 CLI tool able to perform many different cryptographic operations that comes with every BlackVault HSM and works on Windows/Linux/MacOS both physical and virtualized. Some of the functions are:

Able to utilize AES, RSA EC, and DSA key types. Sign using various hashes including but not limited to SHA256, SHA384, and SHA512.

BlackVault easily integrates into a variety of applications, supporting numerous crypto APIs including PKCS#11, Java (JCE) and Microsoft CAPI / CNG, across a variety of operating systems. 

A SDK comes with a purchase of an HSM designed to help you integrate your application with the BlackVault through its PKCS#11 interface.

- Includes example code of Python and C++

Simple easy to use integration guides with step by step walkthroughs to get you up and running with a variety of applications including: 

• Authenticode

• Eclipse

• Android Dev Studio

• Java

• Microsoft Active Directory Certificate Services 

Its compact “hard drive” form-factor and redundant, battery-backed, solid state key storage allow BlackVault HSM^.TSA  to be moved to a secure room or safe without loss or compromise of root keys or other cryptographic material. Its small form factor with USB connection and power also supports mounting BlackVault HSM^.TSA  within application servers and other compact environments. 

The integrated smart card reader facilitates two-factor authentication, and advanced “M of N” Quorum approval.  This ensures that no single individual can authorize administrative or operational actions. 

Constantly updated configuration and operation information provide Security Administrators with the data to discover anomalous activity or failure of critical functions. Audit information can be sent to a trusted entity and is protected to prevent unauthorized access, modification, or deletion. 

BlackVault HSM^.TSA  cryptographic boundary is within the silicon of its secure CPU. This silicon die shield has dynamic fault detection with real-time environmental and tamper detection circuitry. It also avoids inadvertent tamper, making the BlackVault HSM^.TSA  safe to transport. When a tamper event is detected, the Cryptographic keys are zeroized (deleted). 

BlackVault HSM^.TSA  is an independently certified standards based network attached hsm (hardware security module) that performs key management and cryptographic operations for enterprises, certificate authorities, government, and a growing list of organizations requiring strong security for PKI, digital certificates, code signing, document signing, cryptographic key storage, data encryption, key generation and regulatory compliance in cloud companion, networked and off-line (air-gap) operations.