nShield Connect HSMs

nShield Connect HSMs are certified hardware security appliances that deliver cryptographic services to a variety of applications across the network. nShield HSM appliances are hardened, tamper-resistant platforms that perform such functions as encryption, digital signing, and key generation and protection. With their comprehensive capabilities, these HSMs can support an extensive range of applications, including certificate authorities, code signing and more.

Remote configuration eliminates costly trips to the data center

The latest nShield Connect XC models offer an optional serial port that allows enterprises to eliminate costly repeat trips to the data center. Remote Configuration capabilities include:

  • Initiating and changing an HSM’s network settings, e.g. IP address
  • Supporting provider/tenant deployment models where the nShield HSM appliance can be easily configured by the provider before passing control of the HSM to a tenant. Separation of roles ensures the cryptographic key material is not exposed to the provider.
  • Purging key material and decommissioning the nShield HSM appliance at the end of a usage cycle in preparation for its next deployment.

Technicians simply need to rack and cable the nShield HSM appliance and connect a serial concentrator in the data center to prepare the nShield Connect XC for full remote configuration and administration. This reduces the need for trained resources in the data center and provides customers more efficiency and control over their HSMs.

Beyond Security

nShield Connect Benefits

Powerful Architecture

Build and grow your HSM estate using Security World, Entrust's unified ecosystem that delivers scalability, seamless failover, and load balancing.

Faster Data Processing

Get some of the highest cryptographic transaction rates in the industry. Ideal for environments where throughput is critical.

Protection of sensitive business and application logic

Execute code within nShield boundaries, protecting your applications and the data they process.

Details

    Tech Specs

    Certified hardware solutions

    Entrust has earned a broad set of certifications for nShield products. These certifications help our customers to demonstrate compliance while also giving them the assurance that their nShield HSMs meet stringent industry standards.

    Security compliance

    • FIPS 140-2 Level 2 and Level 3
    • USGv6 accreditation
    • eIDAS and Common Criteria EAL4 + AVA_VAN.5 and ALC_FLR.2 certification against EN 419 221-5 Protection Profile, under the Dutch NSCIB scheme
      • Can form the basis of an EN 419 241-2 certified remote signing system for eIDAS.
      • Compliant with BSI AIS 31 for true and deterministic random number generation
    • Common Criteria EAL4+ (AVA_VAN.5) for nShield Connect+ models
    • Recognition of nShield Connect+ as a Qualified Signature Creation Device (QSCD)
    • ICP Brazil certification to NSC3 level

    Safety and environmental standards compliance

    • UL, CE, FCC, RCM, Canada ICES
    • RoHS2, WEEE

    High transaction rates

    nShield HSMs boast high elliptic curve cryptography (ECC) and RSA transaction rates. ECC, one of the most efficient cryptographic algorithms, is particularly favored where low power consumption is crucial, such as applications running on small sensors or mobile devices.

    nShield Connect Models   | 500+ | XC Base | 1500+ | 6000+ | XC Mid   | XC High

    RSA Signing Performance (tps) for NIST Recommended Key Lengths
    2048 bit                 | 150  | 430     | 450   | 3000  | 3500     | 8600
    4096 bit                 | 80   | 100     | 190   | 500   | 850      | 2025

    ECC Prime Curve Signing Performance (tps) for NIST Recommended Key Lengths
    256 bit                  | 540  | 680     | 1260  | 2400  | 7512 [1] | 14400 [1]

    Note 1: Performance indicated requires ECDSA fast RNG feature activation available free of charge on request from nCipher Support.

    Wide support for APIs, cryptographic algorithms and OSs

    Supported APIs

    • PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI/CNG and Web Services (requires Web Services Option Pack)

    Supported Cryptographic Algorithms

    • Asymmetric public key algorithms: RSA, Diffie-Hellman, ECMQV, DSA, KCDSA, ECDSA, ECDH, Edwards (X25519, Ed25519ph)
    • Symmetric algorithms: AES, AES-GCM, ARIA, Camellia, CAST, RIPEMD160 HMAC, SEED, Triple DES
    • Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160
    • Full Suite B implementation with fully licensed ECC including Brainpool and custom curves

    nShield HSMs offer support for the majority of these cryptographic algorithms as part of the standard feature set. For organizations wishing to use ECC or South Korean algorithms, optional activation licenses are needed.

    Supported Platforms

    Windows and Linux operating systems including distributions from RedHat, SUSE and major cloud service providers running as virtual machines or in containers.

    Reliability

    Calculated at 25°C operating temperature using Telcordia SR-332 “Reliability Prediction Procedure for Electronic Equipment” MTBF Standard

    • Connect XC   107,384 hours
    • Connect+   99,284 hours

    Options and Accessories

    Performance ratings and options

    To meet the performance needs of your application, Entrust provides a variety of nShield Connect models as shown in the Technical Specifications tab. You can select among the performance models shown, and can also purchase in-field upgrades on XC models from lower performance models to higher models.

    Client licenses

    nShield Connect HSMs ship with three client licenses, each allowing a connection to an IP address. Additional licenses are available for purchase. The maximum number of client licenses supported varies by nShield Connect model as shown in the table below.

    Max # client licenses per nShield Connect Model

    XC Base/500+   10 licenses

    XC Mid/1500+   20 licenses

    XC High/6000+   Unlimited*

    Note* requires Enterprise Client License activation


    Software Options Pack

    Entrust offers a range of software option packs that can be used in conjunction with your nShield HSMs.

    nShield Monitor

    nShield Monitor is a monitoring platform that provides 24x7 visibility into the status of nShield HSMs. With this solution, security teams can efficiently inspect HSMs and find out immediately if any potential security, configuration or utilization issue may compromise their mission-critical infrastructure.

    Remote Administration Kits

    nShield Remote Administration lets operators manage distributed nShield HSMs—including adding applications, upgrading firmware, checking status, re-booting and more—from their office locations, reducing travel and saving money. Remote Administration Kits contain the hardware and software needed to set up and use the tool. These kits are available for nShield Solo and nShield Connect HSMs.

    CodeSafe

    CodeSafe is a powerful, secure environment that lets you execute applications within the secure boundaries of nShield HSMs. Applications include cryptography and high value business logic associated with banking, smart metering, authentication agents, digital signature agents and custom encryption processes. CodeSafe is available with FIPS 140-2 Level 3 certified nShield Solo and nShield Connect HSMs.

    CipherTools

    CipherTools is a set of tutorials, reference documentation, sample programs and additional libraries. With this toolkit, developers can take full advantage of the advanced integration capabilities of nShield HSMs. In addition to offering support for standard APIs, the toolkit enables you to run custom applications with nShield HSMs. The CipherTools Developer Toolkit is included free of charge in the standard Security World software ISO/DVD.

    nToken

    Security teams that want to strongly authenticate their nShield Connect HSM clients can use nToken PCIe cards for hardware-based host identification and verification.

    Elliptic Curve Cryptography (ECC) activation

    The ECC activation license enables EC-DH, EC-DSA and EC-MQV to be used on nShield HSMs.

    KCDSA activation

    With the KCDSA activation license, you can use the Korean Certificate-based Digital Signature Algorithm (KCDSA) as well as the HAS-160, SEED and ARIA algorithms on nShield HSMs.

    Slide rails

    Entrust offers optional slide rails that let users mount nShield Connect in a 19" rack without a shelf. Entrust recommends that customers use these slide rails exclusively as parts from other manufacturers may not be compatible.

    Keyboard

    Many functions of nShield Connect HSMs can easily be executed using the touch wheel at the front of the unit. Entrust offers an optional USB keyboard for even greater ease of use.

    Field replaceable parts

    nShield Connect features parts that operators can replace in the field with minimal downtime. These parts include dual, hot-swap power supplies and a field-replaceable fan tray (requires nShield Connect to be put into standby).

    What our customers are saying...

    Square

    We have a long history together and we’re extremely comfortable continuing to rely on nCipher solutions for the core of our business. We have used nCipher HSMs for five years and they have always been exceptionally reliable. We’ve layered a lot of code on top of the HSM; it delivers the performance we need and has proven to be a rock-solid foundation.

    Neal Harris, Security Engineering Manager, Square, Inc

    Verifone

    As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We selected nCipher* HSMs to provide robust security, unmatched performance, and superior scalability across our payment security platforms…

    Joe Majka, Chief Security Officer, Verifone

    Memjet

    nCipher Security’s* nShield sales team provided excellent local and remote support during this evaluation period and was invaluable to the process. The excellent depth, breadth, and quality of the product documentation gave us confidence that the solution was well thought-out and supported.

    Robert Fairlie-Cuninghame, QAI Technical Lead/Architect, Memjet

    Polycom

    nCipher* provided the expertise needed to design and implement a tailored, secure VoIP solution.

    Marek Dutkiewicz, Polycom
