Entrust nShield 5C
Deliver cryptographic key services to applications distributed across servers and virtual machines with Entrust crypto-agile, highly scalable, next-generation hardware security modules (HSMs).
Entrust nShield 5c HSMs
nShield 5c HSMs are security appliances that deliver cryptographic services to applications across the network, in the cloud, and in hybrid environments. The hardened, tamper-resistant, FIPS 140-3 level 3 certified* platforms perform such functions as encryption, digital signing, and key generation and protection. With their comprehensive capabilities, flexible hybrid deployments, quantum crypto-agility, and 100% compatibility with existing nShield HSM deployments and APIs, these HSMs can support an extensive range of applications, including certificate authorities, code signing, and more.
*FIPS 140-3 Validated, Certificate #4745
High-performance, scalable HSMs that save you time and money
The new nShield 5c models offer enterprises a reduction in total cost of ownership, eliminating costly repeat trips to the data center and reducing the overhead of managing and configuring HSM estates. Features include:
- Centralized, remote visualization and management console supporting HSM administration and Security World management
- A serial console supporting provider/tenant deployment models through strong role separation, delineating tasks such as changing network settings from controlling cryptographic actions
- Remote presentation of physical tokens to authorize administration tasks and cryptographic key usage
- Seamless interoperation with all other variants and versions of the nShield HSM family
These features reduce the demands on highly specialized and trained resources, provide enterprises with efficiency gains, and ensure control over the HSMs resides in the hands of the security professionals.
nShield 5c Benefits
Powerful Architecture
Build and grow your HSM estate using Security World, Entrust's unified ecosystem that delivers scalability, load balancing, seamless failover, and disaster recovery.
Faster Data Processing
Get some of the highest cryptographic transaction rates in the industry. Ideal for environments where throughput is critical.
Protection of sensitive business and application logic
Execute code within nShield boundaries, protecting your applications and the data they process.
Tech Specs
Certified Hardware Solutions
Entrust nShield HSMs have earned a broad set of certifications. These certifications help our customers to demonstrate compliance while also helping to give them the assurance that they meet stringent industry standards.
Security Compliance
- FIPS 140-3 Level 3
- eIDAS and Common Criteria EAL4 + AVA_VAN.5 and ALC_FLR.2 certification against EN 419 221-5 Protection Profile, under the Dutch NSCIB scheme
- Can form the basis of an EN 419 241-2 certified remote signing system for eIDAS
- Compliant with BSI AIS 31 for true and deterministic random number generation
Safety and Environmental Standards Compliance
- UL, CE, FCC, UKCA, RCM, Canada ICES, RoHS, WEEE, REACH
High Transaction Rates
nShield HSMs boast high elliptic curve cryptography (ECC) and RSA transaction rates.
nShield 5c Models | Base | Mid | High |
---|---|---|---|
RSA signing performance (tps) for NIST recommended key lengths | |||
2048 bit | 670 | 3,949 | 13,614 |
4096 bit | 135 | 814 | 2,200 |
8192 bit | 19 | 115 | 309 |
ECC prime curve signing performance (tps) for NIST recommended key lengths | |||
256 bit | 2,085 | 7,553 | 21,826 |
521 bit | 1,010 | 5,977 | 16,164 |
Key generation (keys/sec) | |||
RSA 2048 bit | 7 | 20 | 23 |
ECDSA P-256 bit | 1,040 | 3,580 | 3,494 |
ECDSA P-521 bit | 518 | 2,480 | 2,724 |
Key agreement performance (transactions/sec) | |||
ECDH P-256 bit | 2,085 | 7,550 | 21,436 |
Client licenses | |||
Included | 3 | 3 | 3 |
Maximum | 10 | 20 | unlimited1 |
1Requires enterprise client license.
Supported Cryptographic Algorithms
- Full NIST Suite B implementation
- Asymmetric algorithms: RSA, Diffie-Hellman, ECMQV, DSA, El- Gamal, KCDSA, ECDSA (including NIST, Brainpool & secp256k1 curves), ECDH, Edwards (Ed25519, Ed25519ph)
- Symmetric algorithms: AES, AES-GCM, Arcfour, ARIA, Camellia, MD5 HMAC, RIPEMD160 HMAC, SEED, SHA-1 HMAC, SHA-224 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC, Tiger HMAC, 3DES
- Hash/message digest: MD5, SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160, RIPEMD160, SHA-3 (224, 256, 384, 512 bit)
- Elliptic Curve Key Agreement (ECKA) available via Java API and nCore APIs
- Elliptic Curve Integrated Encryption Scheme (ECIES) available via Java API, PKCS#11, and nCore APIs
- TUAK & MILENAGE algorithm support for mutual authentication and key generation (3GPP)
- NIST short-listed post-quantum cryptographic algorithms supported using the nShield Post Quantum SDK with CodeSafe
nShield HSMs offer support for the majority of these cryptographic algorithms as part of the standard feature set. For organizations wishing to use South Korean algorithms, optional activation licenses are needed.
Supported Platforms
Windows and Linux operating systems including distributions from Red Hat, SUSE, and major cloud service providers running as virtual machines or in containers.
Reliability
Calculated at 25°C operating temperature using Telcordia SR-332 “Reliability Prediction Procedure for Electronic Equipment" MTBF Standard
- nShield 5c HSM: 107,845 hours
Options and Accessories
Performance Ratings and Options
To meet the performance needs of your application, Entrust provides a variety of nShield 5c models as shown in the Technical Specifications tab. You can select among the performance models shown, and can also purchase in-field upgrades on nShield 5 HSM models from lower performance models to higher models.
Client Licenses
nShield 5c HSMs ship with three client licenses, each allowing a connection to an IP address. Additional licenses are available for purchase. The maximum number of client licenses supported varies by nShield 5c model as shown in the table below.
Max # client licenses per nShield 5c Model
- Base: 10 licenses
- Mid: 20 licenses
- High: Unlimited*
Note* requires Enterprise Client License activation
Software Options Pack
Entrust offer a range of software option packs which can be used in conjunction with your nShield HSMs.
nShield Monitor
nShield Monitor is a monitoring platform that provides 24x7 visibility into the status of nShield HSMs. With this solution, security teams can efficiently inspect HSMs and find out immediately if any potential security, configuration or utilization issue may compromise their mission-critical infrastructure.
Remote Administration Kits
nShield Remote Administration lets operators manage distributed nShield HSMs—including adding applications, upgrading firmware, checking status, re-booting and more—from their office locations, reducing travel and saving money. Remote Administration Kits contain the hardware and software needed to set up and use the tool.
Cloud Disaster Recovery
Increase redundancy and reliability of on-premises deployments.
- Subscription-based service
- Adds off-site HSM resources
- Convenient and cost-effective
CodeSafe
CodeSafe is a powerful, secure environment that lets you execute applications within the secure boundaries of nShield HSMs. Applications include cryptography and high value business logic associated with banking, smart metering, authentication agents, digital signature agents and custom encryption processes. CodeSafe is available with FIPS Level 3 certified nShield HSMs
CipherTools
The CipherTools is a set of tutorials, reference documentation, sample programs and additional libraries. With this toolkit, developers can take full advantage of the advanced integration capabilities of nShield HSMs. In addition to offering support for standard APIs, the toolkit enables you to run custom applications with nShield HSMs. CipherTools Developer Toolkit is included free of charge in the standard Security World software ISO/DVD.
KCDSA Activation
With the KCDSA activation license, you can use the Korean Certificate-based Digital Signature Algorithm (KCSDA) as well as HAS-160, SEED, and ARIA algorithms on nShield HSMs.
Slide Rails
Entrust offers optional slide rails that let users mount nShield 5c in a 19" rack without a shelf. Entrust recommends that customers use these slide rails exclusively as parts from other manufacturers may not be compatible.
Keyboard
Many functions of nShield 5c HSMs can easily be executed using the touch wheel at the front of the unit. Entrust offers an optional USB keyboard for even greater ease of use.
Field Replaceable Parts
nShield 5c features parts that operators can replace in the field, with minimal downtime. These parts include dual, hot-swap power supplies and field-replaceable fan tray (requires nShield 5c to be put into standby).