Entrust nShield 5s
Deliver cryptographic key services to applications hosted on individual servers and virtual machines with PCI-Express (PCIe) card-based, crypto-agile, highly scalable, next-generation hardware security modules (HSMs)
Entrust nShield 5s HSMs
nShield 5s HSMs are PCIe cards that perform encryption, digital signing, and key generation for an extensive range of commercial and custom-built applications, including certificate authorities, code signing, and more. With their comprehensive capabilities and quantum crypto-agility, they are 100% compatible with existing nShield HSM deployments and APIs, and they are highly secure, with FIPS 140-3 Level 3 certification*.
*FIPS 140-3 Validated, Certificate #4745
Models
The nShield 5s HSM series includes the new high-performance nShield 5s High, which offers superior asymmetric and symmetric performance and best-in-class elliptic curve cryptography (ECC) transaction rates.
nShield 5s Benefits
Powerful Architecture
Our Security World architecture integrates nShield HSMs into a unified ecosystem, delivering scalability, load balancing, and more.
Faster Data Processing
nShield 5s HSMs are ideal for enterprise retail, IoT 5G, and other environments where throughput is critical.
Protection of Sensitive Business and Application Logic
Execute code within nShield boundaries, protecting your applications and the data they process.
Tech Specs
Certified Hardware Solutions
Entrust has earned a broad set of certifications for nShield HSM products. These certifications help our customers to demonstrate compliance while also helping to give them the assurance that their nShield HSMs meet stringent industry standards.
Safety and Environmental Standards Compliance
- UL, CE, FCC, Canada ICES, KC, VCCI, RCM, UKCA, RoHS, WEEE, REACH
Security Compliance
- FIPS 140-3 Level 3
- eIDAS and Common Criteria EAL4 + AVA_VAN.5 and ALC_FLR.2 certification against EN 419 221-5 Protection Profile, under the Dutch NSCIB scheme
- Can form the basis of an EN 419 241-2 certified remote signing system for eIDAS
- Compliant with BSI AIS 31 for true and deterministic random number generation
Supported APIs
- PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI and CNG, nCore, and Web Services
Supported Cryptographic Algorithms
- Full NIST Suite B implementation
- Asymmetric algorithms: RSA, Diffie-Hellman, ECMQV, DSA, ElGamal, KCDSA, ECDSA (including NIST, Brainpool & secp256k1 curves), ECDH, Edwards (Ed25519, Ed25519ph)
- Symmetric algorithms: AES, AES-GCM, Arcfour, ARIA, Camellia, MD5 HMAC, RIPEMD160 HMAC, SEED, SHA-1 HMAC, SHA-224 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC, Tiger HMAC, 3DES
- Hash/message digest: MD5, SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160, RIPEMD160, SHA-3 (224, 256, 384, 512 bit)
- Elliptic Curve Key Agreement (ECKA) available via Java API and nCore APIs
- Elliptic Curve Integrated Encryption Scheme (ECIES) available via Java API, PKCS#11 and nCore APIs
- TUAK & MILENAGE algorithm support for mutual authentication and key generation (3GPP)
- NIST short-listed post-quantum cryptographic algorithms supported using the nShield Post-Quantum SDK with CodeSafe
Supported Platforms
Windows and Linux operating systems including distributions from Red Hat and SUSE.
Reliability
Calculated at 25°C operating temperature using Telcordia SR-332 “Reliability Prediction Procedure for Electronic Equipment” MTBF Standard
- nShield 5s HSM: 1,702,841 hours
| nShield 5s models | Base | Mid | High |
|---|---|---|---|
| RSA signing performance (tps) for NIST recommended key lengths | | | |
| 2048 bit | 670 | 3,949 | 13,614 |
| 4096 bit | 135 | 814 | 2,200 |
| 8192 bit | 19 | 115 | 309 |
| ECC prime curve signing performance (tps) for NIST recommended key lengths | | | |
| 256 bit | 2,085 | 7,553 | 21,826 |
| 521 bit | 1,010 | 5,977 | 16,164 |
| Key generation (key/sec) | | | |
| RSA 2048 bit | 7 | 20 | 23 |
| ECDSA P-256 bit | 1,040 | 3,580 | 3,494 |
| ECDSA P-521 bit | 518 | 2,480 | 2,724 |
| Key agreement performance (transaction/sec) | | | |
| ECDH P-256 bit | 2,085 | 7,550 | 21,436 |
Each nShield 5s HSM is supplied with an external smart card reader for local use.
Options and Accessories
Performance Ratings and Options
We have a variety of nShield 5s models to meet your performance needs. You can select among the performance models shown in the Tech Specs tab and can also purchase in-field upgrades from lower nShield 5s performance models to higher performance models.
Software Option Packs
Entrust offers a range of software option packs that can be used in conjunction with your nShield HSMs.
nShield Monitor
nShield Monitor is a monitoring platform that provides 24x7 visibility into the status of nShield HSMs. With this solution, security teams can efficiently inspect HSMs and find out immediately if any potential security, configuration or utilization issue may compromise their mission-critical infrastructure.
Remote Administration Kits
nShield Remote Administration lets operators manage distributed nShield HSMs – including adding applications, upgrading firmware, checking status, re-booting and more – from their office locations, reducing travel and saving money. Remote Administration Kits contain the hardware and software needed to set up and use the tool.
CodeSafe
CodeSafe is a powerful, secure environment that lets you execute applications within the secure boundaries of nShield HSMs. Sample applications include digital meters, authentication agents, digital signature agents and custom encryption processes. CodeSafe is available with FIPS Level 3 certified network-attached and PCIe nShield HSMs.
CipherTools
CipherTools is a set of tutorials, reference documentation, sample programs and additional libraries. With this toolkit, developers can take full advantage of the advanced integration capabilities of nShield HSMs. In addition to offering support for standard APIs, the toolkit enables you to run custom applications with nShield HSMs. CipherTools is included free of charge in the standard Security World software ISO/DVD.
KCDSA Activation
With the KCDSA activation license, you can use the Korean Certificate-based Digital Signature Algorithm (KCDSA) as well as HAS-160, SEED, and ARIA algorithms on nShield HSMs.
Smart Card Reader Rackmount
For organizations deploying one or more nShield 5s modules in a 19" rack, the optional nShield smart card reader rackmount provides a practical and clean solution for attaching card readers in the data center. The rackmount is 1U in height and can be equipped with up to four smart card readers, which come standard with nShield 5s cards. Each unit is packaged with three blanking plates to cover any unused slots.