
Memjet Assures Secure Licensing and Manufacturing with nShield
Learn how Memjet enables secure licensing and always-on manufacturing with nShield hardware security modules.


In the past, marketing was based on volume. Marketers created one message and printed high volumes of that message for a wide audience. This type of marketing required the use of printing presses that could keep pace with the volume, not the message.
Today, as consumers demand more personalized experiences from the companies they work with, this type of mass communication is being replaced with more personalized messages. The presses that once produced such big volumes of print were not capable of creating small, customized messages that add value.
Enter Memjet. Driven by passion for innovation and a desire to change the printing industry, the company provides digital inkjet technology that enables unmatched simplicity, speed and profitability for its customers. Memjet designs and develops a modular printing technology that includes printheads, inks, data paths, and modules. Providing this complete sub-system results in printhead optimization, which, in turn, enables its OEM partners to easily integrate Memjet technology into their custom-built printing solutions and successfully deliver the type of communications that make brands successful.

Challenge
Secure Licensing and Manufacturing
Rather than directly manufacture and sell printers, Memjet licenses its technologies and sells system components to original-design- and original-equipment-manufacturing (ODM/OEM) partners. This allows these partners to build their own unique product offerings. As a result, Memjet needs to securely support remote manufacturing models, in which new Memjet-powered printers are created at manufacturing facilities controlled by Memjet partners and even subcontractors to those partners.
“Our core technology is in our printhead,” says Bill Kavadas, senior director, Information Systems at Memjet. “We use the same printhead in a number of different printers with different attributes and price points. In addition, our OEM partners sell our components as printers at different price points in many different market segments. Consequently, we need to give these printers and components an identity for a particular model, brand or OEM, and we need to securely incorporate licensing information.”
Memjet assures the quality of the end-customer experience by ensuring that authentic and appropriate components and consumables are used with a given model, family, or brand of printer. To do this, Memjet includes an unconfigured quality assurance chip in printer modules and components. During the remote manufacturing process, the chip is configured to give the printer or component its unique identity and attribute set. This component information needs to be generated securely and digitally signed prior to installation at the remote ODM/OEM facilities.
Updating Key Management and Signing
In addition to implementing this always-on manufacturing infrastructure, Memjet wanted to refresh its back-office cryptographic key management and signing infrastructure. The functionality in this area represents an entirely different set of requirements, such as those for security around multi-factor operator authentication with an enforced minimum quorum on intentionally offline/air-gapped key management systems.

Solution
Memjet knew hardware security modules (HSMs) could meet this need. HSMs are hardened, tamper-resistant hardware devices that strengthen encryption practices by generating keys, encrypting and decrypting data, and creating and verifying digital signatures. Entrust nShield® HSMs are certified at various FIPS 140-2 Levels and are frequently used to:
- Achieve higher levels of data security and trust
- Maintain high service levels and business agility
- Meet and exceed established and emerging regulatory standards for cybersecurity
Memjet’s technical group looked at various general-purpose HSMs to determine how each would map onto Memjet’s requirements and how much development effort each would require to integrate into Memjet’s manufacturing system. This required understanding a large amount of detail for each offering and how it might be used.
According to Robert Fairlie-Cuninghame, Memjet’s QAI technical lead/architect, “The Entrust sales team provided excellent local and remote support during this evaluation period and was invaluable to the process. The excellent depth, breadth and quality of the product documentation gave us confidence that the solution was well thought-out and supported. Entrust’s willingness, in short order, to provide a demonstration unit, necessary documentation and excellent support really impressed us and made it much easier to evaluate the nShield HSM technology.”
Because Memjet has multiple facilities and multiple needs, it chose to deploy two kinds of Entrust nShield HSMs. Fairlie-Cuninghame explains, “For the always-on manufacturing infrastructure, the nShield Solo HSMs were the obvious choice for use in rack-mounted servers; however, for the air-gapped systems involving human operators, we deemed the nShield Edge HSMs to be more convenient.”
The nShield HSMs differentiated themselves in a number of ways, Fairlie-Cuninghame says. “Support for key management using smartcards with multi-factor authentication and minimum K of N operator enforcement is fully integrated into the core security technology as well as the provided core utilities. This was one of the main clinchers, and meant that with little or no software development, we could natively create and manage keys protected in this manner using just the provided utilities.”
Kavadas adds, “Entrust nShield HSMs are state of the art and have enabled us to use a more sophisticated and secure chip in our technology. In addition, using Entrust nShield Remote Administration, we can remotely access our HSMs and change or modify operations and prevent problems. This is a great advantage; in the past we’ve had to travel to wherever our HSMs reside to reset them. I don’t know that we could achieve everything we do with software and have the kind of security we’re looking for without the nShield HSMs.”
Memjet’s initial deployment includes Entrust nShield HSMs in the U.S., Australia and three sites in Asia.
Results
Kavadas says Memjet has seen the following benefits from using Entrust nShield HSMs:
- Increased end-customer quality assurance
- Increased overall security environment
- The ability to securely execute the company’s own software within the security boundary of the HSM, via Entrust’s unique CodeSafe technology
- The ability to use smart cards for K of N authentication of cryptographic keying operations
- The ability to remotely manage and rekey HSMs for local and global production systems, resulting in a reduction of travel costs
- Futureproofing Memjet’s intellectual property
Related Products & Services
Entrust nShield Solo HSMs
FIPS-certified, PCI-Express card-based hardware security modules that deliver cryptographic key services to applications hosted on individual servers and appliances.
nShield CodeSafe
Develop and execute sensitive code within a FIPS 140-2 Level 3 certified nShield hardware security module.
Entrust nShield Remote Administration
Administer distantly located nShield hardware security modules (HSMs) from any location, whenever you choose.
Summary
Business need
- Assure the quality of the end-customer experience by ensuring authentic and appropriate components and consumables are used with a given model/family/brand of printer across a decentralized worldwide system of licensed ODMs/OEMs
- Secure licensing
- Secure authorization and auditing of manufacturing activities
- Refresh back office cryptographic key management and signing infrastructure
Solution
- Entrust nShield Solo HSMs for always-on manufacturing
- Entrust nShield CodeSafe for secure on-HSM execution of Memjet licensing information
- Entrust nShield Edge HSMs for air-gapped systems with human operators
- Entrust nShield Remote Administration
Results
- End-customer quality assurance
- Updated system using more sophisticated security technology
- Increased security
- The ability to implement Memjet’s own software
- The ability to remotely manage HSMs
- The ability to use smart cards