SPYRUS Rosetta HSM
The foundation of almost all of the SPYRUS® technologies is SPYCOS® (SPYRUS Cryptographic Operating System). SPYCOS is the firmware operating system incorporated into SPYRUS hardware devices. It supports more cryptographic algorithms than any other commercial product and dynamically allocates nonvolatile memory. SPYCOS is at the core of the Rosetta Hardware Security Modules (HSM).
The family of Rosetta HSM includes the Rosetta Micro Series II and Series III. Micro Series II and Series III are embedded in many other SPYRUS products such as our Windows To Go Live Drives and are ideal for custom applications. Their compact size makes them the perfect choice for small devices such as computers, cell phones, PDAs, wired and wireless routers, point-of-sale and gaming terminals, set-top boxes, industrial control devices, voting systems and new Internet of Things devices.
Other Rosetta HSM products offered by SPYRUS include:
Rosetta SDHC/microSDHC™ Card
TrustedFlash™ AES 256-bit hardware self-encrypting configuration option providing flash memory protection with PKI services
- High-assurance protection for keys, digital IDs, and sensitive data
- SD/IO interface standard supported
- Unique serial number for each Rosetta SDHC card
- Approximately 32K of EEPROM available for X.509 certificates and data storage
- Advanced random-number generation technology
Rosetta Series II and Series III USB and Smart Card Security Devices
The Rosetta Series II and Series III products draw on over a decade of proven performance to provide the strongest possible security for such security-critical capabilities as PKI-based identity management, data security, data integrity, and non-repudiation—all in a compact, rugged, tamper-evident hardware case. The Rosetta Series II and Series III USB is a reader-less industry standard USB Smart Card Class device (CCID). It uses drivers built into desktop operating systems like Windows, Linux and OSX.
When used with the companion SPYRUS Minidriver software, Rosetta Series II and Series III security devices provide support for standard application interfaces that use the Microsoft Windows Cryptographic API (CAPI) Cryptographic Service Provider (CSP), the Windows PC/SC smart card logon protocol, and the standard PKCS #11 interface used by some Web applications and non-Windows platforms. Windows WHQL-certified drivers are available for Windows XP, Windows Server 2008, Windows Vista, Windows 7, Windows 8 and Windows Server 2012.
The design of the Rosetta Series II and Series III smart card and USB security devices provides a high-assurance security platform for application development and support:
Secure Document Transmission and Retention: Including high-strength encryption and digital signatures for applications such as secure e-mail.
Nonrepudiation applications: Digital signature private keys, once generated or loaded onto a Rosetta Series II smart card or USB, can never be exported or extracted from that device. Unique PINs can be assigned for nonrepudiation use, as opposed to encryption or authentication keys, to prevent confusion. Encryption keys can be securely archived onto another physical token or onto a virtual token that uses secret-sharing techniques for adequate key backup.
Electronic Notary: Digitally sign legal documents, including forensic evidence and audit logs, for uses such as Sarbanes-Oxley compliance.
Single Sign-On: Using Windows smart card logon, sign on to the network, Active Directory, and legacy applications. VPN and SSL/TLS mutual authentication applications are supported.
Secure Master Key Storage: Supports applications that use software encryption for file/disk encryption and high-speed streaming media while maintaining the master keys in a secure token. This provides cost-effective, high-security protection against the theft or surreptitious cloning of the entire file system of a client or server, including backup files and archives. SSL and EFS private keys can also be protected.
Code Signing: Supports digitally signed executable code, macros, and other assemblies. Compatible with Windows .NET Security Framework applications.
Microsoft Windows Compatibility: Rosetta Series II and Series III smart card and USB security devices, when used in combination with SPYRUS MiniDriver and PKCS #11 software, provide a flexible, highly secure interface with Microsoft Windows applications.
Built-in Algorithm Support for the Future
SPYRUS is committed to keeping the Rosetta™ Series II and Series III smart card and USB security devices well ahead of the rest of the industry as cryptographic requirements change and evolve. As our customers require new algorithms and increased key lengths, SPYRUS now supports the algorithms and key lengths advocated by industry and the U.S. Government, including 2048-bit RSA, AES-128/192/256, and SHA-1/224/256/384/512.
The Rosetta Series II and Series III are designed to support elliptic curve cryptography (ECC) using the high-strength P-256, P-384, and P-521 curves that meet or exceed U.S. Government Suite B standards. The ECDSA digital signature standard and the EC Diffie-Hellman key establishment schemes are supported in accordance with NIST SP 800-56 Key Establishment Guidelines.
Enhanced Random Number and Key Generation Security
The Rosetta Series II and Series III smart card and USB use the latest approaches to random number and key generation as recommended by the U.S. Government. A true hardware-based random-number generator (RNG) is extensively filtered, tested, and then used to seed an approved high-strength, hash-based algorithm. RSA keys are generated in accordance with the latest X9.31 specification, as required for FIPS 140-2 Level 3 certification. Particular care is taken with ECC operations to avoid possible side-channel attacks.
The Rosetta Series II and Series III family features a highly tamper-resistant and tamper-evident design. The cryptographic boundary is the chip itself, so that it can be embedded in other products for specialized applications. Rosetta Series II and Series III smart card and USB security devices never store the PIN on the device. The PIN is used to derive a decryption key used for validation. All private data on the card, including the keys, is stored in encrypted form using a variation of the PIN.
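To make the "PIN is never stored" property concrete, here is an added illustration (not SPYRUS or SPYCOS code, and not the device's actual construction): the card keeps only a salt, a PIN-check value and a wrapped private key, all derived from a PBKDF2 key, so a wrong PIN neither validates nor unwraps anything. The keystream-plus-HMAC wrapping and the 100,000-iteration work factor are assumptions chosen so the example runs with the Python standard library alone.

```python
# Added illustration (not SPYRUS code): a token that never stores the PIN.
# A PIN-derived key (PBKDF2-HMAC-SHA256) both validates the PIN and wraps
# the private key. The wrapping is HMAC-SHA256 in counter mode as a keystream
# plus an encrypt-then-MAC tag: a stdlib-only stand-in for a real cipher such
# as AES. The real device's construction is not described on the page.
import hashlib, hmac, os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the illustration

def _kdf(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=64)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def personalize(pin: str, private_key: bytes) -> dict:
    """Build the on-card record: salt, PIN-check value, wrapped key. No PIN."""
    salt = os.urandom(16)
    k = _kdf(pin, salt)
    enc_key, mac_key = k[:32], k[32:]
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, nonce, len(private_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    check = hmac.new(mac_key, b"pin-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check, "nonce": nonce, "ct": ct, "tag": tag}

def unlock(card: dict, pin: str) -> Optional[bytes]:
    """Return the private key if the PIN is right, else None (card stays locked)."""
    k = _kdf(pin, card["salt"])
    enc_key, mac_key = k[:32], k[32:]
    check = hmac.new(mac_key, b"pin-check", hashlib.sha256).digest()
    if not hmac.compare_digest(check, card["check"]):
        return None  # wrong PIN: nothing is decrypted
    tag = hmac.new(mac_key, card["nonce"] + card["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, card["tag"]):
        return None  # wrapped key was tampered with
    return bytes(a ^ b for a, b in zip(card["ct"], _keystream(enc_key, card["nonce"], len(card["ct"]))))
```

A real token would also enforce a retry counter before calling `unlock`, which this illustration leaves out.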
Rosetta Series II and Series III smart card and USB security devices are based on a versatile, algorithm-agile platform that supports secure storage of private keys and certificates and the following cryptographic functions on the device:
Anti-Tearing File Management: This feature prevents inappropriate termination of a management transaction on the card due to early removal from the reader or power loss. Upon the next use of the card the transaction is completed. This can be viewed as a “fail-safe” mechanism.
Data Firewalling: This provides the ability to separate one user’s data from another.
Dynamic Memory Allocation: The SPYCOS File Allocation Table file system ensures that data files do not need contiguous sectors and that deleted file space can be reclaimed and reallocated as needed. This provides the ability to add and remove multiple certificates as required.
High Storage Capacity: Designed to hold more than 20 X.509 version 3 certificates, depending upon certificate size and EEPROM.
Secure PIN-Based Key Protection: Multiple-level PIN protection for keys and data stored on the card.
Secure Firmware Update: This allows additional features to be added to the token, or conversely, features to be removed from the token. The firmware update is validated by the security device prior to acceptance.
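The anti-tearing behaviour described above (a torn transaction is completed on the card's next use) can be modelled with a commit journal. The following is an added illustration, not SPYCOS code: the journal slot, file dictionary and simulated power-loss points are all constructed for the example.

```python
# Added illustration (not SPYCOS code): anti-tearing via a commit journal.
# The whole transaction is written to a journal slot first, then applied to
# the data files. If power is lost after the journal write (or part-way
# through applying it), the journal is still pending and is replayed on the
# next power-up, so an update is never left half-written.
class PowerLoss(Exception):
    pass

class Card:
    def __init__(self):
        # Simulated EEPROM: file contents plus a single journal slot.
        self.nvm = {"files": {}, "journal": None}

    def power_on(self):
        # Next use of the card: finish any transaction interrupted before commit.
        j = self.nvm["journal"]
        if j is not None and j["state"] == "pending":
            self._apply(j["writes"])  # idempotent, so replay is safe
            self.nvm["journal"] = None

    def write_files(self, writes: dict, tear_at=None):
        # tear_at: None, "after_journal" or "mid_apply" (simulated power loss).
        # Step 1: persist the intent as one slot write (assumed atomic here).
        self.nvm["journal"] = {"state": "pending", "writes": dict(writes)}
        if tear_at == "after_journal":
            raise PowerLoss("card removed from reader")
        # Step 2: apply the writes, then clear the journal to commit.
        self._apply(writes, stop_after=1 if tear_at == "mid_apply" else None)
        self.nvm["journal"] = None

    def _apply(self, writes: dict, stop_after=None):
        for i, (name, data) in enumerate(writes.items()):
            if data is None:
                self.nvm["files"].pop(name, None)  # None means delete the file
            else:
                self.nvm["files"][name] = data
            if stop_after is not None and i + 1 == stop_after:
                raise PowerLoss("power lost mid-transaction")

    def read(self, name):
        return self.nvm["files"].get(name)

def torn_update_recovers() -> bool:
    """Tear a two-file update mid-apply and check the next power-up completes it."""
    card = Card()
    card.write_files({"cert1": b"OLD"})
    try:
        card.write_files({"cert1": b"NEW", "cert2": b"C2"}, tear_at="mid_apply")
    except PowerLoss:
        pass
    torn = card.read("cert1") == b"NEW" and card.read("cert2") is None
    card.power_on()
    return torn and card.read("cert2") == b"C2" and card.nvm["journal"] is None
```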