In an ever-connected world with devices, apps and even things (IoT) on the internet, code signing plays an increasingly important role in ensuring the integrity, authenticity
The CSG service manages a pool of HSMs to provide a resilient and highly available code signing service, while also exposing a simple-to-use API for consuming various other cryptographic services. CSG supports both RSA and ECDSA signing. Code signing services are consumed either directly through the CSG’s API (Java, C++, .NET and RESTful) or through a CSG extension. CSG extensions provide additional
Endorsed signing is a unique CSG feature tailored to the code-signing market. CSG’s endorsed signing feature gives you the secure
CSG's managed encryption technology addresses a common crypto headache - ensuring encrypted data can be safely decrypted at a later date, even if the original key has been replaced. This technique is ideally suited for long-term storage of encrypted data within a business database, for example. Managed encryption is an optional feature that can be made available to any application using CSG.
Managed encryption provides confidentiality, authenticity
Tokenization is a common technique for protecting sensitive data, such as PANs, as they pass through business systems. The original data is replaced with a token of the same length, using a reversible process.
CSG offers tokenization as a basic crypto function available to any application. The tokenization process is customizable and can allow parts of the data to pass through unchanged (e.g. the last four digits of the PAN). A configurable mixture of format-preserving encryption and database storage is used to produce the token values.
For those concerned with PCI-DSS, tokenization may provide a way to bring systems out of scope for audits. For more information on PCI-DSS compliance with CSG, please refer to the PCI-DSS topic paper.
CSG’s API exposes the ability to perform financial operations such as those required for PIN Management.
The API allows applications to verify PINs (including PINs encrypted under DUKPT) and to calculate new PIN offsets to facilitate PIN change operations. Also included are functions for secure PIN translation, the process of changing the key that encrypts a PIN. This operation is commonly needed in payment systems, where the PIN must travel through different systems that use different zone keys. The PIN translation functions support a variety of standard PIN block formats.
CSG supports PIN functionality using our secure code execution (SCE) technology, a vendor-neutral approach to executing code within an HSM. This approach ensures that all calculations are performed inside the HSM, so no intermediate results or PIN data are ever exposed in plaintext outside the HSM.
There is a limit to how much data can be encrypted using an RSA public key – no more than the length of the key itself. For example, a 2048-bit RSA key cannot encrypt more than 2048 bits (256 bytes). To encrypt larger amounts of data, the typical solution is to use a random symmetric session key to encrypt the data. The public key of the recipient is then used to encrypt the session key. This is known as hybrid encryption.
CSG supports hybrid encryption as a single command, removing the need to code support for this into each application. The policy file defines the type of session key to generate (e.g. AES or Triple-DES) and the mode of encryption.
EMV is the payment specification used across the world to process credit and debit card transactions. EMV payment cards contain a secure chip holding a collection of cryptographic keys. These keys are used during a transaction to create a secure cryptogram which is sent back to the corresponding bank/processor for authorization.
CSG’s APIs provide support for EMV transaction authorization (ARQC/ARPC) through either specialized payment HSMs or our vendor-neutral secure code execution (SCE) technology. Other related functionality that CSG supports includes EMV issuer scripting (for PIN change) and dynamic CVC/CVV verification.
Transitioning to the cloud entails addressing challenges related to digital asset protection, including compliance with complex privacy laws, maintaining control over data and encryption keys, and managing risks from shared infrastructure and potential insider threats. Addressing these demands a comprehensive approach to cloud security that incorporates customized security measures and focuses on securing encryption keys, which is especially crucial given the uncertain trust levels of a cloud environment.
The Enclave Security Module (ESM) integrates with Cryptomathic's Crypto Service Gateway (CSG) platform as an accessible cryptographic resource, similar to traditional Hardware Security Modules (HSMs). The CSG nodes are positioned within an AWS EC2 instance, acting as a link to the ESM within the AWS Nitro Enclave. Depending on your compliance and security needs, the key management system safeguarding your cryptographic keys can be set up either on-premises or in the cloud, offering a flexible, secure, and compliant key management solution tailored to your specific requirements.
At the leading edge of security provision within its key markets, Cryptomathic closely supports its global customer base with many multinationals as longstanding clients.