Qualified protection for Corporate and State Digital Certification.
SECURE DIGITAL CERTIFICATION
A public key infrastructure (PKI) underpins the security of many applications by authenticating identities (users, devices and systems) when they carry out transactions, are granted access or produce digital signatures. All of the security that cryptographic keys provide depends on how well the keys themselves are protected.
Any weakness that allows keys in this infrastructure to be misused can compromise the authenticity, integrity and confidentiality of the information and applications they protect.
With proven expertise in high-performance cryptographic technologies for digital certification, Kryptus offers complete solutions to support the creation and operation of a country's official public key infrastructure, as well as those of private institutions, public bodies and defense agencies.
GUARANTEE A SECURE INFRASTRUCTURE FOR THE ISSUANCE AND STORAGE OF DIGITAL CERTIFICATES AT NATIONAL SCALE, COVERING GOVERNMENT AND PRIVATE ENTITIES.
Kryptus runs projects to implement national public key infrastructures, covering the Root Certificate Authority and its entire ecosystem of certification, registration and time stamp authorities. Delivered as a turn-key solution to countries around the world, these services include architecture planning and security regulations, the supply of equipment and system licenses, process design and the training needed to bring the infrastructure into operation, as was done for ICP-Brasil.
In some countries, depending on the assurance level of the certificates the PKI issues, the keys must be generated inside a cryptographic device holding an international certification such as FIPS 140-2, which the Kryptus kNET HSM already holds.
USE DIGITAL CERTIFICATES IN ALL CORPORATE APPLICATIONS WITHOUT LIMITATION AND WITH TOTAL CONTROL AND SECURITY.
For institutions that want to cut costs by issuing a large volume of digital certificates for their internal services, such as TLS communication, intranet, extranet, SSH and VPN, Kryptus offers consulting and the most suitable security technologies for building their own internal Certificate Authority.
Drawing on its experienced PKI professionals, Kryptus can also help define Certificate Policies, Certification Practice Statements and Security Policies.
ADD INDISPUTABLE LEGAL VALUE TO DIGITAL SIGNATURES WITH DATE AND TIME SYNCHRONIZED TO OFFICIAL SOURCES.
A time stamp associated with a digital signature establishes evidence of the instant at which a document was signed, generated or copied. Issued by an approved and homologated Time Stamp Authority (TSA) that is synchronized with a reliable time source and auditable by the PKI's certifying entities, the time stamp provides indisputable legal value (non-repudiation) of precedence and authenticity.
Kryptus offers complete time stamp solutions comprising the Time Audit Server, Kryptus TAS, and the Time Stamp Server, Kryptus TSS, providing management of, and interoperability between, time audit entities (EATs) and time stamp authorities (ACTs).
Kryptus is the market leader in encryption and cybersecurity solutions for digital certification in Brazil.
Among the technologies Kryptus provides, the kNET HSM stands out: it is the cryptographic security module used by more than 50% of ICP-Brasil's Certificate Authorities. The time stamp solutions Kryptus TAS and Kryptus TSS complete the portfolio.
• Centralized key generation and storage
• Centralized certificates management
• FIPS 140-2 Level 3 (EFP/EFT) Certification
• Approved by ICP Brasil MCT7 NSH3
• High Availability and Performance
PRIVATE KEY PROTECTION
KEEP YOUR KEYS PROTECTED WITH MAXIMUM SECURITY.
Private keys, required to decrypt information and to produce digital signatures in the services built on a public key infrastructure, must be kept in a secure environment free from unauthorized access. If a private key is compromised, every system and service that relies on it becomes vulnerable.
For secure key storage we recommend dedicated cryptographic devices such as the Kryptus kNET HSM, which can be integrated on-premises or in the cloud (Cloud HSM).
Applications reach keys held in the HSM through standard cryptographic APIs such as KMIP, Java JCA/JCE, PKCS#11 and the OpenSSL Engine interface. For a PKI, however, organizations also need software dedicated to the full certificate life cycle (issuance, validation and revocation) as well as Registration Authority (RA) functions.
Kryptus offers a certificate manager based on EJBCA Community Edition that covers all of these functions, giving complete control over the certificate life cycle.
Advantages of the Certificates Vault
Smart cards and tokens can store cryptographic keys, but the high risk of loss and misuse of these devices leads companies that must manage them at scale to deploy a Certificates Vault in an HSM instead, for the higher level of security it provides:
• Centralized key storage;
• Access to certificates through the company’s own portal for all employees;
• Strong access control with two-factor authentication (TOTP or HOTP);
• Audit trail with complete record of who used the digital certificate and when.
EXPLORE TIME STAMPING WITH SIMPLIFIED, COMPLIANT MANAGEMENT.
Kryptus TAS is Kryptus' Time Audit Server, used by the Root Certificate Authority to manage the time source, the time stamp network and the storage of audit trails. The kNET HSM cryptographic security module completes the solution, protecting the Kryptus TAS cryptographic keys.
For ACTs, Kryptus offers Kryptus TSS, the Time Stamp Server, with all time stamp issuing and management functions. It likewise relies on the kNET HSM to protect the Kryptus TSS cryptographic keys and to log all synchronization data and time stamp signatures.
Several private keys and certificates are involved in the time stamp process: the key inside the HSM that signs the time stamps, the TLS credentials for connections from users, the TLS connection to Kryptus TAS and the TLS connection used for PTP (the audit and synchronization communication protocol). To simplify managing them all, Kryptus systems offer a web interface as well as programmatic APIs for custom development.
All Kryptus time stamp solutions comply with the new standards of ITI, the Brazilian National Institute of Information Technology.
In compliance with ICP-Brasil standards
Kryptus TAS and Kryptus TSS
• Integration with external management systems
• Administration web portal
• kNET HSM for secure key storage and signing (time stamps and permits)
• High performance
• Email Alerts
• Automatic forwarding of logs via Syslog
• Logs available for download
TIME STAMP FLOW IN ICP-BRASIL
When a document is signed at the client workstation, the user's system computes a hash of the document and sends it to the time stamp server (Kryptus TSS). The server receives the request, attests that the hash existed at that moment and generates the time stamp: a signed token certifying that the user's document existed on that date and at that time. The private key, certificate and signing operation are protected by cryptographic security modules (kNET HSM) that also sit inside the ACT. A single ACT can operate multiple Time Stamp Servers.
To ensure that ACTs issue time stamps with the correct time, there is a synchronization and audit system (Kryptus TAS). It synchronizes the server clock kept by ITI with a reliable time source (the National Observatory) and, once it holds the correct current time, contacts Kryptus TSS to audit its clock and resynchronize it if necessary. Once the clock is synchronized, Kryptus TAS issues a permit authorizing Kryptus TSS to operate and issue time stamps for a specified period. The permit is a document digitally signed with a Kryptus TAS private key, which is securely stored in a cluster of kNET HSMs inside the Root CA.
As an additional safeguard, Kryptus TSS records every time stamp in a log that can be audited by Kryptus TAS or any other entity but never edited. Any attempt to tamper with the log, for example to disguise a clock change, is exposed by the Kryptus TSS cryptographic engine.
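The three paragraphs above describe a protocol: the client sends a hash, the TSS signs it with the current time only while a TAS-signed permit covers that instant, and every issued stamp goes into a tamper-evident log that the TAS can replay. The following Go program is an added example written for this page; it is not Kryptus code and it does not reproduce the ICP-Brasil permit, PTP or RFC 3161 wire formats. Its assumptions: Ed25519 software keys stand in for the keys that the kNET HSM would hold for the TAS and the TSS; the `Permit`, `Token` and `LogEntry` layouts are hypothetical; the log is a SHA-256 hash chain; and `Stamp` takes the current time as a parameter so that clock drift and permit expiry can be exercised offline (a production server would read its audited clock instead).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Permit: TAS-signed authorization for one TSS key to issue stamps in [NotBefore, NotAfter]. Hypothetical layout.
type Permit struct {
	TSSPub              ed25519.PublicKey
	NotBefore, NotAfter time.Time
	Sig                 []byte
}
func permitBytes(pub ed25519.PublicKey, nb, na time.Time) []byte {
	// RFC 3339 in UTC is fixed-width, so the fields cannot be shifted into one another.
	s := "permit|" + nb.UTC().Format(time.RFC3339) + "|" + na.UTC().Format(time.RFC3339) + "|"
	return append([]byte(s), pub...)
}

// IssuePermit is the TAS side (key in the Root CA's HSM cluster in production), run after auditing the TSS clock.
func IssuePermit(tasPriv ed25519.PrivateKey, tssPub ed25519.PublicKey, from time.Time, d time.Duration) Permit {
	na := from.Add(d)
	return Permit{tssPub, from, na, ed25519.Sign(tasPriv, permitBytes(tssPub, from, na))}
}

// Token is the time stamp: the TSS signature binds the document hash to the issuing time.
type Token struct {
	Hash [32]byte
	Time time.Time
	Sig  []byte
}
func tokenBytes(t Token) []byte {
	return append([]byte("tst|"+t.Time.UTC().Format(time.RFC3339)+"|"), t.Hash[:]...)
}

// LogEntry chains each issued token to its predecessor so that any edit breaks the chain.
type LogEntry struct {
	Prev   [32]byte // digest of the previous entry (zero for the first)
	Token  Token
	Digest [32]byte // SHA-256(Prev || tokenBytes || Sig)
}
func entryDigest(prev [32]byte, t Token) [32]byte {
	return sha256.Sum256(append(append(prev[:], tokenBytes(t)...), t.Sig...))
}

// TSS models the Time Stamp Server; in production its key lives in the ACT's kNET HSM.
type TSS struct {
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey
	TASPub ed25519.PublicKey
	Permit Permit // installed after the TAS audit; checked on every Stamp call
	Log    []LogEntry
}
func NewTSS(tasPub ed25519.PublicKey) *TSS {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &TSS{priv: priv, Pub: pub, TASPub: tasPub}
}

// Stamp signs a document hash (the client station sends only the hash, never the document) at time now,
// refusing unless a genuine TAS permit for this key covers now. now is a parameter so expiry can be exercised.
func (s *TSS) Stamp(hash [32]byte, now time.Time) (Token, error) {
	p := s.Permit
	if !p.TSSPub.Equal(s.Pub) || !ed25519.Verify(s.TASPub, permitBytes(p.TSSPub, p.NotBefore, p.NotAfter), p.Sig) {
		return Token{}, errors.New("no TAS permit signed for this TSS key")
	}
	now = now.Truncate(time.Second) // the signed time has one-second resolution
	if now.Before(p.NotBefore) || now.After(p.NotAfter) {
		return Token{}, errors.New("permit does not cover the current time; await TAS audit")
	}
	tok := Token{Hash: hash, Time: now}
	tok.Sig = ed25519.Sign(s.priv, tokenBytes(tok))
	var prev [32]byte
	if n := len(s.Log); n > 0 {
		prev = s.Log[n-1].Digest
	}
	s.Log = append(s.Log, LogEntry{prev, tok, entryDigest(prev, tok)})
	return tok, nil
}

// VerifyToken is the relying-party check: the token covers this hash and carries a valid TSS signature.
func VerifyToken(tssPub ed25519.PublicKey, hash [32]byte, tok Token) bool {
	return tok.Hash == hash && ed25519.Verify(tssPub, tokenBytes(tok), tok.Sig)
}

// AuditLog replays the chain as the TAS would; returns the first bad entry's index, or -1 if intact.
func AuditLog(tssPub ed25519.PublicKey, log []LogEntry) int {
	var prev [32]byte
	for i, e := range log {
		if e.Prev != prev || e.Digest != entryDigest(prev, e.Token) || !ed25519.Verify(tssPub, tokenBytes(e.Token), e.Token.Sig) {
			return i
		}
		prev = e.Digest
	}
	return -1
}
```

Two properties worth noticing. A permit signed by any key other than the TAS, or issued for a different TSS key, is refused before the clock window is even consulted, so a compromised TSS host cannot grant itself operating time. And because each log entry's digest covers the previous digest as well as the token and its signature, editing the stored time of an old stamp (to make a later clock change look consistent) changes that entry's digest and breaks the link to every entry after it, which `AuditLog` reports by index.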
The composition of the solution is flexible: several SCTs (time stamp servers) can share one HSM to issue time stamps, a single Time Stamp Server can use a cluster of paired HSMs for high availability, and several SAS (audit and synchronization systems) can audit the same Time Stamp Server.
The protocol used for auditing and synchronization between Kryptus TAS and Kryptus TSS is open, so any interested company can build a Time Stamp Server, have it homologated, and know that it will interoperate with ITI's SAS, a measure that stimulates competition in the market.