
ViPNet HSM (Hardware Security Module)

Product
Developers: Infotecs
Last Release Date: 2023/03/29
Technology: Information Security - Encryption Tools


Main article: Cryptography

ViPNet Hardware Security Module (ViPNet HSM) is a hardware and software platform for cryptographic protection of applied electronic services. ViPNet HSM maintains the full life cycle of cryptographic keys and performs electronic signature and encryption operations (GOST 28147-89, GOST R 34.10-2001/2012).

2023: ViPNet HSM version 3.3 compatibility with Payment Gateway

InfoTeCS and Compass Plus announced the completion of compatibility testing of the ViPNet HSM version 3.3 cryptographic module with the ACS solution for 3DS authentication of online payments and the Payment Gateway solution for processing e-commerce transactions. Information on the compatibility of current versions of the cryptographic module and software products is included in the documentation available to Compass Plus customers. This was reported by representatives of InfoTeCS on March 29, 2023.


ViPNet HSM is a universal cryptographic module that provides a PKCS #11 interface for embedding. The module implements enhanced security measures to comply with the requirements for cryptographic information protection tools (CIPF) and electronic signature tools of the KV and KV2 security classes. ViPNet HSM can also be used as a platform for developing cryptographic services; the ViPNet PKI Service electronic signature server has been developed on its basis.

Compass Plus's ACS and Payment Gateway solutions are designed for processing, authorization and authentication of online payments from any digital device. Compass Plus products are designed in accordance with current payment security industry standards, which allows cardholders to make online purchases safely at any time, and financial institutions to improve the quality of customer service, reducing the risk of false declines and increasing the security level of transactions. With a wide range of full-featured, well-structured and documented APIs, ACS and Payment Gateway can be quickly and easily integrated with many card management and merchant acquiring systems.

"ViPNet HSM compatibility testing with ACS and Payment Gateway has once again demonstrated the reliability, flexibility and adaptability of Compass Plus software products. By supporting the updated HSM from InfoTeCS, the company can now recommend to Russian customers a proven cryptographic module from a domestic producer, in no way inferior to foreign counterparts. The implementation of this project is important for a company interested not only in developing the business of its customers, but also in payment security in Russia,"
commented Olga Bogdanova, director of the business support department of Compass Plus, on the joint project.

"InfoTeCS supports customer-relevant functionality in ViPNet HSM. The results of the tests showed that domestic HSM cryptographic modules can be used as security modules in those use cases where foreign-made HSMs were traditionally used. InfoTeCS and Compass Plus have been technological partners for several years; joint work brings closer the prospect of import substitution of HSM and will be in demand by Compass Plus customers,"
noted Dmitry Gusev, Deputy General Director of InfoTeCS.

2017

Use Cases

Payment systems: ensuring the security of financial transactions in national and international payment card systems, including MasterCard, MIR and Visa. ViPNet HSM integrates as a cryptographic information protection tool (CIPF) with banking systems that perform the following operations (as of February 2017):

  • Processing of bank transactions in a mode compatible with the protocols of domestic and international payment systems.
  • Support for the issue of bank cards, and generation and printing of PIN codes.
  • Implementation of payment systems certification authority functions.
  • Support for the international EMV standard for bank card transactions, including with built-in domestic crypto algorithms GOST R 34.10-2001/2012.
  • Working with the main domestic and international payment applications of terminal equipment (M/Chip, VSDC).

Certification authority: extending the validity period of electronic signature keys and root certificates through compliance with the requirements for longer storage, and reducing the risk of key compromise. Namely:

  • Creating and storing certification authority administrator keys in the ViPNet HSM sandbox.
  • Electronic signature generation and verification as per GOST R 34.10-2001/2012, data hashing as per GOST R 34.11-94/2012.
  • Interaction with timestamp servers (TSP) and certificate status check servers (OCSP).

Cloud electronic signature service: reducing the cost of deploying a public key infrastructure (PKI).

TLS gateway: high-performance data protection when users work with web services:

  • Establish and maintain TLS connections between users and the web server.
  • Secure communication between the user and the web server on the Internet.

Benefits of ViPNet HSM

  • Protection against unauthorized physical access to stored data, provided by sensors that monitor opening of the case and changes in the physical parameters of the platform (temperature, power).
  • Cryptographic key generation using a built-in physical random number generator.
  • Guaranteed integrity of platform settings through a role-based model that separates administrator rights (quorum) and secret sharing according to the Shamir scheme.
  • Up to 35,000 e-signature operations per second.
  • The ability to use the platform by embedding third-party applications and services in ViPNet HSM.

Features of ViPNet HSM:

  • Writes significant events to the system log.
  • Web interface for remote administration over a secure channel and a touch screen for local configuration.
  • PKCS #11 interface for application services.
  • Support for working with application services running on Windows and Linux.

Certification by the FSB of Russia

An extract was received from the positive conclusion of the FSB of Russia on the compliance of the ViPNet HSM hardware and software complex (version 1) with the following documents:

  • "Requirements for means of cryptographic protection of information designed to protect information that does not contain information constituting a state secret", for class KV;
  • "Special requirements for encryption (cryptographic) means designed to protect information that does not contain information constituting a state secret and operated in the territory of the Russian Federation", for level KV;
  • "Requirements for electronic signature means" established for class KV2, provided that the Rules of Use FRKYe.00127-01 99 01 PP are fulfilled.

The ViPNet HSM hardware and software complex (version 1) may be operated until 31.10.2021.

At the request of ViPNet services, HSM provides the following cryptographic functions:

  • Creation of encryption keys (GOST 28147-89).
  • Data encryption and message authentication (imitation protection) (GOST 28147-89).
  • Creation of electronic signature keys and electronic signature verification keys (GOST R 34.10-2001 or GOST R 34.10-2012).
  • Electronic signature generation and verification (GOST R 34.10-2001 or GOST R 34.10-2012).
  • Data hashing (GOST R 34.11-94 or GOST R 34.11-2012).
  • Implementation of secure connections using TLS version 1.2.
  • Creating keys based on the Diffie-Hellman protocol (VKO_GOSTR3410_2012_256 and VKO_GOSTR3410_2012_512).
  • Data integrity monitoring (HMAC_GOSTR3411_2012_256 and HMAC_GOSTR3411_2012_512).
  • Secure Session Key Export and Import (RFC 4357).

(data current as of February 2017)