
Entrust nShield User Manual

Entrust nShield
90 pages
7.9.1. Installing the nShield JCA/JCE CSP
Security configuration guidance for using unlimited strength JCE jurisdiction policy files,
and for the correct preference order for nShield in the Java security configuration file, is
provided in situ in the User Guide. See Installing the nShield JCA/JCE CSP in the User
Guide for your HSM for details.
7.10. nShield PKCS #11 library
7.10.1. Symmetric encryption
The nShield PKCS #11 library can use the nShield HSM to perform symmetric encryption
with the following algorithms:
DES
Triple DES
AES.
Because of limitations on throughput, these operations can be slower on the nShield
HSM than on the host computer. However, although the nShield HSM may be slower than
the host under a light load, you may find that under a heavy load the advantage gained
from off-loading the symmetric cryptography (which frees the host CPU for other tasks)
means that you achieve better overall performance.
Performing symmetric encryption on the host increases the threat of key compromise, as
the security protection provided by the host will be less than that provided by the nShield HSM.
Additionally, there may be a lack of key lifecycle management of the application keys on
the host.
For these reasons we recommend performing symmetric operations on the nShield HSM.
If symmetric encryption is performed on the host, technical and procedural access
controls should be deployed to protect the host, in order to mitigate the higher threat of
key compromise.
7.10.2. PKCS #11 library with Security Assurance Mechanism
It is possible for an application to use the PKCS #11 API in ways that do not necessarily
provide the expected security benefits, or which might introduce additional weaknesses.
The PKCS #11 library with the Security Assurance Mechanism (SAM), libcknfast, can help
users to identify potential weaknesses, and help developers create secure PKCS #11
applications more easily.
The SAM in the PKCS #11 library is intended to detect operations that reveal questionable
nShield® Security Manual 54 of 90
