E-Business, Digital Certification, Hardware Security Modules

Digital signatures make it possible to trust and act upon electronic transactions as if they were printed on paper and signed by a trusted business partner. The digital signature is one of the corner stones of e-Security and vital for e-Business.

Forte provides solutions, including several applications, which allow customers to reduce the complexity and improve the usability of their legacy system.

Forte Makes It Easier

The use of digital signatures should be as easy and simple as possible. In addition to the core applications, the trust product family also includes solutions for central key management and mobile digital signatures. Not only do these solutions simplify deployment and management, they also make digital signatures mobile and easier to use.

A Trust Community

Any large-scale use of digital signatures takes place within a trust community called a Public Key Infrastructure (PKI). Reliable authentication in an open environment (Internet) is unthinkable without these almost invisible, yet indispensable communities.

Forte's Approach

The solutions provided by Forte are designed to enable your business to handle digital signatures, both on the infrastructure and application level.

The family of trust products includes all the applications needed to set up and maintain a strong e-Security platform. The applications complement each other and form a professional suite, but they can also be deployed individually or customized to fit into an existing infrastructure.

With Forte's trust solutions, you can include the benefits of digital signatures and reliable authentication in a business application for internal or external use and offer trust services as a service provider.


In the PKI realm, Certificate Authority (CA) and the identity assertions issued by the CA are contained in the certificates. Certificates are electronic files that contain information about the holder of the certificate. A certificate might contain several data, such as personal information (name, address, etc); public key of the certificate holder; information about the CA; and administrative items like the type of certificate and certificate expiration date.

Certificate Authorities and Trust

When a CA issues a certificate, the CA's private key is used to sign the certificate so people can trust the right CA and be sure of the certificate's origins. Therefore, the CA must possess a certificate containing its public key to identify itself and permit the verification of other certificates that it has signed. Because of this requirement, the CA is in a unique position - it is responsible for signing its own certificate. In effect, the CA's identity is entirely derived by the sole fact that it is who it says it is, through a process called self-signing. Because the CA's private key signs its own certificate (during the self-signing procedure) and every other certificate it issues, if the CA's private key fell into the wrong hands, every certificate ever issued by that CA using that private key could no longer be trusted.

The Root Key

Because the CA's private key is the anchor to the trustworthiness of all certificates within a PKI, it is called the root key, owing its name to the fact that it is the root of trust for all the identities (certificates) in the PKI. A compromise of the root key means that the network of trust inherent within a stable PKI has collapsed.

Root CAs and Subordinate CAs

A PKI may contain several CAs to distribute the traffic load, or bring the certificate signing CA closer to the point of issuance. In this case, the CAs are usually arranged in a hierarchy, with a root CA holding the root key at the top, and one or more subordinate CAs below it. Each subordinate CA contains a unique private key, but this is not the root key. The subordinate CA's identity is established with a certificate derived from the subordinate CA's public/private key, signed by the root CA's private key. When subordinate CAs issue certificates, they sign the certificate with their own private key. The recipient of the certificate can verify the authenticity of the subordinate CA by checking the validity of the subordinate CA's certificate. While not holding the root key, the subordinate CA's private key still must be protected with the same precautions as the root key. If a subordinate CA's private key were compromised, the loss of trust within the PKI would be devastating.

Because of the importance of the root key and the subordinate CAs' private keys to the operation of a PKI, they should be protected with the best available physical, technological, and operational security. Hardware Security Modules (HSMs) address these additional security requirements with secure hardware to generate, store, and manage sensitive private keys.


A Hardware Security Module (HSM) is a dedicated hardware device that works in conjunction with a host CA server to provide a secure hardware storage location for the CA's root key or subordinate CAs' private keys. It is separately managed and stored outside of the operating system software.

Why an HSM is Important

As certificates become essential components in electronic business transactions, the need to maintain the integrity of those certificates, and the PKI as a whole, will increase. If a CA's root key is compromised, the credibility of financial transactions, business processes, and intricate access control systems is adversely affected.

Experience has shown that in order to secure a PKI and maintain the integrity of the certificates, extraordinary caution should be taken to protect the root key. For example, the storage of high value root keys should utilize specialized hardware that is dedicated to preventing theft, tampering, and access to the secret key material.

A full-scale deployment of the PKI application, such as in a smart card access control application, secure e-mail, or Secure Sockets Layer (SSL) Web services used by thousands of employees or customers, may represent a significant capital investment for an organization. Therefore, the investment in a reliable, secure HSM should be considered a core component due to all the associated processes, hardware, training, and operational costs relying on the foundation provided by a PKI.

HSM protects PKI deployments with widely recognized best practices that provide a number of specific security benefits:

  • FIPS 140-1 and FIPS 140-2 validation
  • Hardware-secured key generation
  • Hardware-secured key storage
  • Hardware-secured key backup
  • Hardware-secured digital signing
  • PKI-authenticated software updates
  • Controlled physical access
  • Host-independent, two-factor authentication
  • Enforced operational roles
  • Independent audit
Our methods in securing CA's root keys (M of N)

M of N keys provide additional security by requiring a predefined number of people (M) out of a group of people (N) to be present before the private key stored on the secure cryptographic token can be accessed, thus decreasing the risk of collusion between operators even further. M of N significantly increases access security for your token, but the logistical and operational requirements increase accordingly. M of N key-splitting prevents unilateral actions. The exploitation of the HSM when split-keys are used requires collusion between multiple people, greatly reducing the risk of insider attacks from rogue administrators. Our methods can work integrated with the most reputable CAs.

Our methods in accelerating digital signing

Forte's solution is a scalable hardware security module for high-performance digital signing of e-business transactions in a FIPS 140-1 and 140-2 level 3-validated solution. The product operates in conjunction with CA root key protection systems leveraging ultimate private key integrity for high-volume digital signing applications such as OCSP responders, digital signature validation, remote access authentication and transaction coordinators.

The product devices provide load balancing support to existing CA deployments for unparalleled PKI system scalability, while maintaining the same level of trust that a CA has established worldwide. Its signing devices allow you to add signature processing throughput as needed, while leveraging your existing CA security hardware investment.

Our methods in accelerating SSL applications

Forte provides a high-performance hardware-secured SSL accelerator solution that delivers on the promise of e-business and enables Ultimate Trust™. It offloads the computationally-expensive operations of SSL authentication from the SSL server, overcoming performance bottlenecks. Forte's solution offloads cryptographic processing to deliver faster server response time, increased server throughput and improved server stability. It also maintains digital keys only within the hardware module so that private keys are never accessible from the server.

Trusted Digital Identities

Whether the online identity application uses digital certificates or smart cards and USB tokens for individuals, or is a device identity to uniquely identify computer equipment, our products ensure that the critical encryption keys that underpin these identities are always protected in the hardware. Our products are deployed extensively to provide secure issuance and authentication for:

  • Web services
  • Secure e-mail
  • Digital certificates
  • Device identification (Personal Computers, Servers)
  • Regulatory requirements like those from HIPAA and Identrus
Trusted Digital Data

Like traditional signatures on paper-based transactions, digital signatures allow you to 'sign' electronic documents and add integrity to the signed documents. Digital signatures rely on the secure storage and management of unique cryptographic keys to ensure the validity of signatures. Unlike software-only solutions, our products store digital signature keys and perform signing operations within a cryptographic hardware token for security.

Trusted Digital Transactions

Forte provides hardware solutions that are used in a variety of electronic transaction applications to ensure high performance with the highest levels of security for authentication:

  • Web services
  • 3-D Secure
  • Payment processing systems
  • Time-stamping
  • Online Certificate Status Protocol Responders
  • Transaction coordinators

EMV HSMs are commonly used within electronic payment processing systems to deliver PIN encryption and verification within the electronic payment processing system, card validation, chip card and stored value card issuing and processing, message authentication, plus symmetric key management.

Forte provides HSMs that deliver unmatched cryptographic processing of Electronic Funds Transfer (EFT) host functions and comprehensive key management. Forte's HSMs ensure secure payment processing, card issuance and online banking functionality to meet the needs of payment processors, card issuers, merchants and e-payment solution providers worldwide.

Forte's HSMs specifically meet the needs of payment processors, card issuers, merchants and e-payment solution providers to adhere to American Express, JCB, EMV, MasterCard and Visa security standards.


A Registration Authority (RA) is an optional component that can be used to 'offload' many of the administrative functions that a CA would have to assume in the absence of a RA. As stated earlier, the RA is normally associated with the end entity registration process. This would include the verification of the identity of the end entity attempting to register with the PKI. However, the RA can perform a number of other functions, including:

  • Validating the attributes of the subject who is requesting the certificate
  • Verifying that the subject has possession of the private key being registered (known as 'proof of possession')
  • Generating shared secrets to support the initialization and certification process
  • Generating public/private key pair
  • Conducting interactions with the CA (or several CAs) as an intermediary of the end entity, including key compromise notifications and key recovery requests
  • Validating parameter of public keys presented for registration
Smart Cards

There are numerous benefits to implementing PKI enabled smart cards as identity management architecture. Non-repudiation, which can be achieved by using digital signatures, is a combination of integrity and authentication that can be proven to a third party. The relative strength of digital signatures, as well as the strength of the underlying asymmetric cryptography, relies on the access control procedures established and enforced over the private key.

  • Smart cards provide an easy-to-use, familiar, portable form factor to securely store an individual's private signature key. Security related to removable media protecting the location of the private key is increased. A significant benefit from this is the ability for an individual to utilize his/her smart card at various terminal locations (e.g., login to numerous PCs at various locations).
  • Smart cards provide a tamper resistant security module in which to generate asymmetric key pairs, securely store private signature keys, and generate digital signatures. Security related to physical access controls over the private key is increased.
  • Smart cards can provide local authentication (e.g., PIN and biometric) of the individual to the card to activate the integrated circuit chip. Security related to logical access controls over the private key is increased.
USB Tokens

USB tokens eliminate reader technology concerns and offer superior implementation requirements; the security offered in credit-card sized smart cards and USB tokens is quite similar. Both can perform RSA operations, authenticate and encrypt, offering very high levels of security. The smart card's high security capabilities are anchored in its ability to perform sensitive operations inside the chip itself, thus providing a fully independent, secure environment. This is true in both the traditional smart cards and USB tokens.

Functionality and security levels are virtually identical in both forms, leaving the USB infrastructure as an overwhelmingly significant advantage for tokens.

Wherever a USB port exists, tokens can be quickly implemented. And tokens can be easily set up to supply secure log on, web access control for specific sites, as well as signing and encryption of e-mail.

The ability to use USB connectivity is especially significant for large-scale distribution of tokens, such as sizable e-commerce applications. By deploying readerless smart card technology, organizations can minimize cost, while providing simpler implementation and fewer headaches. Customers and users more readily accept USB tokens primarily because they utilize the USB port infrastructure already available - something not possible for traditional smart card readers.


A Validation Authority (VA) provides a universal clearing house for establishing the validity of a digital certificate. The VA represents a centralized store of aggregated CA published CRLs. It is possible for a VA to aggregate CRLs from one or more different CAs. This store of certificate status data is continuously available and accessible to PKI enabled applications via several standard real-time protocols. These protocols allow PKI applications to obtain the status of a specific certificate rather than the raw cumulative CRL periodically published by the CA. Thus the introduction of a VA addresses the scalability and access issues associated with CA certificate validation in PKI, as well as the audit requirements for secure transactions.

Validation Authority:

  • Manages risk by validating a party's identity and transaction-specific authorization
  • Reduces fraud and liability
  • Facilitates compliance with operating procedures that help make transactions legally-binding
Validation Protocols

A VA offers a server referred to as a 'Responder' to handle PKI client application requests for digital certificate status. The client may interact with the 'Responder' in several different ways such as Online Certificate Status Protocol (OCSP), VACRL protocol (CRL/CRL Deltas), Certificate Management Protocol (CMP) and Simple Certificate Validation Protocol (SCVP).