The StrongAuth KeyApplianceTM (SAKA), StrongKey's flagship product, has undergone a radical change in the 4.0 release. The SAKA 4.0 retains all the great features of the 3.0 release, but also adds significant new capability.
The SAKA KeyAppliance Module (KAM) is a collection of technologies designed to assist companies with addressing PCI DSS, 45 CFR 170.299 (k), 201 CMR 17.00, HB-1149, and similar regulations that require encryption of sensitive data.
It does this in the following manner:
Securely generating, storing, using and controlling access to cryptographic keys within the system using a Federal Information Processing Standards (FIPS)140-2 Level 2 (or above) certified cryptographic Hardware Security Module (HSM) or Trusted Platform Module (TPM). These devices are designed to erase cryptographic key material rather than give it up when they sense they are being attacked. Keys generated on these devices never leave the device unless encrypted using other cryptographic keys.
Using only one cryptographic algorithm—the Advanced Encryption System (AES)—with a choice of 128-, 192-, or 256-bit symmetric keys for the encryption and decryption of PANs or PII.
Using only one cryptographic algorithms for generating Hashed Message Authentication Codes (HMAC)—while providing a choice of key sizes for the HMAC: the HmacSHA256 algorithm—with a 256-bit cryptographic key, HmacSHA224, HmacSHA384 and HmacSHA512 for preserving the integrity of encrypted data (ciphertext) in the system.
Storing ciphertext on the appliance system—never allowing it to leave the SAKA—while returning the calculated HMAC or a configurable pseudo-number of the PAN or PII as a “token” to be used by applications as a unique identifier for the PAN/PII.
By choosing the strongest algorithm and cryptographic components recommended by PCI DSS and the US National Institute of Standards and Technology (NIST), and by localizing all cryptographic processing on the SAKA and by storing ciphertext on the appliance, the SAKA narrows the scope of the application system at risk, and consequently, the scope for the PCI DSS/201 CMR 17.00/HB-1149 audit.