Thales HSMs Help Secure Tunisia’s Digital Infrastructure
The Challenge: Help Tunisia Grow Their Digital Economy While Delivering Security to its Citizens
In 2015, the Tunisian government launched Digital Tunisia 2020, a plan designed to boost the nation’s digital economy by enriching online government services and electronic commerce. Fundamental to the success of the initiative was establishing Tunisia’s citizens’ trust and confidence in public and private online services and electronic transactions. The National Digital Certification Agency (NDCA), representing the nation’s highest level of trust for electronic transactions, embarked on the cornerstone project of Digital Tunisia 2020: re-engineering the national public key infrastructure (PKI) that underpins the security of digital transactions.
To succeed, the project would need a smooth and rapid transition from the existing PKI while also providing enhanced trust services once implemented. Additionally, the PKI would need to comply with new stringent regulations for digital certification.
The Solution: New PKI Secured By Thales HSMs
Modernizing Tunisia’s government PKI would require installing up-to-date, best available hardware and software to improve availability, reliability, and quality of services. To protect the root keys used in the PKI, the NDCA knew they needed a hardware-based solution, as processing sensitive key material in software-only solutions exposes it to risk.
NDCA Selects PrimeKey + Thales
For optimum function and security, the NDCA chose a solution that combined two crucial components: A new PKI from PrimeKey, and hardware security modules (HSMs) from Thales. Thales nShield HSMs would provide security for the PKI by hosting and protecting the private keys of the Certification Authorities (CAs) during the highly sensitive transactions.
The NDCA used two models of nShield HSMs to secure the PKI and protect transactions including the following:
- Authenticating electronic identities of citizens carrying out e-commerce transactions as well as businesses carrying out B2B and B2G transactions
- Securing online transactions including online tax payments and returns, electronic submission of customs and foreign trade declarations, electronic invoices, and e-banking services
- Validating companies responding to government Requests for Proposals using Tunisia’s online e-procurement system, TunEPS
- Creating signatures and authenticating information, such as biometric data and other personal identifying information (PII), stored on chips in documents including e-passports and eID cards
The nShield Edge, Thales’s USB-connected HSM, is used to generate and manage keys for the offline root CAs. The nShield Connect, Thales’s network-attached HSM, performs a variety of services such as:
- Supporting Online Certificate Status Protocol (OCSP) transactions to obtain certificate revocation status
- Securing keys and transactions using those keys on the government signing server, which issues and signs certificates for biometric and electronic information stored in passport and eID chips.
The NDCA installed their nShield HSMs in two datacenters, one for production and the second for backup and disaster recovery.
In addition to providing HSMs and integration support, Thales also delivered training to NDCA’s technical team on how to take full advantage of their nShield HSMs.
Thales took the initiative to work directly with PrimeKey and provided them the assets and support they needed to design and test their solution. This direct and proactive collaboration helped the project run smoothly and resulted in an optimally integrated solution.
About the Solution
Thales nShield HSMs provide a tamper-resistant environment for secure cryptographic processing and key management. nShield HSMs are FIPS 140-2 Level 2 and Level 3 validated, Common Criteria certified, and eIDAS compliant, and meet established and emerging security standards for cryptographic systems while staying highly efficient.
nShield HSMs isolate and protect cryptographic operations and keys for organizations’ most critical applications, and perform encryption, digital signing, and key management for an extensive range of applications including PKIs, SSL/TLS, and code signing. nShield HSMs provide high-assurance solutions and superior protection over software-only cryptography. nShield HSMs support all leading algorithms and feature world-class transaction rate performance.
With Thales HSMs and their unique Security World architecture, you buy only the capacity you need and easily scale your solution as your needs evolve.
Key Thales Solution Benefits
- Protect cryptographic keys and operations within tamper-resistant hardware to significantly enhance security over software-only solutions.
- Trust your certified solution—Thales nShield HSMs are certified to stringent standards including FIPS and Common Criteria, and are compliant to eIDAS standards.
- Maintain control over your keys and build HSM estates that scale with your evolving needs with Thales’ unique Security World architecture.