The Krestfield EzSign suite enables applications to quickly and securely generate and verify digital signatures without the need for complex programming
Signature Generation and Verification
The server produces RAW (PKCS#1) and PKCS#7 compliant signatures and supports the SHA-2 suite of digest algorithms. Signatures are compliant with Bacs, Faster Payments and Fast Cheque digital signature requirements
The server performs full signature validation including path building and revocation checking, supporting both CRL and OCSP revocation checking, including OCSP request signing (as required by IdenTrust)
Many configuration options are available including custom path checking (checking certificates based on specific requirements), performing additional checks on hash algorithms/certificate extensions etc.
AES Data Encryption
High-performance, strong data encryption/decryption using AES keys stored in software or on HSMs. A number of AES keys can be generated, and the client chooses which key to use by name
Multi Token Support
The server supports several mechanisms for secure key storage, including:
- AWS CloudHSM
- PKCS#11 based HSMs (such as the Thales nShield Connect and the SafeNet Luna range)
- Thales PayShield HSMs
- Software. For testing or applications that do not require hardware key protection, a software key store may be used. Keys and certificates are AES encrypted
Java-based
The server is Java-based, supporting all versions from 8 to 11
Java and .NET Simple Client APIs
Java and .NET clients are available which are easy to integrate into any application. The clients have no dependencies on any other external libraries and developers can start to sign/encrypt data via the API within minutes
Multi-Channel
The server provides key separation and the ability to support different configuration options per channel, e.g. one channel can use a software key store whilst another makes use of an HSM, all from the same server.
For more information contact Krestfield Support (support@krestfield.com)