Signature Generation and Verification

The server produces RAW (PKCS#1) and PKCS#7 compliant signatures and supports the the SHA-2 and SHA-3 suite of digest algorithms. Signatures are compliant with Bacs, Faster Payments and Fast Cheque digital signature requirements

The server performs full signature validation including path building and revocation checking, supporting both CRL and OCSP, including OCSP request signing (as required by IdenTrust)

Many configuration options are available including custom path checking (checking certificates based on specific requirements), performing additional checks on hash algorithms/certificate extensions etc.

AES Data Encryption

High performance, strong data encryption/decryption using AES keys stored in software or HSMs.  The ability to generate any number of AES keys, allowing the client to choose based on a name

Multi Token Support

The server supports several mechanisms for secure key storage, including:

• AWS CloudHSM
• PKCS#11 based HSMs (such as the SafeNet nShield and the Thales Luna range)
• Thales PayShield HSMs (including the 10k)
• Azure KeyVault and Google KMS HSM backed key stores
• Software. For testing or applications that do not require hardware key protection, a software key store may be used. Keys and certificates are AES encrypted

Java based

The server is java based, supporting all versions from 8 onwards

Java and .NET Simple Client APIs

Java and .NET clients are available which are easy to integrate into any application.  The clients have no dependencies on any other external libraries and developers can start to sign/encrypt data via the API within minutes

Multi-Channel

The server provides key separation and the ability to support different configuration options per channel e.g. one channel can use a software key store whilst another makes use of an HSM, all from the same server.

For more information contact Krestfield Support (support@krestfield.com)