Acala: Enhanced Key Protection Without Complicated Hardware
Acala is a software HSM emulator that acts as a universal key store as well as a cryptographic service provider. Acala:
- maintains a central repository for private keys and X.509 certificates
- provides a secure environment for cryptographic operations
Acala affords an organization’s servers the functionality of a physical hardware security module (HSM) for a fraction of the cost. It stores each server’s credentials in a single encrypted file on any designated storage device (e.g., local hard drive, network share, or removable memory device), and provides cryptographic operations to security-enabled programs through a PKCS#11 application programming interface.
Safeguarding Offline Certificate Authority Keys for CSfC
Acala’s software protection of a CA’s sensitive keys, combined with sufficient protection of the system on which both Acala and the certificate authority reside, can enable a low-cost solution for an offline certificate authority.
Generating Pre-shared Keys for an IKEv1 VPN
Acala supports the generation of symmetric keys for an IPsec VPN deployment that uses IKEv1.
Securing Keys in a Prototype, Test, or Development CertAgent Effort
Acala allows the quick establishment of a certificate authority for prototype, test, or development purposes without the expense of a true hardware security module.
- Lowers cost
- Enhances security
- Enforces strict password quality requirements
- Audits all private key operations
- May be easily deployed and managed
- Appropriate for organizations of any size
- Uses NIST CMVP-validated FIPS 140-2 cryptography and today’s proven standards, including ANSI X.509 and IETF PKIX, TLS, and S/MIME
- Complies with NIST FIPS 140-2 Level 1 requirements
- Exports a PKCS#11 version 2.20 compliant API
- Imports and exports PKCS#12, PKCS#7, and ASN.1 DER-encoded X.509 certificates
- Generates up to 8192-bit RSA and up to 571-bit ECDSA PKCS#10 requests
- Supports SHA-256, SHA-384, and SHA-512
- Employs password-protected PKCS#15 PDUs for key storage on local, removable, or network-attached drives, using AES-256 for confidentiality and HMAC-SHA-512 for integrity checking
- Windows Server 2012 R2 or above
- Windows 7, 8, 8.1, 10, or above
- CentOS 6.7 (Linux Kernel 2.6) or above (x64)