<img alt="" src="https://secure.weed6tape.com/193471.png" style="display:none;">
x
Contact Sales
Download Factsheet

PRIMUS HSM Models S4/S6/S6P

The Primus Hardware Security Modules S4/S6/S6P have been built exclusively for the Swiss Interbank Clearing System operated by SIX-SIC under the supervision of the Swiss National Bank. Daily transactions of over CHF 100 billion are protected by Primus HSMs.

S2FrontDirect_DSC07676-S2cn

Overview

The Primus HSM models S4/S6/S6P, meticulously designed, developed, and manufactured in Switzerland, are exclusively tailored for the Swiss banking system SIC, meeting its unique requirements and standards.

Setting industry benchmarks, our product offers market-leading encryption and authentication performance, ensuring the utmost security for sensitive data and transactions. Thanks to its dynamic FPGA (field programmable gate array) based architecture, all models of the new HSM series support PQC algorithms and will be updated according to the on-going standardization processes.

The Primus HSM models S4, S6 and S6P differ in performance and the maximum number of partitions (logical HSMs for multi-tenancy).

Remote Administration
All devices can be securely and efficiently administrated with the Decanus Terminal, while flexible partitioning allows for application-specific key segregation.
 
Security
Integrated two-factor authentication enhances security protocols, adding an additional layer of protection against unauthorized access. Tamper protection features safeguard the integrity of sensitive information during transport, storage, and operation.
 
Setup
Built-in high-availability clustering across data centers eliminates the need for cumbersome manual key distribution. Copper and 10Gbps optical interfaces, together with LACP interface bundling, allow integration into any network environment. With a user-friendly interface, our solution offers a simple setup process, streamlined commissioning procedures, and straightforward configuration and maintenance protocols, ensuring operational efficiency.
S2Back_DSC07692cn

Important information regarding the S500 HSM devices

Please note, that the Primus S500 HSMs are no longer available for purchase and need to be exchanged to the current models until June 30, 2026. For detailed Information please refer to the SIC Extranet (Login required). 

Technical
specification

Security Architecture

  • Multi-barrier software and hardware architecture with supervision mechanisms

Encryption / Authentication (extract)

  • 128/192/256-bit AES with GCM-, CTR-, GCTR-, ECB-, CBC-, MAC Mode
  • Camellia, ChaCha20-Poly1305, ECIES
  • RSA 1024-8192, DSA 1024-8192
  • ECDSA 224-521, GF(P) arbitrary curves (NIST, Brainpool, ...)
  • ED25519, Curve25519
  • Diffie-Hellman 1024, 2048, 4096, ECDH
  • SHA-2/SHA-3 (224 - 512), SHA-1, RIPEMED-160, Keccak
  • HMAC, CMAC, GMAC, Poly 1305
  • Post-Quantum Cryptographic (PQC) algorithms
    CRYSTALS-Dilithium, CRYSTALS-Kyber, SPHINCS+

Key Generation

  • Two hardware true random number generators (TNRG)
  • NIST SP800-90 compatible random number generator

Key Management

  • Key capacity: up to 12 GB
  • 1 partition @240 MB secure storage
    upgradeable to max. partitions:
    S6P: 50 / S6: 10 / S4: 1

Operation

  • Number of client connections not restricted

Anti-Tamper Mechanisms

  • Several sensors to detect unauthorized access
  • Active destruction of key material and sensitive data on tamper
  • Transport and multi-year storage tamper protection by digital seal

Attestation and Audit Features

  • Cryptographic evidence of audit relevant parameters (keys, configuration, hardware, states, logs, time-stamping)

Identity based authentication

  • Multiple security officers (m out of n)
  • Identification based on smart card and PIN

Software Integration

  • JCE/JCA Provider

Networking

  • IPv4/IPv6
  • Interface bonding (LACP or active/backup)
  • Active clustering of multiple units for load-balancing and fail-over
  • Monitoring and log streaming (SNMPv2, syslog/TLS)

Device Management

  • Local configuration (GUI, Console)
  • Remote administration (Decanus Terminal)
  • Local and remote firmware update
  • Secure log and audit
  • Enhanced diagnostic functions

Performance (transactions per second, concurrent)

Model RSA 4096 RSA 3072 ECC521 ECC384
S6P 1000 2000 800 2000
S6 500 1000 400 1000
S4 25 50 25 50

 

Power

  • Two redundant power supplies, hot pluggable:
    • 100 ... 240 V AC, 50 ... 60 Hz
  • Power dissipation: 65 W (typ.), 100 W (max.)
  • Backup lithium battery:
    Lithium Thionyl Chloride 0.65g Li, IEC 60086-4, UL 1642, 3.6V

Interfaces

  • 4 Ethernet RJ-45 ports with 1 Gbps (rear)
  • 2 SFP+ slots for optical 10Gbps Ethernet modules (rear)
  • 2 Console ports (RJ45, front/rear)
  • 2 USB-A management ports (front/rear)
  • 1 USB-C management port (rear)
  • 3 Smart card slots

Controls

  • 3 slots for Securosys security smart cards
  • 4 LEDs for system and interface status (multicolor)
  • Touch screen for configuration
  • Console interface
  • Optional Decanus Terminal for remote administration

Specifications

  • Temperature ranges (IEC 60068-2-1 Ad, IEC 60068-2-2 Bd): storage -20 ... +60 °C; operation 0 ... +35 °C
  • Humidity (IEC 60068-2-78 Cab):
    40 °C, 93% RH, non-condensing
  • EMV/EMC: EN 55022, EN 55024, FCC Part 15 Class B
  • Safety: IEC 62386-1
  • MTBF (RIAC-HDBU-217Plus) at tamb=25 °C: >100 000 h
  • Dimensions (w×h×d) 417 x 44 x 365 mm (1U 19" EIA standard rack)
  • Weight 7.5 kg

Certifications

  • CE, FCC, UL

Didn't find what you were looking for?

Please find here our product overview or solutions overview page.

Contact us

Contact us if you want to know more about our products and offering.

Hinterlassen Sie uns Ihre Nachricht hier
Language
Address

Max-Högger-Strasse 2
8048 Zürich
Switzerland

Phone

+41 44 552 31 00

Fax

+41 44 552 31 99

Copyright © 2024 Securosys SA. All rights reserved.