Tim Bruijnzeels, senior software developer with RIPE NCC, says, "Soon our members will be able to use digital certificates to verify that the entities sending resource-related messages, such as routing updates, are authorized to do so. Members can use this ability to make processes like traffic routing more reliable and automated, while reducing the potential for Internet fraud and disruption. Thales nShield Connect HSMs will protect the integrity of certificates issued by RIPE NCC, helping our members to efficiently identify trustworthy messages."
An independent, not-for-profit organization, RIPE NCC is one of five Regional Internet Registries (RIRs) that provide Internet resource allocations, registration services, and coordination activities that support the operation of the Internet globally. RIPE NCC facilitates the allocation and registration of IP addresses for the reliable routing of Internet traffic. The organization maintains a database of registered resources for all RIPE NCC members, most of whom are telecommunications companies, ISPs, and large corporations. Internet number resources make it possible to find websites and communicate online. Resource holders can send messages to other entities about their resources. These messages might indicate a number change or specify how traffic should be routed to reach the resources controlled by their numbers. These resources are often websites.
Today, unauthorized users with sufficient knowledge and malicious intent can attack websites by sending invalid resource-related messages. ISPs currently rely on inefficient and time-consuming processes to prevent attacks. That is why RIPE NCC and the world's other four RIRs are implementing a process that will allow the authentication of resource holders, and the messages they send, using digital certificates. Each RIR is responsible for developing and implementing a process for issuing secure digital certificates to resource holders. Certificates will be signed by keys generated and secured within Thales nShield Connect HSMs. Because of the security offered by Thales nShield Connect, the signing keys are protected, making it impossible for anyone to access the keys and issue forged certificates. RIPE NCC expects to launch its new IP routing and allocation verification system in early 2011.
Prior to selecting Thales nShield Connect, RIPE NCC evaluated HSMs from four leading makers of security technology. Thales nShield Connect stood out because of its superior scalability and easy-to-use application programming interface (API). Importantly for RIPE NCC, nShield Connect is also FIPS 140-2 Level 3 validated. FIPS is one of the most widely recognized and stringent security standards for HSMs.
"After we enable certificate-based resource verification, our members will be able to further automate processes and ensure the smooth operation of the Internet," continues Bruijnzeels. "It will be much easier to identify fraudulent messages that could potentially disrupt traffic. With the keys that sign the certificates secured by Thales HSMs, no one will be able to forge a certificate. Thales HSMs gave us everything we wanted, including FIPS validation, an easy-to-use API, and scalability."
"Digital certificates are an effective way to make processes more secure through the authentication of machines, messages, and identities," says Franck Greverie, Vice President, Thales, in charge of information technology security activities. "The fact that RIPE NCC and other RIRs are using digital certificates for the addresses they register will help to make the Internet more secure and reliable for everyone. Thales is particularly pleased that RIPE NCC chose to secure its process using Thales HSMs."