I4P — Trident HSM

Common Models / Form Factors

  • Trident HSM is offered as a network appliance (multi-tenant/MPC design). The Security Target references model variants A11, A21, A31, A33, B11, B31, B33, C16.

FIPS Status

  • Today: Trident is Common Criteria EAL4+ (eIDAS/QSCD use-cases); I4P publicly notes that FIPS 140-3 evaluation of the Trident cryptographic module is underway. (We design deployments in “FIPS-ready” configurations and track CMVP progress.)

PQC (Post-Quantum) Support

  • I4P positions Trident as PQC-capable, enabling applications to use NIST PQC (e.g., ML-KEM/Kyber and ML-DSA/Dilithium) even in restricted/CC modes; the PQC Capabilities Matrix and I4P guidance highlight hybrid migrations. (Trident also publishes QKD integration for key transport in certain designs.)
  • We implement dual-stack rollouts so classical (RSA/ECDSA) and PQC can run side-by-side during migration.

Dual Private-Key Format Support (Seed vs Expanded)

  • Context: PQC brings two private-key forms—compact seeds (~tens of bytes) and expanded keys (~1.6–4 KB). Seed-centric custody affects backup/interchange (with emerging seed-only PKCS#12 profiles).
  • What we implement on Trident estates:
    • Seed custody in HSM: Store seeds as high-assurance objects; gate exports with dual control/split knowledge and partition policy.
    • Deterministic re-derivation in hardware: Materialize expanded keys from seeds inside Trident for KEM/signing, avoiding persistence of large keys when policy forbids it. (Re-derivation must use the same standardized KeyGen as the original generation, e.g. FIPS 203/204, since pre-standard Kyber/Dilithium variants expand a seed to a different key.)
    • Expanded-key import & lifecycle: Where required by apps, import/wrap expanded keys under CC/FIPS-ready policies with labeling, rotation, and archival.
    • Backup & portability: HSM-wrapped seeds (and, if needed, expanded keys) with tamper-evident ceremonies; runbooks to shift from legacy PFX to seed-centric custody as standards finalize.

How SafeCipher Helps (Procure • Deploy • Support)

  • Procurement & contracts: Sizing, pricing, spares/RMA logistics, co-termed renewals; vendor-neutral evaluations and PoCs.
  • Deployment & integration: Cluster/HA design, client stacks (PKCS#11/CNG/JCE), PKI/code-signing/data-protection onboarding, and performance tuning—leveraging Trident’s MPC-based architecture.
  • Operations: 24×7/BH support options, monitoring/telemetry, seed/expanded-key ceremonies, backup/escrow, and audit-ready evidence.
  • Migrations: Classical→PQC dual-stack pilots, provenance-preserving re-wraps, staged cutovers aligned to FIPS 140-3 program milestones and CC profiles.

Bottom line

Whichever HSM or crypto platform you choose, we can help you buy it right, deploy it right, and keep it right—without locking you to a single vendor.