HSMs Overview


Rosetta® USB Series II and III/Rosetta Smart Card

FIPS 140-2 Level 3 certified, EAL5+ tamper proof
USB miniature form factor or ISO 7810 Smart Card

Approximately 32K of EEPROM available for X.509 certificates and data storage
ECC/AES/SHA-2 and legacy RSA support


Rosetta microSDHC™

microSDHC form factor, internal SPYCOS® Suite B PKI HSM with approved for classified RNG
Sizes to 128 GB in Class 10 performance, Hardware AES-256 Encryption



Two models of SPYRUS Linux2Go drives are available: the Secure Portable Workplace (SPW) and the WorkSafe Pro (WSP). Both models combine Secured by SPYRUS™ encryption and security technologies with a USB 3.0 drive. The WSP drive also provides fully integrated PKI smart card support from the em- bedded Rosetta® Micro FIPS 140-2 Level 3 certified EAL5+ se- curity controller when used with the SPYRUS PKCS#11 software.


Cryptographic Operating System

At the core of the SPYRUS technologies is SPYCOS® (SPYRUS Cryptographic Operating System). SPYCOS is the firmware operating system incorporated into SPYRUS hardware devices. It supports more cryptographic algorithms than any other commercial product and dynamically allocates nonvolatile memory. A unique feature bounds the memory space dedicated to multiple applications with a data “firewall” to ensure total isolation and security during processing. A sophisticated on-card key management system and advanced random number generation technology provide the strongest hardware-based encryption and security for application and personal identity keys in commercially available devices. Other features include:

  • FIPS 140-2 Level 3
  • Cryptographic algorithm
  • Large key and certificate storage space support multiple applications, permissions, and identities on a single SPYRUS security device
  • Anti-tearing mechanisms to ensure that file management transactions complete even if interrupted
  • Secure firmware upgrades for corrections, new features and functionality (FIPS SPYCOS modules not firmware updatable – storage and bootable updatable)

SPYCOS uses SPYRUS patented intellectual property that permits a device’s cryptographic functionality to be configured as non-modifiable at the factory under specified rights and conditions without changing the basic primitive mathematical operations. SPYCOS interacts with commercial cryptographic APIs, PKCS #11, and Microsoft CAPI and CNG. These and other features make SPYCOS the most secure and reliable cryptographic operation system for applications with advanced security requirements.

Key Features:

Built-in Algorithm Support for the Future
SPYRUS is committed to keeping the Rosetta Series II and Series III smart card and USB security devices well ahead of the rest of the industry as cryptographic requirements change and evolve. As our customers require new algorithms and increased key lengths, SPYRUS now supports algorithms to include 2048-bit RSA, AES-128/192/256, and SHA-1/224/256/384/512 key lengths advocated by industry and the U.S. Government.

The Rosetta Series II and Series III are designed to support elliptic curve cryptography (ECC) using the high-strength P-256, P-384, and P-521 curves that meet or exceed U.S. Government Suite B standards. The ECDSA digital signature standard and the EC Diffie-Hellman key establishment schemes are supported in accordance with NIST SP 800-56 Key Establishment Guidelines.

Enhanced Random Number and Key Generation Security
The Rosetta Series II and Series III smart card and USB use the latest approaches to random number and key generation as recommended by the U. S. Government. A true hardware-based random-number generator (RNG) is extensively filtered, tested, and then used to seed an approved high-strength, hash-based algorithm. RSA keys are generated in accordance with the latest X9.31 specification, as required for FIPS 140-2 Level 3 certification. Particular care is taken with ECC operations to avoid possible side-channel attacks.

Tamper-Proof Security
The Rosetta Series II and Series III family features a highly tamper-resistant and tamper-evident design. The cryptographic boundary is the chip itself, so that it can be embedded in other products for specialized applications. Rosetta Series II and Series III smart card and USB security devices never store the PIN on the device. The PIN is used to derive a decryption key used for validation. All private data on the card, including the keys, is stored in encrypted form using a variation of the PIN.

Cryptographic Functions
Rosetta Series II and Series III smart card and USB security devices are based on a versatile, algorithm-agile platform that supports secure storage of private keys and certificates and the following cryptographic functions on the device:

  • Anti-Tearing File Management: This feature prevents inappropriate termination of a management transaction on the card due to early removal from the reader or power loss. Upon the next use of the card the transaction is completed. This can be viewed as a “fail-safe” mechanism.
  • Data Firewalling: This provides the ability to separate one user’s data from another.
  • Dynamic Memory Allocation: The SPYCOS File Allocation Table file system ensures that data files do not need contiguous sectors and that deleted file space can be reclaimed and reallocated as needed. This provides the ability to add and remove multiple certificates as required.
  • High Storage Capacity: Designed to hold over 20+ of X.509 version 3 certificates, depending upon certificate size and EEPROM.
  • Secure PIN-Based Key Protection: Multiple-level PIN protection for keys and data stored on the card.
  • Secure Firmware Update: This allows additional features to be added to the token, or conversely, features to be removed from the token. The firmware update is validated by the security device prior to acceptance.

Secure Channel
Serious security means your critical security parameters (CSP’s), like passwords and keys, are never transmitted without using encryption.  FIPS 140-2 Level 3 certification means that a module meets this standard for high assurance through evaluation and inspection certified evaluation laboratories and the United States Federal Government.  The Rosetta family of FIPS 140-2 Level 3 certified crypto-modules provide an ECDH-AES secure channel meeting and exceeding most requirements for protecting CSP’s.