Telecom & 5G

Network infrastructure encryption

High performance security infrastructure

Enterprise encryption for telecom and 5G providers

To fight back against cybercriminals and phone scammers, telecommunications providers must establish a root of trust. The root of trust is a guarantee that a provider’s cryptographic infrastructure is secure, from the hardware to the software. They must meet the FCC-approved STIR/Shaken standards. These standards require you to authenticate calling numbers by using public-key encryption. Futurex provides market-leading HSMs for telecom providers to establish a public key infrastructure (PKI) and a certificate authority (CA), forming the root of trust and complying with all regulations at once. The Futurex solution suite empowers telecom providers to build trust with end-users by authenticating caller IDs and proving that calling numbers have not spoofed.

  • FIPS-validated HSMs establish an offline root certificate authority (CA)
  • The CA generates asymmetric key pairs for public key infrastructure (PKI)
  • The issuing CA and PKI handle digital signatures and authentication
  • Key management HSMs contain OCSP and CRL for certificate revocation
Talk to an expertExplore solutions

This is a set of FCC-approved industry standards requiring the originating carrier to digitally sign calls and other carriers to validate them before reaching end users.

See it now

Digital certificates

Certificates consist of public and private key pairs. The originating provider uses private keys to sign calls, and other providers use public keys to validate the originating provider’s signature.

See it now

The challenges for telecom providers

The growing prevalence of robocalls and spoofing is not merely an annoyance. When it limits a merchant’s ability to contact customers or opens the door to phishing attempts, it becomes both a business and security risk. To face this threat, telecom providers must deploy public key cryptography to comply with the FCC-backed STIR/SHAKEN standards. Public key cryptography allows providers to establish a CA, where they use private keys to sign phone calls and public keys to validate the signature. This provides a secure experience for end users. However, you have to balance security with performance. A telecommunications security infrastructure must be efficient to manage and capable of high processing speeds.
  • Deploy scalable public key cryptographic architecture
  • Maintain public trust in network integrity by preventing data breaches
  • Combat the epidemic of illegal robocalls using digital certificate signing
  • Comply with FCC-required STIR/SHAKEN protocols
  • Manage on-premises or cloud-based infrastructure

Futurex solutions for telecom providers

Futurex HSMs provide a wide range of public-key cryptographic solutions, both on-premises and in the cloud. Managing key lifecycles, establishing a public key infrastructure (PKI), and setting up a CA to issue digital certificates and control their revocation are only a few examples of the Futurex solution suite’s extensive functionality. Futurex HSMs are equipped with physical and logical controls to guard against both external and internal threats. The result is a highly available and scalable cryptographic infrastructure that can meet and surpass STIR/SHAKEN requirements without creating security flaws or post-dial delays.

  • Manage the key lifecycle from generation to disposal
  • Establish a CA to authenticate calls
  • Create a PKI for remote management
  • Scale your processing power with increased call volume
  • Use logical controls: dual control and role-based permission
  • Use physical controls: tamper-proof and responsive chassis

The challenges for 5G providers

5G networks depend upon a secure root of trust and powerful processing ability. What’s more, the network security infrastructure must not be made obsolete by advances in quantum computing. And, while security is important, high performance is needed to deal with the increased data transaction speeds.
  • Establish a root of trust to secure physical infrastructure and software applications
  • Build a PKI to mitigate impact of quantum computing
  • Secure massive quantities of data in transit
  • Protect stored data

Futurex solutions for 5G providers

Futurex provides FIPS 140-2 Level 3 validated key management servers with built-in HSMs to handle key management, certificate authority (CA), and encryption. Futurex devices can be deployed on-premises for hands-on security and control, or can be deployed in the cloud for nearly limitless scalability and processing power.

  • Futurex HSMs establish offline root CA to form trust anchor across enterprise
  • Issuing CA validates components of infrastructure, from the physical radio access network (RAN) to the software applications.
  • CA uses asymmetric cryptography to build a PKI to quantum-proof infrastructure
  • HSMs leverage high-performance transaction processing to secure data in transit
  • Database encryption and vaultless tokenization protect data at rest
Minimize downtime, minimize risk

Multiple instances of HSM services in the cloud, on-premises, or both eliminate single points of failure and enable you to perform updates and maintenance with no downtime. It’s a risk-free backup and recovery method.

See our data protection solutions
Root of trust

A root of trust (RoT) is a cryptographic source guaranteed to be secure. The Futurex Root CA’s private key generates a self-signed root certificate allowing it to preside as the root of trust for your infrastructure.

See the VirtuCrypt Cloud
Enterprise key management

Futurex key management servers manage key lifecycles. They secure private keys, forming the basis for PKI and offline root CA. This enables device and code signing on an enterprise-class scale.

Learn about post-quantum

In the cloud, on-premises, or a hybrid of both: Futurex delivers tailored cryptographic solutions to fit your business needs.


Any cryptographic function. Any size. Any scale. Any location.

Learn more

Explore telecom & 5G solutions

Issuing CA

Using Futurex enterprise key management servers, organizations can establish a PKI to secure private keys and create an issuing certificate authority (CA). The offline root certificate establishes a working certificate that can digitally sign calls, devices, and code by using asymmetric key pairs.

It can authenticate calls to prevent unauthorized spoofed calls, spam, and robocalls. Like the PKI, having a CA in your security infrastructure is essential to protecting critical infrastructure, maintaining end-user trust, and mitigating cybersecurity vulnerabilities.

Offline root CA

To ensure the integrity and security of an organization’s public key infrastructure (PKI), you have to secure an offline root CA. PKI has become crucial in the modern age of networked devices, such as mobile phones or IoT sensors. Managing an organization’s security assets all but requires it. The offline root CA is the trust anchor for the entire PKI: it essentially vouches for the authenticity of the certificates that hierarchically descend from it.

Futurex provides an all-in-one solution for establishing a CA and PKI in the KMES Series 3. It features a built-in HSM, flexible integration (such as with Active Directory), and full key and certificate lifecycle management of the PKI. A device so robust and efficient is rare in the marketplace today.

  • Identity theft by stolen digital certificates can incur major reputational and financial losses
  • Man-in-the-middle attacks can lead to sensitive information theft.
  • Cybercriminals can use stolen or rogue certificates to sign malicious code to make it look legitimate.
Technology solution description

The configuration process for creating an offline root CA is simple using the KMES Series 3:

  • Create a CA within the KMES Series 3
  • Keep the KMES series 3 offline all the time
  • When you need to perform a new cryptographic function, use a dedicated team of custodians to perform those tasks in a secure room or facility

Access the device, kept offline and never connected to a network, through a console to perform any cryptographic functions on the root CA.


Planning certificate revocation across multiple trusted certificate authorities (CA) is an important component of a secure public key infrastructure. You need to revoke old certificates to mitigate cyber vulnerabilities and prevent application downtime.

Transport layer security (TLS) offers two cryptographic protocols for systems to revoke certificates:

  1. Certificate Revocation Lists (CRL)
  2. Online Certificate Status Protocol (OSCP)

The OCSP and CRL protocols are as important as the issuing CA.

Futurex offers a hardened certificate validation solution with seamless system integration. It acts as an OCSP server and a CRL distribution point. It comes with FIPS 140-2 Level 3 validated HSM storage and includes automated CRL distribution and OCSP validation. It’s also easily configurable within the KMES Series 3, requiring only a few steps for either OCSP or CRL setup.

The Futurex technology offerings strike the perfect balance between performance and security when planning certificate revocation. Plus, with our cloud-based offerings through VirtuCrypt, organizations can eliminate hardware, maintenance, and management costs.

Futurex telecom & 5G solutions portfolio

Issuing CA
Protect an issuing CA by using hardware-based key management solutions with PKI functionality and third-party integration.
Automate certificate management through HSMs with your CRLs and OCSP in mind through custom configuration.
Offline Root CA
Take advantage of an all-in-one solution to guarantee the integrity of your PKI with a secure, offline root CA.

Want to learn more?

Contact a Solutions Architect today.

Give us a call