Our Technology

Enabling our customers to deliver immutable digital integrity in the software, information, and physical supply chains


The new standard in data integrity

KSI is a distributed network infrastructure for the issuance and verification of a new type of digital signature.

Unlike traditional digital signature approaches that depend on asymmetric key cryptography, KSI uses only hash function cryptography, allowing signature verification to rely on the security and quantum-resistance of those hash functions and the availability of a public ledger.

Data Authenticity & Privacy

KSI does not ingest any customer data. Instead, the system is based on one-way cryptographic hash functions that result in irreversible digital fingerprint uniquely representing the data.

Immutable Time

Protect your data with a KSI Signature that is cryptographically verifiable down to the second it was created. The KSI aggregation network generates unique block value every second which allows you to mathematically identify when your data was signed.


The hierarchical and distributed architecture of KSI allows for signatures to be generated at exabyte-scale. A trillion records can be signed every second with negligible computational, storage, or network overhead.

KSI Dockets

Metadata Integrity and Provenance

Extend the power of KSI Signatures with KSI Dockets. A Docket is a construct which combines the integrity of your data with any associated metadata. With the ability to cryptographically link dockets together, you can now create a provenance chained micro ledger to represent your processes, workflows, data transformations and more. All sealed with a KSI signature proving integrity, attribution, and creation time to the exact second.

Docket Builder Application – Coming Soon!

Guardtime Federal has been working with Lockheed Martin Aeronautics for 5 years on an ever-increasing level of integration with our digital integrity technologies.  In that time Lockheed has made a significant investment necessary for adoption of Guardtime Federal integrity solutions to be implemented across their heritage capabilities.  It is now time to extend the integration of integrity capabilities further left in the supply chain.

At Guardtime Federal we recognize that suppliers may not have the same level of resources or time to invest in customized integration as a prime integrator.  We have developed our KSI® Docker Builder turnkey solution for rapid adoption that has a narrower list of features, is less expensive than the full developer customization tool suite, is simpler to implement, and easier to operate.

Black Lantern® Security Appliance

What is a Black Lantern?

The Black Lantern Security Appliance is an integrated hardware and software platform, purpose built to mitigate both remote and physical attacks against your infrastructure and applications. The Black Lantern completely changes the protection paradigm by being able to identify, defeat, deter, and react against nation-state level reverse engineering attempts or cyber-attacks against both itself, its hosted applications, and your network-based critical assets.

The Black Lantern is a Hardened KSI® Gateway

The Black Lantern Security Appliance comes with a built in KSI Gateway running in protected environment to ensure continued operations even when your infrastructure expands into areas where you may no longer have physical control over the hardware. Black Lantern guarantees the integrity of your system, and proves it through the KSI instrumentation.

The Black Lantern combines the usual capabilities of an Application Server with additional metro-class encryption, communication, and active defense measures. Black Lantern Products are capable of defending themselves from Advanced Persistent Threats regardless of deployment location or physical access to ensure QoS and SLA for the applications it hosts.

Not only can Black Lantern protect itself against remote attacks, it is also capable of defending itself from physical attacks – where an attacker has the device on a reverse engineering bench.

This level of hardening is an industry first, and absolutely necessary when your infrastructure expands into areas where you no longer have physical control over the hardware. Even when you have physical control over the hardware, the threat of malicious insiders still exists. Black Lanterns are designed to survive in the most harassing environments.

Expand the sections below to learn more.

Black Lantern Hardware and Software

The Black Lantern software is digitally signed and encrypted at rest with KSI and NIST / ETSI approved encryption algorithms. The hardware is incapable of executing unsigned code – it will not boot if the software and hardware runtime environment is not authentic. Black Lantern uses advanced ASICs with customized tamper protection features and escalation reaction monitors for added security given a variety of physical attack vectors. The hardware is also resistant to cryptanalysis attacks, such as statistical power analysis on invasive attacks. All of the executable software is monitored during run-time by both software and hardware. This mitigates threats relating to the use of “mod chips” for the purposes of altering data streams in and out of the Security Appliance. End-to-End protection and resilience is afforded to guarantee delivery of your services. In addition to the active monitoring of executable code during run-time, the architecture prohibits the introduction of executable code after the software has been authenticated, decrypted, and executed. All executable code is read-only, through custom processor enforcement with hardware-based tamper reactions. Latency for Incident Response becomes sub millisecond due to hardware adaptation and acceleration of your application code. Importantly, Black Lantern cannot be manipulated to attack other systems in your network infrastructure.

Black Lantern Connectivity

Communication channels are authenticated and encrypted using ephemeral keys with perfect forward secrecy. This means that if an attacker recorded any of the Security Appliance traffic, they could not decrypt it. All traffic to and from the Security Appliance is also encrypted to protect against side-channel attacks.

Black Lantern Resiliency

The Black Lantern defends itself from denial of service attack by policing traffic at the data-link layer (OSI layer 2). The Black Lantern’s layer 2 is content-aware – meaning it can identify specific traffic and de-prioritize everything else. This ensures that Black Lantern can sustain its performance while it is the target of a Denial of Service attack. It is also possible to throttle traffic from a single client node in the event that single device attempts to flood the Black Lantern with requests. Since our network stack is content-aware at the hardware level, we can rapidly identify and report any traffic that might indicate the presence of a rogue device in an infrastructure. This means that your services run by Black Lantern will remain uninterrupted under the harshest of conditions.

A Platform for Developers

Aside from our turnkey solutions, we offer several ways to integrate KSI into your own applications.


Offering a more integrated solution, the KSI SDK’s are available in multiple programming languages for developers who want to integrate KSI with their own applications and systems. They provide an API for all KSI functionality, including the core functions – signing of data, extending and verifying the signatures.

Docket SDK

Quickly integrate KSI Dockets into your applications. The Docket SDK handles your data integrity and provenance requirements with an easy to use API, while providing the ability to create custom metadata property sets to suit your needs. Flexible serialization capabilities allow your KSI Dockets to be represented as Binary, XML, JSON, or Open Provenance formats.

Resonance Platform

Easily manage your KSI Dockets with the Resonance Platform. Resonance provides a framework for ingesting, validating, storing and managing dockets. Robust interfaces enable you to create custom logic to validate dockets prior to ingestion and to create custom workflow automation triggered on the ingestion of dockets with the properties you define.
©2021 Guardtime Federal