White Paper. Deploying CKMS Within a Business

Similar documents
Who s Protecting Your Keys? August 2018

The Device Has Left the Building

HARDWARE SECURITY MODULES (HSMs)

Key Management in a System z Enterprise

SafeNet ProtectApp APPLICATION-LEVEL ENCRYPTION

Remote Key Loading Spread security. Unlock efficiency

Getting to Grips with Public Key Infrastructure (PKI)

White Paper. Key Management Compliance - Explained

Channel FAQ: Smartcrypt Appliances

Payment Card Industry (PCI) PTS PIN Security Requirements. Technical FAQs for use with Version 2

Tokenisation for PCI-DSS Compliance

PCI DSS and VNC Connect

Adding value to your MS customers

Security Architecture Models for the Cloud

CAPABILITY STATEMENT

SHA-1 to SHA-2. Migration Guide

Creating Trust in a Highly Mobile World

Payment Card Industry (PCI) PTS PIN Security Requirements. Technical FAQs for use with Version 2

VMware, SQL Server and Encrypting Private Data Townsend Security

Unbound and Oasis KMIP Interoperability

Automated Firewall Change Management Securing change management workflow to ensure continuous compliance and reduce risk

6 Vulnerabilities of the Retail Payment Ecosystem

PKI is Alive and Well: The Symantec Managed PKI Service

CipherCloud CASB+ Connector for ServiceNow

VMware, SQL Server and Encrypting Private Data Townsend Security

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer

Advanced Solutions of Microsoft SharePoint Server 2013 Course Contact Hours

Advanced Solutions of Microsoft SharePoint 2013

The SafeNet Security System Version 3 Overview

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

PROFESSIONAL SERVICES (Solution Brief)

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Advanced Solutions of Microsoft SharePoint Server 2013

SecurityFirst DataKeep

SecureDoc Disk Encryption Cryptographic Engine

Remote Key Loading. Decoding RKL

Crypto-Options on AWS. Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH

REMOTE KEY LOADING DECODING RKL

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

The Kony Mobility Platform

Dyadic Enterprise. Unbound Key Control For Azure Marketplace. The Secure-As-Hardware Software With a Mathematical Proof

Digital Payments Security Discussion Secure Element (SE) vs Host Card Emulation (HCE) 15 October Frazier D. Evans

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Course 20342B: Advanced Solutions of Microsoft Exchange Server 2013

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Disk Encryption Buyers Guide

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

SECURITY PRACTICES OVERVIEW

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Device Discovery for Vulnerability Assessment: Automating the Handoff

Cloud Customer Architecture for Securing Workloads on Cloud Services

Oracle Database 11g: Security Release 2

Microsoft SharePoint Server 2013 Plan, Configure & Manage

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

Don t just manage your documents. Mobilize them!

MaaS360 Secure Productivity Suite

INNOVATIVE IT- SECURITY FOR THE BANKING AND PAYMENT INDUSTRY

Data Center Automation: Automated Provisioning, Patching, and Compliance

Payment Card Industry (PCI) Point-to-Point Encryption

David Jenkins (QSA CISA) Director of PCI and Payment Services

Archiving. Services. Optimize the management of information by defining a lifecycle strategy for data. Archiving. ediscovery. Data Loss Prevention

SHARE THIS WHITEPAPER. Modern Application Delivery Lifecycle Automation with Radware s Operator Toolbox Whitepaper

Payment Card Industry Data Security Standard (PCI DSS) Payment Application Data Security Standard (PA-DSS) Summary of 2012 Feedback

Thales e-security. Security Solutions. PosAm, 06th of May 2015 Robert Rüttgen

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution

PCI DSS Compliance. White Paper Parallels Remote Application Server

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.

Alliance Key Manager A Solution Brief for Technical Implementers

WORKSHARE SECURITY OVERVIEW

Dyadic Security Enterprise Key Management

Oracle Database 11g: Security Release 2

VACMAN Controller. HSM Integration Guide - White Paper. Revision 4.0

TransKrypt Security Server

Making the Case for Digital Signatures

Deliver Data Protection Services that Boost Revenues and Margins

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Agenda GDPR Overview & Requirements IBM Secure Virtualization Solution Overview Summary / Call to Action Q & A 2

Network Security and Cryptography. 2 September Marking Scheme

data leak prevention and compliance for the Financial Services industry

Getting Started with AWS Security

PCI DSS COMPLIANCE 101

Achieving a FIPS Compliant Wireless Infrastructure using Intel Centrino Mobile Technology Clients

Microsoft Administering Microsoft Exchange Server 2016

Security Solutions. Overview. Business Needs

Strong Security Elements for IoT Manufacturing

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

An Enterprise Guide to Understanding Key Management

WHITE PAPER DECEMBER VMWARE vsphere VIRTUAL MACHINE ENCRYPTION. Virtual Machine Encryption Management

Enhanced Privacy ID (EPID), 156

ORACLE DATABASE LIFECYCLE MANAGEMENT PACK

DATABASE ADMINISTRATOR

Alliance Key Manager A Solution Brief for Partners & Integrators

enhance the network transform performance

SD-WAN Solution How to Make the Best Choice for Your Business

payshield 9000 Online PIN Delivery Application Note PWPR February 2012

COURSE A ADMINISTERING EXCHANGE SERVER 2016

Data Security Overview

ATA DRIVEN GLOBAL VISION CLOUD PLATFORM STRATEG N POWERFUL RELEVANT PERFORMANCE SOLUTION CLO IRTUAL BIG DATA SOLUTION ROI FLEXIBLE DATA DRIVEN V

The Road to a Secure, Compliant Cloud

Transcription:

White Paper Deploying CKMS Within a Business

1 Introduction The Cryptomathic Crypto Key Management System (CKMS) is a market-leading lifecycle key management product that can manage cryptographic keys for a wide variety of applications within a business. CKMS provides a centralized and automated architecture that enables an organization to effortlessly generate, distribute and update keys across its distributed security network. The central management and automated key distribution capabilities can eliminate paperwork and remove the need to manually update keys on individual security targets. In other words, key ceremonies can be done securely at your desk. listen for encrypted keys sent (or pushed ) from CKMS. Received keys are decrypted and placed in local key storage, which is accessed by a business application. For example, a PKCS #11 HSM may have an associated AR that receives keys sent from CKMS and unwraps them into the HSM with C_Unwrap (see Figure 1). Cryptomathic can provide ARs for several common use cases, including PKCS #11 HSMs and Java key stores. In other cases, ARs can be developed on a case-by-case basis by either the business or Cryptomathic. CKMS is hardware-vendor agnostic and supports current standards and emerging protocols, such as PKCS#11 and KMIP, making it the most flexible and adaptable solution available. CKMS is designed to meet various compliance requirements, such as FIPS 140-2, PCI DSS and payment schemes. Its central tamper-evident audit logs provides controlled access to the relevant information, which greatly simplifies proof of compliance. CKMS Encrypted Key Originally developed in 1998 for a global payments provider, CKMS is now the leading key management solution for the financial sector. Companies that use CKMS include First Data, Swedbank, Unicredito as well as global card payment schemes. WAN With the ever-increasing number of cryptographic keys that an organization needs to manage combined with the mounting pressure of internal and external compliance, businesses are looking for ways to improve efficiency and reduce overheads on their key management operations. Before the right solution for a business can be selected, the deployment and integration capabilities with existing systems must be taken into account. Key Target Storage This document describes how a typical CKMS deployment is designed and implemented, including integration with existing business applications. 2 Key Distribution with CKMS Load Key PKCS#11 Token Before we go much further, a quick recap on key distribution with CKMS will provide a reminder of the terminology and capabilities of the product. CKMS can deliver key material in two ways: across the network to an Automated Recipient (a.k.a. target), or physically to a Manual Recipient (a.k.a. client). Business Application 2.1 Automated Recipients Automated Recipients (ARs) are network-accessible applications that Figure 1: Key distribution to Automated Recipient 2

3 Key Discovery Phase Two levels of key encryption keys (KEKs) are used to encrypt keys sent to ARs. The top-level key is known as a root KEK and is shared in XOR components between CKMS and the AR. Typically CKMS generates this key, but it is also possible to import key components generated by an AR. The second-level key is known as a transport KEK. The transport KEK is delivered to the AR across the network, encrypted with the root KEK. The transport KEK is used to protect the application keys sent from CKMS to the AR. The process of identifying potential CKMS integrations within a business is known as a key discovery phase. This phase requires examination of each project and associated infrastructure to find places where cryptography is used. In each instance, the purpose of the cryptography, the key properties (size, algorithm) and the way the key is stored should be noted. Once a list of keys has been produced, the next step is to prioritize the list. The prioritization process will be business specific, but common factors include: 2.1.1 Key Requesting ARs can also request keys from CKMS. A message is sent from the AR to CKMS, requesting generation of a particular key type. Once authorized, the key is then sent back to the AR automatically. 2.2 Manual Recipients In contrast to ARs, Manual Recipients (MRs) are not network-accessible and so receive keys in XOR components or encrypted files. MRs are typically external entities that need to share key material with the business for instance, a payment processor sharing a PIN encryption key (PEK). CKMS supports a wide range of different MR import and export formats, including: Format Export mport Atalla Key Block Yes Yes Atalla Variant Yes Yes Cryptogram under ZMKP Yes No Multos Public Key Yes No The risk associated with the key or certificate if it is not renewed Whether the current manual key management meets compliance requirements The current cost associated with managing the key manually Before finalizing the prioritized list of keys to manage, thought must be given to the way CKMS will deliver keys to each system. If the distribution is to be over the network, then a suitable AR application must be developed or purchased. If the distribution is manual (i.e. to an MR), then the correct delivery format must be understood. The final result of this discovery phase should be: A list of all key usage within the business, including algorithm and length information (preferably validity too). This is a useful asset that should be kept up-to-date. A prioritized list of which keys will be managed by CKMS. A decision about how each key will be distributed. If necessary, a target application should be developed or licensed. PKCS#8 Cryptogram Yes Yes XOR components via PIN pad Yes Yes Self-signed Certificate No Yes Standard Cryptogram Yes Yes To share encrypted keys with an MR, CKMS must first establish a shared zone master key (ZMK) between the MR and CKMS. Typically this is generated by CKMS, then exported in XOR components to the MR. Once this is established at both ends, application keys can be sent encrypted under the ZMK. In order to offer assistance during the key discovery phase, Cryptomathic can provide a key scanning tool to determine the type of cryptographic resource accessed and the name and algorithm type of each key accessed via that cryptographic resource for each target system. Figure 2 overleaf shows the typical discovery lifecycle for cryptographic keys. From an initial unknown state, the key is discovered during project examination and subsequently prioritized. High priority keys should be managed by CKMS sooner than lower priority keys. The next stage is the distribution of the key, which is often done manually at first, although some projects will immediately move to automatic distribution. 3

Examine project Automatic Distribution Undiscovered Discovered Deploy automated recipient High priority Low priority Manual Distribution Configure in KMS Managed by CKMS Priority increases Unmanaged Figure 2: Key discovery lifecycle 3.1 Key Management Policies Now is an excellent time to update the key management policy (or create one, if the business lacks a formal policy). This policy should define the rotation frequency of cryptographic keys and prescribe allowed algorithms and minimum key lengths. It should also describe how keys are to be handled and distributed, including defining roles and responsibilities for staff. Many of these policy decisions can then be enforced by CKMS. The flexible role-based access control in CKMS can be configured to match the decisions made in the security policies. 4 Training Once the discovery phase is finished, the next phase is to train the staff to use CKMS. By completing this training before deployment, the staff will learn the skills necessary to install the system themselves. Even if the intention is to use professional services installation assistance from Cryptomathic, there are still benefits to training the staff ahead of this activity as it will increase their participation and understanding of what is being done. Cryptomathic offers a two-day CKMS training course that covers: Software installation System configuration and user management AR and MR configuration Key lifecycle management Protocol information System maintenance Bespoke training courses are available upon request. 5 Deployment The deployment phase is where CKMS is installed, AR applications are configured and existing key material is migrated into the system. The basic software installation procedure is well documented in the CKMS manuals and will not be repeated here. Instead, the focus will be on configuration of AR applications and key migration. 5.1 Automated Recipient Configuration Before an AR application can be used, it must be added to CKMS and several keys must be exchanged with the CKMS server. Adding the AR to CKMS involves giving the AR a name and configuring the hostname and port number that it will be listening on. 4

The keys exchanged with the AR are listed below: CKMS Authentication Key this is the key used by CKMS to sign messages sent to the AR. The AR must import the public key so that it can verify messages are coming from the real CKMS server. AR Authentication Key this key is generated by the AR and the public half is imported into CKMS. This key signs messages sent from the AR back to CKMS. Root KEK this key is shared in XOR components with the AR and is used to encrypt transport KEKs. Transport KEK these keys are sent to the AR encrypted under the root KEK. Once a transport KEK is installed, the AR can receive application keys. 5.2 Manual Recipient Configuration To configure an MR in CKMS, one assigns a name to the MR and selects the list of import/export formats that it supports. In addition to a name, MRs can have up to five pieces of meta-data associated with them, which are stored as simple strings. Once the MR is configured, the final task is to share a ZMK. Typically CKMS will generate this ZMK, split it into XOR components which are then loaded into the MR. It is possible, though, for CKMS to import ZMK components generated by the MR. 5.3 Migration of Existing Key Material Migrating existing key material is optional. In some cases, it may be preferable to completely re-key the system with keys generated in CKMS. Another approach is to generate all future keys using CKMS and gradually phase out the non-managed keys. If migration is deemed necessary, then the options available differ depending upon whether the keys are imported from an MR or an AR. Once an application key is imported, it can be distributed to any MR or AR. Manual Exchange Shared in components CKMS Root KEK Root KEK Automated Recipient Automated Distribution Encrypted under Root KEK (SOAP message) Transport KEK Transport KEK Encrypted under Transport KEK (SOAP message) Application Key Application Key Application Key Transport KEK 5

5.3.1 Manual Recipient Key Import Before keys can be imported, a ZMK must be established between the MR and CKMS. This can either be generated by CKMS and exported in XOR components through the PIN pad, or generated by the MR and imported in XOR components into CKMS. With a ZMK in place, CKMS can import keys in a variety of formats: 6 Using CKMS Whether a business chooses to manage their cryptographic keys using manual or automated techniques, CKMS offers a flexible approach to deploying centralized key management within a business and delivers the fine-grained controls to simplify procedures and streamline operations. Atalla Key Block Atalla Variant PKCS#8 Cryptogram XOR components on PIN pad (no need for ZMK in this case) Standard Cryptogram 5.3.2 Automated Recipient Key Import Before importing keys, a root KEK must be established between the AR and CKMS. This KEK will be generated by either the AR or CKMS and shared in XOR components. A transport KEK is required to encrypt any application keys imported by CKMS. This can either be shared in XOR components or imported from an XML file, encrypted under the root KEK. Application keys can be imported, in bulk, from an XML file. These keys must be encrypted by the currently active transport KEK. Once successfully deployed, CKMS provides the business users with a centralized and unified view of the cryptographic key estate throughout the life-cycle of each key. CKMS delivers the most comprehensive key management toolset combined with automated and asynchronous workflows to allow a business to administer large numbers of keys, across various business applications, in a straightforward and compliant manner. Contact us: For more information on key management, please contact your Cryptomathic representative OR Email: enquiry@cryptomathic.com sales_enquiry@cryptomathic.com technical_enquiry@cryptomathic.com Disclaimer 2017 Cryptomathic A/S. All rights reserved Jægergårdsgade 118, DK-8000 Aarhus C, Denmark This document is protected by copyright. No part of the document may be reproduced in any form by any means without prior written authorisation of Cryptomathic. Information described in this document may be protected by a pending patent application. This document is provided as is without warranty of any kind. Cryptomathic may make improvements and/or changes in the product described in this document at any time. The document is not part of the documentation for a specific version or release of the product, but will be updated periodically. ABOUT CRYPTOMATHIC Cryptomathic is a global provider of secure server solutions to businesses across a wide range of industry sectors, including banking, government, technology manufacturing, cloud and mobile. With over 30 years' experience, we provide systems for Authentication & Signing, EMV, Key Management and PKI & ID, through best-of-breed security solutions and services. We pride ourselves on strong technical expertise and unique market knowledge, with 2/3 of employees working in R&D, including an international team of security experts and a number of world renowned cryptographers. At the leading edge of security provision within its key markets, Cryptomathic closely supports its global customer base with many multinationals as longstanding clients. 6 Learn more v1.0

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback