Symmetric/Asymmetric Caching, CADP for C CAPI
Key caching enables you to export keys from the server by using either the NAE XML or the KMIP protocol and store them on the client for a limited time, so that cryptographic operations can be performed locally. Keys cached on the client are stored in process memory only; they are never written to disk. This feature can improve performance, particularly when network latency is high, the data being encrypted is small, and local CPU cycles are available. Once keys are cached, your client's cryptographic operations can continue without access to the server.
To use this feature, the key must be marked exportable and you must have export privileges for it; therefore, you must be the key owner or the key must be global. You automatically have full encryption and decryption privileges for all keys in the client cache: while a key is in the cache, authorization policies are ignored. Key permissions are supported in the cache.
Your client and its connection to CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attack. When using the key caching feature, ensure you are using a secure method of download and that your client’s operating system is secure.
How it Works
- The client requests a key.
- The client checks whether Symmetric_Key_Cache_Enabled or Asymmetric_Key_Cache_Enabled is set to yes or tcp_ok. If the feature is enabled, the client searches for the key in the key cache.
- The client does not find the key in the cache.
- The client requests the key from the server. If you have permission and the key is exportable, the server downloads the key to the client. The key is stored in the cache.
- Subsequent requests for that key use the key cache until the time set in Symmetric_Key_Cache_Expiry has passed.
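The lookup flow above, modelled as an added C example (this is not CADP for C library code; the key names and the server stand-in are constructed): a process-memory cache that is consulted only when the enable flag is set, is filled only with exportable keys, and wipes and refetches an entry once the expiry period has elapsed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define KEY_BYTES 32
#define CACHE_SLOTS 8

typedef struct {
    char name[64];
    unsigned char material[KEY_BYTES]; /* held in process memory only, never written to disk */
    time_t fetched_at;
    bool in_use;
} cache_entry;

typedef struct {
    bool enabled;        /* models Symmetric_Key_Cache_Enabled = yes */
    long expiry_seconds; /* models Symmetric_Key_Cache_Expiry */
    cache_entry slots[CACHE_SLOTS];
    int server_fetches;  /* round trips to the key server, for observing cache behaviour */
} key_cache;

/* Constructed stand-in for the key server (hypothetical key names, not real CADP calls). */
static int server_fetch(key_cache *c, const char *name, unsigned char *out, bool *exportable) {
    c->server_fetches++;
    if (strcmp(name, "aes-exportable") == 0) { memset(out, 0xA5, KEY_BYTES); *exportable = true; return 0; }
    if (strcmp(name, "aes-server-only") == 0) { *exportable = false; return 0; } /* exists, never leaves the server */
    return -1; /* unknown key, or caller lacks export privilege */
}

/* Returns 1 if served from the cache, 0 if the server was contacted, -1 if the key is unavailable. */
int get_key(key_cache *c, const char *name, time_t now, unsigned char out[KEY_BYTES]) {
    cache_entry *hit = NULL, *free_slot = NULL; bool exportable = false;
    for (int i = 0; c->enabled && i < CACHE_SLOTS; i++) {
        cache_entry *e = &c->slots[i];
        if (e->in_use && now - e->fetched_at >= c->expiry_seconds) {
            memset(e->material, 0, KEY_BYTES); /* wipe expired material before the slot is reused */
            e->in_use = false;
        }
        if (e->in_use && strcmp(e->name, name) == 0) hit = e;
        else if (!e->in_use && !free_slot) free_slot = e;
    }
    if (hit) { memcpy(out, hit->material, KEY_BYTES); return 1; }
    if (server_fetch(c, name, out, &exportable) != 0) return -1;
    if (c->enabled && exportable && free_slot) { /* only exportable keys are ever stored locally */
        snprintf(free_slot->name, sizeof free_slot->name, "%s", name);
        memcpy(free_slot->material, out, KEY_BYTES);
        free_slot->fetched_at = now;
        free_slot->in_use = true;
    }
    return 0;
}
```

With the cache disabled every request is a server round trip; with it enabled, only the first request and the first request after expiry reach the server.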
Logging
The server logs all key downloads in the NAE log. The client logs when key caching is enabled. When Log_Level is set to INFO, the client logs the following actions:
- Key downloads 
- Use of downloaded key 
- Deletion of key from cache 
Refreshing Cached Keys
The Key Refresh feature provides a mechanism to update the symmetric/asymmetric key cache in the background. It keeps cached keys synchronized with their states on CipherTrust Manager.
The Key Refresh feature works only when the Symmetric_Key_Cache_Enabled or Asymmetric_Key_Cache_Enabled parameter is set to yes or tcp_ok in the properties file. This means that this feature works only through the NAE XML protocol.
CADP for C provides support for:
Symmetric Caching
Symmetric key caching allows you to export symmetric keys from the server. Only symmetric keys that have been marked exportable and are based on one of the following algorithms can be cached:
- AES 
- DES 
- DESede 
- SEED 
- RC4 
- HMAC-SHA1 
Supported Functions
- I_C_CryptInit 
- I_C_CryptUpdate 
- I_C_CryptFinal 
- I_C_Crypt 
- I_C_Crypt_Fast 
- I_C_Crypt_Enhanced 
- I_C_CryptBulk_Enhanced 
- I_C_FindKey 
- I_C_GetKeyAttributes 
- I_C_ExportAESWrappedKey 
- I_C_ExportSymmetricKey 
- I_C_RefreshCache 
Related Parameters
To use the symmetric key cache, you need to set the following parameters in the properties file:
- Symmetric_Key_Cache_Enabled 
- Symmetric_Key_Cache_Expiry 
Refer to Caching Parameters to know more about the caching related properties.
Asymmetric Caching
Asymmetric key caching allows you to export asymmetric keys from the server. Only asymmetric keys (RSA) that have been marked exportable can be cached.
Supported Functions
- I_C_Crypt 
- I_C_CryptBulk_Enhanced (EC sign/Sign Verify not supported) 
- I_C_ExportPublicKey 
- I_C_FindKey 
- I_C_GetKeyAttributes 
Supported Operations
The following operations are supported by the asymmetric key cache feature:
- Encrypt/Decrypt 
- Sign/SignVerify 
Related Parameters
To use the asymmetric key cache, you need to set the following parameters in the properties file:
- Asymmetric_Key_Cache_Enabled 
- Symmetric_Key_Cache_Expiry 
Refer to Caching Parameters to know more about the caching related properties.