Please Note:

User Guide
Quick Start
- Installation
  - Installing CADP for C on Linux
  - Installing CADP for C on Windows
  - Client Certificate Renewal in Linux/Windows
- Installed Directories
  - Installed Directory on Linux
  - Installed Directory on Windows
Tasks
- Tasks for CAPI
  - Setting up SSL/TLS on CipherTrust Manager and CADP for C
  - Create an NAE Session
  - Configuring CADP for C CAPI Properties File
  - Connecting to a Server through Single Properties File
  - Connecting to a Server through Multiple Properties File
  - Connecting to a Server through NAE and KMIP Session in a Single configuration
  - Adding CipherTrust Manager Servers
  - Adding Syslog Server
  - Enabling Connection Pooling
  - Securing Passphrase
  - Enabling Asymmetric Key Caching
  - Enabling Symmetric Key Caching
  - Setting Logging Parameters
  - Working with Certificates
    - Importing a Certificate
    - Exporting a Certificate
    - Creating a CA Chain using OpenSSL and Uploading on the CipherTrust Manager
    - Exporting a CA Chain
    - Deleting a Certificate
    - Creating a Certificate Signing Request
    - Signing a CSR with an existing local certificate authority
  - NAE Key Management Operations
    - Creating versioned key
    - Creating a new version of a key
    - Destroying versioned key
    - Creating a CipherSpec for a versioned key
    - Exporting a public versioned key
    - Exporting a symmetric versioned key
    - Getting key attributes of a versioned key
    - Modifying the state of a versioned key
    - Calculating the size of ciphertext created by versioned keys
    - Calculating the size of the ciphertext header for a versioned key
    - Deleting the EVP context created using I_C_Crypt_Fast
    - Deriving AES/HMAC symmetric key from any AES/HMAC symmetric key
    - Wrapping AES Key
    - Search key names by multiple attributes
- Tasks for PKCS#11
  - Configuring CADP for C PKCS11 Properties File
  - Configuring Registry Editor on Windows for CADP for C PKCS11
  - Initializing CADP PKCS#11 Library
  - Adding CipherTrust Manager Servers
  - Creating a Key
  - Enabling Connection Pooling
  - Enabling Symmetric Key Caching
  - Enabling Asymmetric Key Caching
  - Setting Logging Parameters
  - Migrating VAE to CADP for C
- Modifying the CADP for C Basic Configuration File
Advanced Topics
- Configuration
  - Logging Parameters
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Caching Parameters
  - SSL Configuration Parameters
  - Miscellaneous Parameters
- Symmetric/Asymmetric Caching
  - Symmetric/Asymmetric Caching, CADP for C CAPI
  - Symmetric/Asymmetric Caching, CADP for C PKCS#11
- Connection Pooling
- Load Balancing Group
- Multi-tier Load Balancing Group
- Persistent Key Caching
- Key Management, CADP for C PKCS#11
- Supported Cryptographic Operations
  - Supported Cryptographic Operations for CAPI
  - Supported Cryptographic Operations for PKCS#11
- Format Preserving Encryption
- KMIP Key Management in C
- Utilities
  - CryptoDataUtility
  - SelfSignedCertificate
  - RSAEncryptionUtility
- Pkcs11Interop Library for .Net Core
- Upgrade
  - Upgrade from CADP CAPI to CADP for C
  - Recompiling with CADP for C Library
  - For Already Existing CAPI Sample Executables
  - Upgrade from VAE to CADP for C
- Uninstall

CADP for C
User Guide
Advanced Topics
Symmetric/Asymmetric Caching
Symmetric/Asymmetric Caching, CADP for C CAPI

Symmetric/Asymmetric Caching, CADP for C CAPI

The key caching enables you to export keys from the server by using either the NAE XML or the KMIP protocol, and store them on the client for a limited time to perform cryptographic operations locally. Keys cached on the client are stored in process memory only; they are not stored on disk. This feature can improve performance, specifically if network latency is high, encryption sizes are small, and local CPU cycles are available. Once keys are cached, your client’s cryptographic operations can continue without access to the server.

To use this feature, the keys must be marked exportable and you must have export privileges for the key. Therefore, you must be the key owner or the key must be global. You automatically have full encryption and decryption privileges for all keys in the client cache; while in the cache, authorization policies are ignored. Key permissions are supported in cache.

Your client and its connection to CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attack. When using the key caching feature, ensure you are using a secure method of download and that your client’s operating system is secure.

How it Works

The client requests a key.
The client checks whether Symmetric_Key_Cache_Enabled or Asymmetric_Key_Cache_Enabled is yes or tcp_ok. If the feature is enabled, the client searches for the key in the key cache.
The client does not find the key in the cache.
The client requests the key from the server. If you have permission and the key is exportable, the server downloads the key to the client. The key is stored in the cache.
Subsequent requests for that key use the key cache until the time set in Symmetric_Key_Cache_Expiry has passed.

Logging

The server logs all key downloads in the NAE log. The client logs when key caching is enabled. When Log_Level is set to INFO, the client logs the following actions:

Key downloads
Use of downloaded key
Deletion of key from cache

Refreshing Cached Keys

The Key Refresh feature provides a mechanism to update the symmetric/asymmetric Key Cache in background. This feature helps in synchronizing keys with their states on CipherTrust Manager.

The Key Refresh feature works only when the Symmetric_Key_Cache_Enabled or Asymmetric_Key_Cache_Enabled parameter is set to yes or tcp_ok in the properties file. This means that this feature works only through the NAE XML protocol.

CADP for C provides support for:

Symmetric Caching
Asymmetric Caching

Symmetric Caching

The symmetric key caching allows you to export symmetric keys from the server. Only symmetric keys that have been marked exportable and are based on the following algorithms can be cached:

AES
DES
DESede
SEED
RC4
HMAC-SHA1

Supported Functions

I_C_CryptInit
I_C_CryptUpdate
I_C_CryptFinal
I_C_Crypt
I_C_Crypt_Fast
I_C_Crypt_Enhanced
I_C_CryptBulk_Enhanced

Related Parameters

To use the symmetric key cache, you need to set the following parameters in the properties file:

Symmetric_Key_Cache_Enabled
Symmetric_Key_Cache_Expiry

Refer to Caching Parameters to know more about the caching related properties.

Asymmetric Caching

The asymmetric key caching allows you to export asymmetric keys from the server. Only asymmetric keys (RSA) that have been marked Exportable may be cached.

Supported Functions

I_C_Crypt
I_C_CryptBulk_Enhanced (EC sign/Sign Verify not supported)
I_C_ExportPublicKey
I_C_FindKey
I_C_GetKeyAttributes

Supported Operations

The following operations are supported by the asymmetric key cache feature:

Encrypt/Decrypt
Sign/SignVerify

Related Parameters

To use the symmetric key cache, you need to set the following parameters in the properties file:

Asymmetric_Key_Cache_Enabled
Symmetric_Key_Cache_Expiry

Refer to Caching Parameters to know more about the caching related properties.

Suggest A Change

Symmetric/Asymmetric Caching, CADP for C CAPI

How it Works

Logging

Refreshing Cached Keys

Symmetric Caching

Supported Functions

Asymmetric Caching

Supported Functions

Supported Operations

On this page