Symmetric/Asymmetric Caching, CADP for C PKCS#11
Key caching allows you to export symmetric/asymmetric keys from the CipherTrust Manager by using the NAE XML protocol and store them on the client for a limited time to perform cryptographic operations locally. Keys cached on the client are stored in process memory only; they are not stored on disk. This feature can improve performance, specifically if network latency is high, encryption sizes are small, and local CPU cycles are available. After keys are cached, your client’s cryptographic operations can continue without access to the server.
Only symmetric keys that have been marked Exportable can be cached. In addition, you must have export privileges for the key. Therefore, you must be the key owner or the key must be global. You automatically have full encryption and decryption privileges for all keys in the client cache; while in the cache, key permissions and authorization policies are ignored.
Warning
Your client and its connection to the CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attacks. When using symmetric key caching, ensure that you are using a secure download method and that your client’s operating system is secure.
Caution
It is highly recommended the communication between the CipherTrust Manager and the client be secured using TLS.
How it Works
The following steps describe what happens when the feature is enabled and the client requests a key:
1. The client requests a key.
2. The client checks whether Symmetric_Key_Cache_Enabled or Asymmetric_Key_Cache_Enabled is yes (or tcp_ok) for NAE. If the feature is enabled, the client searches for the key in the key cache.
3. The client does not find the key in the cache.
4. The client requests the key from the server. If you have permission and the key is exportable, the server downloads the key to the client. The key is stored in the cache.
5. Subsequent requests for that key use the key cache until the time set in the Symmetric_Key_Cache_Expiry parameter has passed.
Related Parameters
To use the symmetric key cache, set the following parameters in the CADP_PKCS#11.properties file:
Parameter | Description |
---|---|
Symmetric_Key_Cache_Enabled | Enables symmetric key caching. This value must be set to yes or tcp_ok. Selecting yes enables key caching over an SSL connection only; therefore, you must also configure SSL. Selecting tcp_ok enables key caching over both TCP and SSL connections. WARNING: TCP is not a secure communication protocol. |
Asymmetric_Key_Cache_Enabled | Enables asymmetric key caching. This value must be set to yes or tcp_ok. Selecting yes enables key caching over an SSL connection only; therefore, you must also configure SSL. Selecting tcp_ok enables key caching over both TCP and SSL connections. WARNING: TCP is not a secure communication protocol. |
Symmetric_Key_Cache_Expiry | The time after which a key may be removed from the symmetric key cache. The cache is cleaned only when it is used; therefore, keys may stay in the cache longer than this value. This value must be smaller than Persistent_Cache_Expiry_Keys. Otherwise, keys are removed from the persistent key cache before they expire from the symmetric key cache. |
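The following is an added example, not code from the CADP product or this documentation: a small audit script that checks a properties file against the rules in the table above (tcp_ok permits key download over plain TCP; Symmetric_Key_Cache_Expiry must be smaller than Persistent_Cache_Expiry_Keys). It assumes the file uses one Name=Value setting per line with # comments, that both expiry values are integers in the same unit, and that a missing or other value means caching is disabled; the sample configurations are constructed.

```python
"""Audit key-cache settings in a CADP for C PKCS#11 properties file.

Added example, not part of the CADP product. Assumes `Name=Value` lines,
`#` comments, and that both expiry parameters share the same unit.
"""

ENABLE_PARAMS = ("Symmetric_Key_Cache_Enabled", "Asymmetric_Key_Cache_Enabled")


def parse_properties(text):
    """Parse `Name=Value` lines, ignoring blank lines and `#` comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip()
    return props


def audit_key_cache(props):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    enabled = False
    for name in ENABLE_PARAMS:
        value = props.get(name, "").lower()   # assumption: absent = disabled
        if value == "tcp_ok":
            enabled = True
            findings.append(f"{name}=tcp_ok allows key download over plain TCP; use yes with SSL")
        elif value == "yes":
            enabled = True
    if not enabled:
        return findings  # nothing is cached, so the expiry ordering is moot
    try:
        expiry = int(props["Symmetric_Key_Cache_Expiry"])
        persistent = int(props["Persistent_Cache_Expiry_Keys"])
    except (KeyError, ValueError) as exc:
        findings.append(f"cannot compare cache expiries: {exc!r}")
        return findings
    if expiry >= persistent:
        findings.append("Symmetric_Key_Cache_Expiry must be smaller than Persistent_Cache_Expiry_Keys")
    return findings


# Constructed samples: the first allows TCP and reverses the expiry ordering.
WEAK_CONFIG = "Symmetric_Key_Cache_Enabled=tcp_ok\nSymmetric_Key_Cache_Expiry=86400\nPersistent_Cache_Expiry_Keys=43200\n"
HARDENED_CONFIG = "# constructed sample\nSymmetric_Key_Cache_Enabled=yes\nAsymmetric_Key_Cache_Enabled=yes\nSymmetric_Key_Cache_Expiry=3600\nPersistent_Cache_Expiry_Keys=43200\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_key_cache(parse_properties(cfg)) or ["ok"])
```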