Symmetric/Asymmetric Key Caching
Key caching allows you to export symmetric/asymmetric keys from the CipherTrust Manager by using the NAE XML protocol and store them on the client for a limited time to perform cryptographic operations locally.
Keys cached on the client are stored in the process memory only. They are not stored on the disk. This feature can improve performance, specifically if network latency is high, encryption sizes are small, and local CPU cycles are available. Once keys are cached, the client’s cryptographic operations can continue without access to the server.
Only symmetric keys (based on AES, HMACSHA1, HMACSHA256, HMACSHA384 and HMACSHA512 algorithms) and asymmetric keys that are marked Exportable can be cached. In addition, the user must have export privileges for the key. Thus, the user must be the key owner or the key must be global. The user automatically has full encryption and decryption privileges for all keys in the client cache; while in the cache, authorization policies are ignored. Key permissions are supported in cache.
Warning
The client and its connection to the CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attacks. When using symmetric/asymmetric key caching, ensure that you are using a secure download method and that the operating system of the client is secure.
How it Works
The following steps describe what happens when the feature is enabled and the client requests a key:
1. The client requests a key.
2. The client checks whether Symmetric_Key_Cache_Enabled/Asymmetric_Key_Cache_Enabled is yes (or tcp_ok). If the feature is enabled, the client searches for the key in the key cache.
3. The client does not find the key in the cache.
4. The client requests the key from the server. If you have permission and the key is exportable, the server downloads the key to the client. The key is stored in the cache.
5. Subsequent requests for that key use the key cache until the time set in Key_Cache_Expiry has passed.
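The lookup-then-download flow above, modelled as an added example (not CipherTrust Manager or CADP provider code): KeyCacheModel, ServerKey, may_export and the sample key table are assumptions, and the server is a stand-in callable that applies the export rule the page states (key marked Exportable, caller owns it or the key is global).

```python
from dataclasses import dataclass
from typing import Callable, Optional
# Assumed, page-inspired model of the client-side key cache; not the CADP .NET provider's code.
@dataclass(frozen=True)
class ServerKey:
    key_bytes: bytes
    exportable: bool
    is_global: bool
    owner: str

def may_export(key: ServerKey, user: str) -> bool:
    """Export rule from the page: key marked Exportable, and caller owns it or the key is global."""
    return key.exportable and (key.is_global or key.owner == user)

class KeyCacheModel:
    def __init__(self, cache_enabled: bool, key_cache_expiry: float,
                 fetch_from_server: Callable[[str, str], Optional[ServerKey]]):
        self._enabled = cache_enabled    # Symmetric_Key_Cache_Enabled = yes (or tcp_ok)
        self._expiry = key_cache_expiry  # Key_Cache_Expiry, in seconds
        self._fetch = fetch_from_server  # stand-in for the NAE XML key request
        self._cache: dict[str, tuple[bytes, float]] = {}  # process memory only, never on disk

    def get_key(self, user: str, key_name: str, now: float) -> tuple[bytes, bool]:
        """Return (key bytes, served_from_cache) following the steps under 'How it Works'."""
        if self._enabled and key_name in self._cache:
            key_bytes, cached_at = self._cache[key_name]
            if now - cached_at < self._expiry:
                return key_bytes, True
            del self._cache[key_name]  # expired: fall through and download again
        key = self._fetch(user, key_name)
        if key is None:
            raise PermissionError(f"{key_name!r} is not exportable by {user!r}")
        if self._enabled:
            self._cache[key_name] = (key.key_bytes, now)
        return key.key_bytes, False

# Constructed sample key table standing in for the CipherTrust Manager.
SAMPLE_STORE = {
    "aes-global": ServerKey(b"\x11" * 32, exportable=True, is_global=True, owner="alice"),
    "aes-alice": ServerKey(b"\x22" * 32, exportable=True, is_global=False, owner="alice"),
    "aes-locked": ServerKey(b"\x33" * 32, exportable=False, is_global=True, owner="alice"),
}

def sample_server(user: str, key_name: str) -> Optional[ServerKey]:
    key = SAMPLE_STORE.get(key_name)
    return key if key is not None and may_export(key, user) else None

def demo_cache(expiry_seconds: float = 60.0) -> list[bool]:
    # Three requests for one key: download, cache hit, then past expiry (re-download).
    cache = KeyCacheModel(True, expiry_seconds, sample_server)
    return [cache.get_key("bob", "aes-global", t)[1] for t in (0.0, 10.0, 61.0)]
```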
Symmetric Key Caching
Supported Algorithms
Symmetric key caching is supported for specific algorithms in these classes:
NaeRijndaelKey (for AES algorithm only, not AES/GCM)
NaeHmacKey (for HMACSHA1, HMACSHA256, HMACSHA384, and HMACSHA512 algorithms)
NaeAesGcm (for AES/GCM)
NaeFpe (for FPE/AES/CARD10, FPE/AES/CARD26)
Related Parameters
To use the symmetric key cache, set the following parameters in the properties file:
Symmetric_Key_Cache_Enabled
Key_Cache_Expiry
Refer to Caching Parameters for more about the caching-related configuration properties.
Caution
The server will log all key downloads in the Server logs. The client will log when key caching is enabled. When Log_Level is set to HIGH, the client will log the following actions:
• Key downloads
• Use of downloaded key
• Deletion of key from cache
Asymmetric Key Caching
Supported Functions
The following functions are supported by the asymmetric key cache feature:
byte[] Encrypt(byte[] data, RSAEncryptionPadding padding)
byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)
public byte[] SignData(byte[] inputdata, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
public bool VerifyData(byte[] inputdata, byte[] signedData, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
Note
SignData does not work when the key size is 1024 bit, HashAlgorithmName is SHA256 and RSASignaturePadding is Pss.
Note
The sign/verify operation is not supported with SHA384withRSA/PSSPadding and SHA512withRSA/PSSPadding for the RSA-512 key size.
Supported Operations
The following operations are supported by the asymmetric key cache feature:
Encrypt/Decrypt
Sign/SignVerify
Related Parameters
To use the asymmetric key cache, set the following parameters in the properties file:
Asymmetric_Key_Cache_Enabled
Key_Cache_Expiry
Refer to Caching Parameters for more about the caching-related configuration properties.
The server logs all key downloads in the NAE log. The client logs when key caching is enabled. When Log_Level is set to HIGH, the client logs the following actions:
• Key downloads
• Use of downloaded key
• Deletion of key from cache