Please Note:

Administration
Overview
Quick Start
Upgrade from PA/CAP for .NET Core to CADP for .NET Core
Tasks
- Create an NAE Session
- Setting up SSL with CipherTrust Manager
- Add Multiple CipherTrust Manager Servers
- Key Operations
  - Creating a Key
  - Creating a New Version of the Versioned Key
  - Using a Versioned Key to Decrypt, SignV, and MACV
  - Getting an Instance of a Key Object
  - Alternative Method to Get an Instance of a Key Object
  - Deleting a Key using the Key Name
  - Exporting a Key
  - Exporting a Warapped Key
  - Setting a Key Mode and Padding
  - Getting Attributes of a Key
  - Exporting all Versions of a Versioned Key
- Generate and Verify MAC
- Encrypt a String Using an AES Key
- Decrypt a String Using an AES Key
- Encrypt a String Using an RSA Key
- Decrypt a String Using an RSA Key
- Sign and SignVerify Data using an RSA Key
- Enable Connection Pooling
- Enable Symmetric Key Caching
- Enable Asymmetric Key Caching
- Set Logging Parameters
- Change the Default Value of Connection Timeout
Advanced Topics
- Configuration
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Caching Parameters
  - Logging Parameters
  - SSL Configuration Parameters
  - Miscellaneous Configuration Parameters
- Concepts
  - Connection Pooling
  - Load Balancing Group
  - Multi-tier Load Balancing Group
  - Symmetric/Asymmetric Key Caching
- Connection Pooling
- Supported Services & Operations
  - Supported Cryptographic Operations
- NAE Supported Functions
  - Supporting Calls
  - Connection Calls
  - Key-related Calls
  - MAC/Hash-related Calls
  - Security Considerations
- Format Preserving Encryption
- API Definitions
- Alternate Method to Add Nuget Package
- Troubleshooting

CADP for .NET Core
Administration
Advanced Topics
Concepts
Symmetric/Asymmetric Key Caching

Symmetric/Asymmetric Key Caching

Key caching allows you to export symmetric/asymmetric keys from the CipherTrust Manager by using the NAE XML protocol and store them on the client for a limited time to perform cryptographic operations locally.

Keys cached on the client are stored in the process memory only. They are not stored on the disk. This feature can improve performance, specifically if network latency is high, encryption sizes are small, and local CPU cycles are available. Once keys are cached, the client’s cryptographic operations can continue without access to the server.

Only symmetric keys (based on AES, HMACSHA1, HMACSHA256, HMACSHA384 and HMACSHA512 algorithms) and asymmetric keys that are marked Exportable can be cached. In addition, the user must have export privileges for the key. Thus, the user must be the key owner or the key must be global. The user automatically has full encryption and decryption privileges for all keys in the client cache; while in the cache, authorization policies are ignored. Key permissions are supported in cache.

Warning

The client and its connection to the CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attacks. When using symmetric/asymmetric key caching, ensure that you are using a secure download method and that the operating system of the client is secure.

How it Works

The following steps describe what happens when the feature is enabled and the client requests a key:

The client requests a key.
The client checks whether Symmetric_Key_Cache_Enabled/Asymmetric_Key_Cache_Enabled is yes (or tcp_ok). If the feature is enabled, the client searches for the key in the key cache.
The client does not find the key in the cache.
The client requests the key from the server. If you have permission and the key is exportable, the server downloads the key to the client. The key is stored in the cache.
Subsequent requests for that key use the key cache until the time set in Key_Cache_Expiry is passed.

Symmetric Key Caching

Supported Algorithms

Symmetric key caching is supported for specific algorithms in these classes:

NaeRijndaelKey (for AES algorithm only, not AES/GCM)
NaeHmacKey (for HMACSHA1, HMACSHA256, HMACSHA384, and HMACSHA512 algorithms)
NaeAesGcm (for AES/GCM)
NaeFpe (for FPE/AES/CARD10, FPE/AES/CARD26)

Related Parameters

To use the symmetric key cache, you will have to set the following parameters in the properties file:

Symmetric_Key_Cache_Enabled
Key_Cache_Expiry

Refer to Caching Parameters to know more about the caching configuration related properties.

Caution

The server will log all key downloads in the Server logs. The client will log when key caching is enabled. When Log_Level is set to HIGH, the client will log the following actions:
• Key downloads
• Use of downloaded key
• Deletion of key from cache

Asymmetric Key Caching

Supported Functions

The following functions are supported by the asymmetric key cache feature:

byte[] Encrypt(byte[] data, RSAEncryptionPadding padding)
byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)
public byte[] SignData(byte[] inputdata, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
Note
SignData does not work when key size is 1024 bit, HashAlgorithmName is SHA256 and RSASignaturePadding is Pss.
Note
The sign/verify operation is not supported with SHA384withRSA/PSSPadding and SHA512withRSA/PSSPadding for RSA-512 key size.
public bool VerifyData(byte[] inputdata, byte[] signedData, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)

Supported Operations

The following operations are supported by the asymmetric key cache feature:

Encrypt/Decrypt
Sign/SignVerify

Related Parameters

To use the asymmetric key cache, set the following parameters in the properties file:

Asymmetric_Key_Cache_Enabled
Key_Cache_Expiry

Refer to Caching Parameters to know more about the caching configuration related properties.

The server logs all key downloads in the NAE log. The client logs when key caching is enabled. When Log_Level is set to HIGH, the client logs the following actions:
• Key downloads
• Use of downloaded key
• Deletion of key from cache

Suggest A Change

Symmetric/Asymmetric Key Caching

How it Works

Symmetric Key Caching

Supported Algorithms

Asymmetric Key Caching

Supported Functions

Supported Operations

On this page