Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Advanced Topics

Symmetric/Asymmetric Key Caching

search

Please Note:

Symmetric/Asymmetric Key Caching

The key caching feature allows you to export symmetric and asymmetric keys from the server using the NAE XML protocol, and store them on the client for a limited time to perform cryptographic operations locally. Keys cached on the client are stored in the process memory, not on the disk.

This feature improves performance, specifically if:

  • Network latency is high

  • Encryption sizes are small

  • Local CPU cycles are available

Once keys are cached, the client's cryptographic operations can continue without access to the server.

To use this feature, the keys must be marked Exportable and you must have export privileges for the key. Therefore, you must be the key owner or the key must be global.

Note

When using the key caching feature, ensure you are using a secure method of download, and the client operating system is secure.

CADP for .NET Core supports:

How Symmetric/Asymmetric Key Caching Works

  1. The client requests a key.

  2. The client checks whether the Symmetric_Key_Cache_Enabled or Asymmetric_Key_Cache_Enabled parameter is enabled, and searches for the key in the cache.

  3. The client does not find the key in the cache.

  4. The client requests the key from the server. If you have permission and the key is Exportable, the server downloads the key to the client. The key is stored in the cache.

  5. Subsequent requests for that key use the key cache until the time set in Symmetric_Key_Cache_Expiry has passed.

Logging

The server logs all the key downloads in the NAE log. The client logs are recorded when the key caching is enabled. When Log_Level is set to HIGH, the client logs the following actions:

  • Keys downloaded

  • Use of downloaded keys

  • Deletion of keys from cache

Symmetric Key Caching

The symmetric key caching allows you to export symmetric keys from the server. Only symmetric keys that have been marked Exportable can be cached.

Supported Algorithms

  • NaeAesGcm (for AES/GCM)

  • NaeFpe (for FPE/AES/CARD10, FPE/AES/CARD26)

  • NaeRijndaelKey (for AES algorithm only, not AES/GCM)

  • NaeHmacKey (for HMACSHA1, HMACSHA256, HMACSHA384, and HMACSHA512 algorithms)

To use the symmetric key cache, set the following parameters in the properties file:

Symmetric_Key_Cache_EnabledKey_Cache_Expiry

Refer to Caching Parameters for details about the caching configuration related properties.

Asymmetric Key Caching

The asymmetric key caching allows you to export asymmetric keys from the server. Only asymmetric keys that have been marked Exportable can be cached.

Supported Functions

  • byte[] Encrypt(byte[] data, RSAEncryptionPadding padding)

  • byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)

  • public byte[] SignData(byte[] inputdata, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)

    Note

    • SignData does not work when key size is 1024 bit, HashAlgorithmName is SHA256 and RSASignaturePadding is Pss.

    • The sign/verify operation is not supported with SHA384withRSA/PSSPadding and SHA512withRSA/PSSPadding for RSA-512 key size.

  • public bool VerifyData(byte[] inputdata, byte[] signedData, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)

Supported Operations

  • Encrypt/Decrypt

  • Sign/SignVerify

To use the asymmetric key cache, set the following parameters in the properties file:

Asymmetric_Key_Cache_EnabledKey_Cache_Expiry

Refer to Caching Parameters for details about the caching configuration related properties.

On this page