Key Caching
This section describes how to use the key caching features.
Symmetric/Asymmetric Key Caching
The key caching feature lets you export symmetric and asymmetric keys from the server using NAE-XML and store them on the client for a limited time, so that cryptographic operations can be performed locally. Keys cached on the client are held in process memory only; they are never written to disk. Caching can improve performance, particularly when network latency is high, the data being encrypted is small, and local CPU cycles are available. Once a key is cached, the client's cryptographic operations with that key continue without access to the server.
Only symmetric and asymmetric keys that have been marked Exportable can be cached. In addition, you must have export privileges for the key: you must be the key owner or the key must be global. A cached key carries no policy with it: the client automatically has full encryption and decryption privileges for every key in its cache, and key permissions and authorization policies are not enforced while a key is in the cache. A permission or policy change made on the server therefore does not take effect on the client until the cached copy expires.
Caution
Your client and its connection to the CipherTrust Manager must be secure. Downloading keys over this connection and holding them on the client exposes them to attack: anyone who can intercept an unprotected connection, or read the client process's memory, can obtain the key material. When using key caching, make sure that keys are downloaded over a secure (SSL) connection and that the client's operating system is hardened.
How it Works
The following steps describe what happens when the feature is enabled and the client requests a key:
1. The client checks whether caching is enabled for that key type: for a symmetric key, whether `Symmetric_Key_Cache_Enabled` is `yes` (or `tcp_ok`); for an asymmetric key, whether `Asymmetric_Key_Cache_Enabled` is `yes` (or `tcp_ok`). If caching is enabled, the client searches for the key in its key cache.
2. If the key is not in the cache, the client requests it from the server.
3. If you have export permission and the key is exportable, the server returns the key to the client, which stores it in the cache.
4. Subsequent requests for that key are served from the cache until the time set in `Symmetric_Key_Cache_Expiry` has passed.
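The sequence above, modelled as an added Python example that is not part of the CipherTrust Manager documentation or its client libraries: a simulated server, a cache that is cleaned only when it is used, and a scenario showing that a permission change on the server is not seen by the client until the cached copy expires. The server, the user and key names, and the treatment of the expiry value as seconds are assumptions of the example; only the two parameter names come from this page.

```python
"""Model of the client-side key cache flow described above.

Added example, not code from CipherTrust Manager or any NAE client library.
The server, its permission checks, the clock and the key material are all
simulated; only the Symmetric_Key_Cache_Enabled and
Symmetric_Key_Cache_Expiry parameter names come from the documentation.
The expiry is treated as a number of seconds, which is an assumption.
"""
from dataclasses import dataclass


@dataclass
class ServerKey:
    material: bytes
    exportable: bool
    owner: str
    is_global: bool = False


class FakeServer:
    """Stand-in for the CipherTrust Manager key store (constructed for the example)."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.requests = 0  # server round trips made by the client

    def export_key(self, name, user):
        self.requests += 1
        key = self.keys[name]
        if not key.exportable:
            raise PermissionError(f"{name} is not marked Exportable")
        if not (key.is_global or key.owner == user):
            raise PermissionError(f"{user} has no export privilege on {name}")
        return key.material


class KeyCache:
    """Process-memory key cache with the lazy expiry the page describes."""

    def __init__(self, server, user, properties):
        self.server, self.user = server, user
        self.enabled = properties.get("Symmetric_Key_Cache_Enabled", "no") in ("yes", "tcp_ok")
        self.expiry = int(properties["Symmetric_Key_Cache_Expiry"])
        self._cache = {}  # name -> (material, time cached); never written to disk

    def get_key(self, name, now):
        if not self.enabled:
            return self.server.export_key(name, self.user)
        # The cache is cleaned only when it is used, so an expired key can
        # linger in memory until the next lookup.
        for stale in [n for n, (_, t) in self._cache.items() if now - t >= self.expiry]:
            del self._cache[stale]
        if name in self._cache:
            return self._cache[name][0]  # hit: no round trip, no permission check
        material = self.server.export_key(name, self.user)
        self._cache[name] = (material, now)
        return material


def run_scenario():
    """Walk through the steps above and return what the client observes."""
    server = FakeServer({
        "app-aes256": ServerKey(b"\x11" * 32, exportable=True, owner="alice"),
        "hsm-only": ServerKey(b"\x22" * 32, exportable=False, owner="alice"),
    })
    props = {"Symmetric_Key_Cache_Enabled": "yes", "Symmetric_Key_Cache_Expiry": "60"}
    cache = KeyCache(server, "alice", props)
    seen = {}

    cache.get_key("app-aes256", now=0)   # miss: fetched from the server and cached
    seen["requests_after_first_use"] = server.requests
    cache.get_key("app-aes256", now=10)  # hit: served from process memory
    seen["requests_after_second_use"] = server.requests

    # The owner clears the Exportable flag on the server; the client keeps
    # using its cached copy regardless, because policy is ignored in the cache.
    server.keys["app-aes256"].exportable = False
    seen["served_after_server_change"] = cache.get_key("app-aes256", now=20) == b"\x11" * 32

    # Only after the cached copy expires does the next request reach the
    # server and get refused.
    try:
        cache.get_key("app-aes256", now=61)
        seen["denied_after_expiry"] = False
    except PermissionError:
        seen["denied_after_expiry"] = True

    # A key never marked Exportable cannot enter the cache at all.
    try:
        cache.get_key("hsm-only", now=61)
        seen["non_exportable_cached"] = True
    except PermissionError:
        seen["non_exportable_cached"] = False

    seen["total_server_requests"] = server.requests
    return seen
```

The point to take from the scenario is the third observation: the server-side change is invisible to the client for the rest of the expiry window, so choose `Symmetric_Key_Cache_Expiry` with your revocation requirements in mind rather than only for performance.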
Related Parameters
To use the key cache, set the following parameters in the properties file:
Parameter | Description |
---|---|
Symmetric_Key_Cache_Enabled | Enables symmetric key caching. Must be set to `yes` or `tcp_ok`. Tip: TCP is not a secure communication protocol; prefer `yes`. |
Asymmetric_Key_Cache_Enabled | Enables asymmetric key caching. Must be set to `yes` or `tcp_ok`. |
Symmetric_Key_Cache_Expiry | The time after which a key may be removed from the key cache. The cache is cleaned only when it is used, so a key may remain in memory longer than this value. |
Note
`Symmetric_Key_Cache_Expiry` applies to both symmetric and asymmetric key caching; there is no separate expiry parameter for the asymmetric cache.
Selecting `yes` enables key caching over an SSL connection only; therefore, you must also configure SSL. Selecting `tcp_ok` enables key caching over both TCP and SSL connections, which means keys may be exported in the clear over an unencrypted TCP connection.
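A check for these settings, as an added example that is not code from CipherTrust Manager or its client libraries: it parses the properties file and reports a `tcp_ok` setting, a missing SSL configuration and a long expiry. The `key=value` file layout, the `Protocol=ssl` parameter used to test the SSL prerequisite, the treatment of the expiry as seconds, and the one-hour threshold are assumptions of the example; the three cache parameters and their `yes`/`tcp_ok` values are the ones listed above.

```python
"""Lint the key-cache settings in an NAE client properties file.

Added example, not part of the CipherTrust Manager documentation or its
client libraries. The three *_Key_Cache_* parameters and their yes/tcp_ok
values are the ones the page lists. The key=value file layout, the
Protocol=ssl parameter used to check the SSL prerequisite, the expiry unit
(seconds) and the one-hour threshold are assumptions made for this example.
"""

CACHE_FLAGS = ("Symmetric_Key_Cache_Enabled", "Asymmetric_Key_Cache_Enabled")
LONG_EXPIRY = 3600  # assumed threshold; tune to how fast revocation must propagate


def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comment lines (assumed format)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_key_cache(props):
    """Return (severity, message) findings for the key-cache settings."""
    findings = []
    enabled = []
    for flag in CACHE_FLAGS:
        value = props.get(flag, "no").lower()
        if value == "tcp_ok":
            enabled.append(flag)
            findings.append(("HIGH", f"{flag}=tcp_ok permits key export over plaintext TCP"))
        elif value == "yes":
            enabled.append(flag)
        elif value != "no":
            findings.append(("ERROR", f"{flag} must be yes or tcp_ok, got {value!r}"))
    if not enabled:
        return findings  # nothing is cached, nothing else to check

    # 'yes' only caches over SSL, so SSL must be configured (Protocol name assumed).
    if props.get("Protocol", "").lower() != "ssl":
        findings.append(("HIGH", "key caching is enabled but Protocol is not ssl"))

    expiry = props.get("Symmetric_Key_Cache_Expiry")  # governs both caches
    if expiry is None:
        findings.append(("ERROR", "Symmetric_Key_Cache_Expiry is not set"))
    elif not expiry.isdigit():
        findings.append(("ERROR", f"Symmetric_Key_Cache_Expiry must be an integer, got {expiry!r}"))
    elif int(expiry) > LONG_EXPIRY:
        findings.append(("MEDIUM", f"Symmetric_Key_Cache_Expiry={expiry}: server-side "
                                   "permission changes are not seen until a cached key expires"))
    return findings


# Constructed sample files, not taken from any real deployment.
WEAK_CONFIG = """\
# caches symmetric keys over plaintext TCP and keeps them for a day
Protocol=tcp
Symmetric_Key_Cache_Enabled=tcp_ok
Asymmetric_Key_Cache_Enabled=no
Symmetric_Key_Cache_Expiry=86400
"""

HARDENED_CONFIG = """\
# caches over SSL only, with a short expiry
Protocol=ssl
Symmetric_Key_Cache_Enabled=yes
Asymmetric_Key_Cache_Enabled=yes
Symmetric_Key_Cache_Expiry=300
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_key_cache(parse_properties(text)))
```

Run against the weak sample the checker reports the `tcp_ok` setting, the missing SSL protocol and the long expiry; the hardened sample produces no findings.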