Run a Windows CNG application as Crypto Officer limited to key handling ability at Crypto User level

NOTE    KSP works with Crypto Officer only.

You might wish to implement the following scenario:

>create keys (requires the CO to have read/write capability on the partition, meaning that Partition Policy 28 - Allow Key Management Functions is set to ON)

>but also permit an application or service to make ongoing use of those keys without an ability to change/create/delete them (meaning that Partition Policy 28 - Allow Key Management Functions is set to OFF)

>from time to time, create new keys or delete old ones, etc. (requires the CO to have read/write capability on the partition, meaning that Partition Policy 28 - Allow Key Management Functions is set to ON again)

>then resume using your application, still as CO, without an ability to change/create/delete keys (meaning that Partition Policy 28 - Allow Key Management Functions is set to OFF again)

>but Partition Policy 28 is destructive when set from OFF (0) to ON (1), so each return to ON would zeroize the partition

It is possible to implement such a scheme by initializing the partition using a Partition Policy Template file (see Setting Partition Policies Using a Template), which allows you to override the destructiveness setting, as follows:

Prerequisites

>The partition is created (see partition create for Luna Network HSM 7, partition create for Luna PCIe HSM 7, or partition create for Luna USB HSM 7).

To restrict Crypto Officer power for a KSP-using application, while temporarily enabling full capability for partition management

1. Create a basic default policy template file.

lunacm:> partition showpolicies -slot <slotnum> -verbose -exporttemplate <filename.policy>

2. In that file, edit policy 28

FROM its default value of

28:"Allow Key Management Functions":1:1:0

(This means that setting Key Management from OFF to ON will zeroize the partition.)

TO a new value of

28:"Allow Key Management Functions":1:0:0

(This removes the destructiveness.)

TIP   In the file, you can delete any of the other entries where you intend to use the default values.
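The edit in step 2, as an added Python example that is not part of this page or of the Luna/lunacm tooling: it reads a template exported by partition showpolicies, clears the destructive-on-enable flag of policy 28, and copies every other line verbatim, so entries you deleted to keep their defaults are not affected. The five-field line layout (id, quoted description, value, destructive when switched OFF to ON, a fifth flag) is inferred from the two template lines shown on the page; the meaning of the fifth field is not described there and is an assumption, so the script never touches it. The sample template content is constructed, not real lunacm output.

```python
"""Make policy 28 non-destructive in a lunacm partition policy template.

Assumed line layout, inferred from the two template lines on the page:
    <id>:"<description>":<value>:<destructive when set OFF->ON>:<fifth flag>
The fifth field is not described on the page; it is passed through unchanged.
"""
import re
import sys
from pathlib import Path

KEY_MGMT_POLICY = 28  # "Allow Key Management Functions"

# One template entry: id, quoted description, then three numeric fields.
ENTRY_RE = re.compile(r'^\s*(\d+):"([^"]*)":(\d+):(\d+):(\d+)\s*$')


def parse_entry(line):
    """Return (id, description, value, destructive_on, fifth) or None for non-entry lines."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    pid, desc, value, destructive_on, fifth = m.groups()
    return int(pid), desc, value, destructive_on, fifth


def is_destructive_on_enable(text, policy_id=KEY_MGMT_POLICY):
    """True if the template still marks the policy as destructive when set OFF->ON.

    Raises ValueError if the policy is not present in the template.
    """
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and entry[0] == policy_id:
            return entry[3] != "0"
    raise ValueError(f"policy {policy_id} not found in template")


def make_nondestructive(text, policy_id=KEY_MGMT_POLICY):
    """Return (new_text, changed): the template with the policy's destructive flag cleared.

    Every line that is not the target entry is copied verbatim, so entries the
    operator deleted (to keep defaults, as the TIP suggests) and any other
    lines survive untouched. Running it twice is a no-op (changed == False).
    """
    out = []
    found = False
    changed = False
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry[0] != policy_id:
            out.append(line)
            continue
        found = True
        pid, desc, value, destructive_on, fifth = entry
        if destructive_on != "0":
            changed = True
        # Keep the current value (1 = ON after template init) and the fifth
        # field; only the OFF->ON destructiveness flag is cleared.
        out.append(f'{pid}:"{desc}":{value}:0:{fifth}')
    if not found:
        raise ValueError(f"policy {policy_id} not found in template")
    return "\n".join(out) + "\n", changed


def rewrite_template(path):
    """Edit the exported template file in place; returns True if it was modified."""
    path = Path(path)
    new_text, changed = make_nondestructive(path.read_text())
    if changed:
        path.write_text(new_text)
    return changed


# Constructed sample of an exported template (not real lunacm output):
SAMPLE_TEMPLATE = (
    '7:"Constructed example policy":0:0:0\n'
    '28:"Allow Key Management Functions":1:1:0\n'
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("modified" if rewrite_template(sys.argv[1]) else "already non-destructive")
    else:
        fixed, _ = make_nondestructive(SAMPLE_TEMPLATE)
        print(fixed, end="")
```

Run it with the exported file name as the only argument (for example the <filename.policy> from step 1) to edit in place, or with no argument to see the constructed sample rewritten. Because the script refuses to proceed when policy 28 is absent, a template from which that entry was deleted is never silently left with the default destructive setting.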

3. Initialize a partition with the newly created template.

lunacm:> partition init -label <label string> -password <password> -domain <domainstring if PW-auth> -applytemplate <filename.policy> -force

Complete the mandatory steps of creating new roles and changing the initial password.

4. Log in as Partition Security Officer.

lunacm:> role login -name PO

5. Initialize the Crypto Officer role.

lunacm:> role init -name CO

6. Log in as Crypto Officer.

lunacm:> role logout

lunacm:> role login -name CO

7. Partition policy 28 should currently be ON (from partition initialization with the template file). Generate keys by whatever means you normally employ.

8. Log in as Partition Security Officer.

lunacm:> role logout

lunacm:> role login -name PO

9. Switch policy 28 to OFF, to disallow key management.

lunacm:> partition changepolicy -policy 28 -value 0

In this state, the CO (or an application authenticated with the CO credential) can use any key that is currently in the partition, but cannot delete keys or add new ones. This permits the CO, when logged in, to provide application access via KSP/CNG while limiting key use to the read-only capability of the Crypto User level.

10. Log in as Crypto Officer.

lunacm:> role logout

lunacm:> role login -name CO

Run your KSP/CNG-using application that needs CO credentials (but not full CO read-write capability) to make use of existing keys.

11. Whenever it is necessary to manage keys in the partition (delete existing ones, create new ones, etc.), first shut down the application or service (for example, a code-signing service) and then switch Partition Policy 28 to ON.

lunacm:> role logout

lunacm:> role login -name PO

lunacm:> partition changepolicy -policy 28 -value 1

lunacm:> role logout

lunacm:> role login -name CO

In this state, the CO has full ability to add, delete, or change objects in the partition, and the application is paused so that it does not make use of the expanded powers.

12. Generate a new keypair or perform other management functions in the partition.

13. When the key management action is done, switch Partition Policy 28 back to OFF.

lunacm:> role logout

lunacm:> role login -name PO

lunacm:> partition changepolicy -policy 28 -value 0

lunacm:> role logout

lunacm:> role login -name CO

14. Resume operation of your application or service, via KSP/CNG, as the CO role, but with CU role limitations.