Key Backup Feature Tutorial

This section illustrates the use of KMU for Key Backup, which can be used to ensure keys, certificate objects and other PKCS#11 objects can be recovered after a failure or tamper. 

It contains the following subsections:

>Key Definitions

>Creation of Encrypted Key Set to Backup (Payload)

>Backup to File

>Backup to Smart Card – Single Custodian Mode

>Backup to Smart Card – Multiple Custodian Mode

Two storage media options are available:

>smart card

>file (hard disk drive)

For smart card media, there are two modes available:

>single-custodian

>multiple-custodian

All the PKCS#11 attributes for any key/object, including the security attributes, are backed up along with the key/object's value.

When backing up to smart card, the utility will automatically prompt for additional smart cards if the size of the backup is larger than one smart card.

The security officer and user PINs for a token cannot be backed up. Before a restore operation, the destination token must already be initialized and the security officer and user PINs set.

There are a number of additional keys generated, used, and then deleted during the backup process.

NOTE: The KMU application does not support using DES3 keys to make backups. You must use the CTKMU command-line application. Include the -3 option to specify DES3. For example:

ctkmu x -s0 -w des3key -3 backup.bin

See CTKMU for complete command syntax.

Key Definitions

wK

Wrapping key. The top-level key for the backup process. This key must be valid for the operation E2x. When performing a backup to file or a single-custodian backup to smart card, the custodian must provide this key. It is recommended that this be a triple length DES key.

For the multiple-custodian backup, this key is created from the randomly generated split components for each custodian.

tK

A randomly generated transport key, which is a triple length DES key, using CKM_DES3_KEY_GEN. This is the key that the keys/objects to be backed up will be wrapped under. This key is used with Wx.

mK

A randomly generated MAC key, which is a triple length DES key, using CKM_DES3_KEY_GEN. This key is used with Mx.

Ex

Encryption using CKM_DES3_ECB_PAD with key 'x'.

E2x

Encryption using CKM_(based on key type of 'x') with key 'x', e.g. CKM_DES3_ECB.

Wx

C_WrapKey() operation using CKM_WRAPKEY_DES3_CBC with key 'x'.

Rx

C_DeriveKey() operation using CKM_XOR_BASE_AND_DATA with key 'x' and provided data.

Mx

MAC generation, using CKM_DES3_MAC (4 byte MAC result) with key 'x'.

Creation of Encrypted Key Set to Backup (Payload)

The creation of the encoded payload to back up is common to all storage options. The payload can contain one or more keys/objects.

To create the encoded payload

1. Generate tK.

2. For each key/object to be backed up:

w = WtK(Key/Object)

The format of the resulting Payload is as follows:

p = N l1 w1 [l2 w2 [l3 w3 [… lN wN]]]

where N = number of keys/objects in the payload, li = length of wi, and wi = the i’th wrapped key data, i.e. WtK(Key/Object)

3. Generate mK.

4. Calculate the MAC for the Payload, m = MmK(p).
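
The payload framing from step 2, as an added example that is not KMU's own code. The page does not give field widths, so the 4-byte big-endian count and length fields, the MAX_OBJECTS limit and the function names are assumptions, and the wrapped blobs are constructed placeholder bytes.

```python
import struct

MAX_OBJECTS = 4096  # assumed sanity limit, not taken from the page


def encode_payload(wrapped):
    """Build p = N l1 w1 [l2 w2 ...] from a list of wrapped blobs wi = WtK(object)."""
    if not wrapped or any(len(w) == 0 for w in wrapped):
        raise ValueError("payload needs one or more non-empty wrapped objects")
    parts = [struct.pack(">I", len(wrapped))]      # N (assumed 4-byte big-endian)
    for w in wrapped:
        parts += [struct.pack(">I", len(w)), w]    # li, then wi
    return b"".join(parts)


def decode_payload(p):
    """Strict restore-side parser; run it only after the MAC m over p has verified.

    Every length is checked against the bytes actually present, so a truncated
    or padded payload is rejected instead of yielding short or extra blobs.
    """
    if len(p) < 4:
        raise ValueError("payload shorter than the count field")
    (count,) = struct.unpack_from(">I", p, 0)
    if not 1 <= count <= MAX_OBJECTS:
        raise ValueError("object count out of range")
    pos, blobs = 4, []
    for index in range(count):
        if len(p) - pos < 4:
            raise ValueError(f"object {index}: length field truncated")
        (length,) = struct.unpack_from(">I", p, pos)
        pos += 4
        if length == 0 or length > len(p) - pos:
            raise ValueError(f"object {index}: length {length} exceeds remaining data")
        blobs.append(p[pos:pos + length])
        pos += length
    if pos != len(p):
        raise ValueError("trailing bytes after the last wrapped object")
    return blobs


# Constructed sample: two opaque byte strings standing in for wrapped keys.
SAMPLE = encode_payload([b"\xaa" * 32, b"\xbb" * 40])
```
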

Backup to File

This is the simplest form of backup.  The only limitation is that the wrapping key must already exist.  This key must be able to be recreated after a tamper/failure before a restore can be performed.  It may be entered in components, have a known value, or be backed up using the multiple custodian backup mode (described below).

To back up to file

1. Encode mK with tK, emK = EtK(mK)

2. Encode tK with wK, etK = EwK(tK)

3. Write the binary file containing the backed up Payload. The format of the file is:

Header: Contains the version of the Backup Feature
length p: Length of the encoded Payload
p: Encoded Payload
m: MAC of the Payload
length emK: Length of the Encoded MAC key
emK: Encoded MAC key
length etK: Length of the Encoded Transport key
etK: Encoded Transport key

4. Delete mK and tK.

Backup to Smart Card – Single Custodian Mode

This backup mode is more secure than the backup to file mode because the payload is stored on a smart card instead of in a file. The payload data on the smart card is also protected by the custodian’s PIN, i.e. the PIN must be presented and authenticated to the smart card before the data can be read.

The only limitation is that the wrapping key must already exist.  This key must be able to be re-created after a tamper/failure before a restore can be performed.  It may be entered in components, have a known value, or be backed up using the multiple custodian backup mode (described below).

If the payload cannot fit on one smart card, then the backup process will prompt the custodian to continue entering new smart cards, until the entire payload has been exported.

To back up to Smart Card

1. Encode mK with tK, emK = EtK(mK)

2. Encode tK with wK, etK = EwK(tK)

3. Write the following data files to the smart card:

Header

Not protected by custodian’s PIN.

Contains the following information about the payload:

>Contains the version of the backup feature

>Name of this backup payload

>MAC of the complete payload

>MAC of the payload component on this smart card, i.e. MmK(p’)

>Timestamp of payload creation

>Total number of custodians

>Number of the custodian who owns this smart card

>Number of the current card being written

>Flag to indicate if encoded transport key (etK) is on this smart card

>Flag to indicate if encoded MAC key (emK) is on this smart card

>Size of the complete payload

>Size of the payload component on this smart card

>Offset of this payload component in the complete payload

>Name of custodian who owns this smart card

Payload

Protected by the custodian’s PIN.

The component of the payload contained on this smart card. This may be the entire payload.

etK

Protected by the custodian’s PIN.

Encoded transport key

This data file will only be located on the last smart card of the backup set.

emK

Protected by the custodian’s PIN.

Encoded MAC key

This data file will only be located on the last smart card of the backup set.

4. Delete mK and tK.

Backup to Smart Card – Multiple Custodian Mode

This backup mode is the most secure, because the payload is stored on smart cards and is split between a number of custodians. Also, the payload data on the smart card is protected by the custodian’s PIN, i.e. the PIN must be presented and authenticated to the smart card before the data can be read.

The top level wrapping key (wK) is randomly generated, and each custodian has a component of this key.  The entire set of smart cards is needed before the wrapping key can be successfully re-created.

If each custodian’s payload component cannot fit on one smart card, then the backup process will prompt the custodian to continue entering new smart cards, until their payload component has been exported.

To back up to a Smart Card in Multiple Custodian Mode

1. Create an initial intermediate wrapping key, which is a triple length DES key, wK’, with a value of zero.

Each custodian must then:

2. Generate random wrapping key component (24 bytes), wC

3. Derive new intermediate wrapping key wK’ = RwK(wC)

4. Delete the previous intermediate wrapping key (wK’-1)

5. Write the following data files to the smart card:

Header

Not protected by custodian’s PIN.

Contains the following information about the payload:

>Contains the version of the backup feature

>Name of this backup payload

>MAC of the complete payload

>MAC of the payload component on this smart card, i.e. MmK(p’)

>Timestamp of payload creation

>Total number of custodians

>Number of the custodian who owns this smart card

>Number of the current card being written

>Flag to indicate if encoded transport key (etK) is on this smart card

>Flag to indicate if encoded MAC key (emK) is on this smart card

>Size of the complete payload

>Size of the payload component on this smart card

>Offset of this payload component in the complete payload

>Name of custodian who owns this smart card

wC

Protected by the custodian’s PIN.

The wrapping key component for this custodian.

Payload

Protected by the custodian’s PIN.

The component of the payload contained on this smart card.

The last custodian must then:

6. Encode mK with tK, emK = EtK(mK)

7. Encode tK with the final wrapping key (wK = wK’), etK = EwK(tK)

8. Write the following data files to the smart card:

etK

Protected by the custodian’s PIN.

Encoded transport key

This data file will only be located on the last smart card of the last custodian of the backup set.

emK

Protected by the custodian’s PIN.

Encoded MAC key

This data file will only be located on the last smart card of the last custodian of the backup set.

9. Delete mK, tK and wK.
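
The wrapping key component scheme of steps 1 to 4, modelled in software as an added example that is not KMU's own code. It shows why the complete card set is required and why a restore should check the header's custodian numbers before combining components. Assumptions: the function names and the dict layout of a card are hypothetical, each custodian is represented by one entry, and DES parity bits are ignored.

```python
import secrets

KEY_LEN = 24  # bytes: triple length DES key and wC size, as stated on the page


def xor_base_and_data(base: bytes, data: bytes) -> bytes:
    """Software model of C_DeriveKey() with CKM_XOR_BASE_AND_DATA."""
    if len(base) != KEY_LEN or len(data) != KEY_LEN:
        raise ValueError("base key and component must both be 24 bytes")
    return bytes(b ^ d for b, d in zip(base, data))


def split_backup(total: int):
    """Steps 1-4: start from an all-zero wK' and fold in one random wC per custodian.

    Returns (wK, cards); each card holds the two header fields the restore
    check needs plus the PIN-protected component wC.
    """
    if total < 2:  # assumption: "multiple" custodians means at least two
        raise ValueError("multiple custodian mode needs at least two custodians")
    wk = bytes(KEY_LEN)
    cards = []
    for number in range(1, total + 1):
        wc = secrets.token_bytes(KEY_LEN)
        wk = xor_base_and_data(wk, wc)  # the previous intermediate key is discarded
        cards.append({"custodian": number, "total": total, "wC": wc})
    return wk, cards


def restore_wk(cards) -> bytes:
    """Rebuild wK, refusing incomplete or duplicated card sets.

    XOR is its own inverse, so a component presented twice cancels out and a
    missing one yields an unrelated key; the key value alone reveals neither,
    hence the header check before any component is combined.
    """
    if not cards:
        raise ValueError("no cards presented")
    total = cards[0]["total"]
    numbers = sorted(card["custodian"] for card in cards)
    if any(c["total"] != total for c in cards) or numbers != list(range(1, total + 1)):
        raise ValueError("card set must contain each custodian 1..total exactly once")
    wk = bytes(KEY_LEN)
    for card in cards:
        wk = xor_base_and_data(wk, card["wC"])
    return wk
```

The order in which custodians present their cards does not affect the result, because XOR is commutative.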