Key Backup Feature Tutorial

This section illustrates the use of KMU for Key Backup, which can be used to ensure keys, certificate objects and other PKCS#11 objects can be recovered after a failure or tamper. 

It contains the following subsections:

>Key Definitions

>Creation of Encrypted Key Set to Backup (Payload)

>Backup to File

>Backup to Smart Card – Single Custodian Mode

>Backup to Smart Card – Multiple Custodian Mode

Two storage media options are available:

>smart card

>file (hard disk drive)

For smart card media, there are two modes available:

>single-custodian

>multiple-custodian

All the PKCS#11 attributes for any key/object, including the security attributes, are backed up along with the key/object's value.

When backing up to smart card, the utility will automatically prompt for additional smart cards if the size of the backup is larger than one smart card.

NOTE   When logging in to a smart card, the card is locked after 7 consecutive incorrect PIN attempts. You must re-initialize the card to set a new PIN.

The security officer and user PINs for a token cannot be backed up. Before a restore operation, the destination token must be already initialized and the security officer and user PINs set.

There are a number of additional keys generated, used, and then deleted during the backup process.

NOTE   The KMU application does not support using DES3 keys to make backups. You must use the CTKMU command-line application. Include the –3 option to specify DES3. For example:

ctkmu x -s0 -w des3key -3 backup.bin

See CTKMU for complete command syntax.

Key Definitions

wK

Wrapping key. The top-level key for the backup process.  This key must be valid for the operation E2x. When performing a backup to file or single custodian to smart card, the custodian must provide this key. It is recommended that this be a triple length DES key.

For the multiple Custodian backup, this key is created from the randomly generated split components for each custodian.

tK A randomly generated transport key, which is a triple length DES key, using CKM_DES3_KEY_GEN. This is the key that the keys/objects to be backed up will be wrapped under. This key is used with Wx.
mK A randomly generated MAC key, which is a triple length DES key, using CKM_DES3_KEY_GEN. This key is used with Mx.
Ex Encryption using CKM_DES3_ECB_PAD with key 'x'.
E2x Encryption using CKM_(based on key type of ‘x’) with key 'x', e.g. CKM_DES3_ECB.
Wx C_WrapKey() operation using CKM_WRAPKEY_DES3_CBC with key 'x'.
Rx C_DeriveKey() operation using CKM_XOR_BASE_AND_DATA with key 'x' and provided data.
Mx MAC generation, using CKM_DES3_MAC (4 byte MAC result) with key 'x'.

Creation of Encrypted Key Set to Backup (Payload)

The creation of the encoded payload to backup is common to all storage options. The payload can contain one or more keys/objects.

To create the encoded payload

1.Generate tK.

2.For each key/object to be backed up:

w = WtK(Key/Object)

The format of the resulting Payload is as follows:

p = Nl1w1[l2w2[l3w3[…lNwN]]]

where N = Number of keys/objects in the payload, li = length of wi, and wi = The i’th wrapped key data, i.e. WtK(Key/Object)

3.Generate mK.

4.Calculate the MAC for the Payload, m = MmK(p).

Backup to File

This is the simplest form of backup.  The only limitation is that the wrapping key must already exist.  This key must be able to be recreated after a tamper/failure before a restore can be performed.  It may be entered in components, have a known value, or be backed up using the multiple custodian backup mode (described below).

To backup to file

1.Encode mK with tK, emK = EtK(mK)

2.Encode tK with wK, etK = EwK(tK)

3.Write the binary file containing the backed up Payload. The format of the file is:

Header Contains the version of the Backup Feature
length p Length of the encoded Payload
p Encoded Payload
m MAC of the Payload
length emK Length of the Encoded MAC key
emK Encoded MAC key
length etK Length of the Encoded Transport key
etK Encoded Transport key

4.Delete mK and tK.

Backup to Smart Card – Single Custodian Mode

This backup mode has more security than the backup to file mode because the payload is stored on a smart card instead of in a file. The payload data on the smart card is also protected by the custodian’s PIN, i.e. the PIN must be presented and authenticated to the smart card before the data can be read.

The only limitation is that the wrapping key must already exist.  This key must be able to be re-created after a tamper/failure before a restore can be performed.  It may be entered in components, have a known value, or be backed up using the multiple custodian backup mode (described below).

If the payload cannot fit on one smart card, then the backup process will prompt the custodian to continue entering new smart cards, until the entire payload has been exported.

To back up to Smart Card

1.Encode mK with tK, emK = EtK(mK)

2.Encode tK with wK, etK = EwK(tK)

3.Write the following data files to the smart card:

Header

Not protected by custodian’s PIN.

Contains the following information about the payload:

Contains the version of the backup feature

Name of this backup payload

MAC of the complete payload

MAC of the payload component on this smart card, i.e. MmK(p’)

Timestamp of payload creation

Total number of custodians

Number of the custodian who owns this smart card

Number of the current card being written

Flag to indicate if encoded transport key (etK) is on this smart card

Flag to indicate if encoded MAC key (emK) is on this smart card

Size of the complete payload

Size of the payload component on this smart card

Offset of this payload component in the complete payload

Name of custodian who owns this smart card

Payload

Protected by the custodian’s PIN.

The component of the payload contained on this smart card. This may be the entire payload.

etK

Protected by the custodian’s PIN.

Encoded transport key

This data file will only be located on the last smart card of the backup set.

emK

Protected by the custodian’s PIN.

Encoded MAC key

This data file will only be located on the last smart card of the backup set.

4.Delete mK and tK.

Backup to Smart Card – Multiple Custodian Mode

This backup mode has the most security. This is because the payload is stored on smart cards and the payload is split between a number of custodians.  Also, the payload data on the smart card is protected by the custodian’s PIN, i.e. the PIN must be presented and authenticated to the smart card before the data can be read.

The top level wrapping key (wK) is randomly generated, and each custodian has a component of this key.  The entire set of smart cards is needed before the wrapping key can be successfully re-created.

If each custodian’s payload component cannot fit on one smart card, then the backup process will prompt the custodian to continue entering new smart cards, until their payload component has been exported.

To back up to a Smart Card in Multiple Custodian Mode

1.Create an initial intermediate wrapping key, which is a triple length DES key, wK’, with a value of zero.

Each custodian must then:

2.Generate random wrapping key component (24 bytes), wC

3.Derive new intermediate wrapping key wK’ = RwK(wC)

4.Delete the previous intermediate wrapping key (wK’-1)

5.Write the following data files to the smart card:

Header

Not protected by custodian’s PIN.

Contains the following information about the payload:

Contains the version of the backup feature

Name of this backup payload

MAC of the complete payload

MAC of the payload component on this smart card, i.e. MmK(p’)

Timestamp of payload creation

Total number of custodians

Number of the custodian who owns this smart card

Number of the current card being written

Flag to indicate if encoded transport key (etK) is on this smart card

Flag to indicate if encoded MAC key (emK) is on this smart card

Size of the complete payload

Size of the payload component on this smart card

Offset of this payload component in the complete payload

Name of custodian who owns this smart card

wC

Protected by the custodian’s PIN.

The wrapping key component for this custodian.

Payload

Protected by the custodian’s PIN.

The component of the payload contained on this smart card.

The last custodian must then:

6.Encode mK with tK, emK = EtK(mK)

7.Encode tK with the final wrapping key (wK = wK’), etK = EwK(tK)

8.Write the following data files to the smart card:

etK

Protected by the custodian’s PIN.

Encoded transport key

This data file will only be located on the last smart card of the last custodian of the backup set.

emK

Protected by the custodian’s PIN.

Encoded MAC key

This data file will only be located on the last smart card of the last custodian of the backup set.

9.Delete mK, tK and wK.