Creating keys
This section describes the key types, key attribute types, and key creation functions supported by the Key Management Utility (KMU).
Note
To refresh the key information displayed on the Main KMU Interface, select Options > Refresh from the menu bar. The display is a representation of what the KMU has found on that token. If the token is modified by any other process, or the KMU is otherwise out of sync with the token, choosing this menu option refreshes the list.
The KMU can also export and import keys for key backup and/or key escrow. This feature uses the PKCS#11 concept of key wrapping: high-security key encryption keys (KEKs) wrap other KEKs and/or data keys. A KEK is a special key created with the Wrap attribute, which allows it to be used for this purpose. KEKs are usually created as split custodian keys because of their enhanced security.
Note
Only keys marked for export can be wrapped in this way, so it is possible to create keys that can never be extracted from the secure key storage.
Key Component creation is an important feature of ProtectToolkit-C, since it allows key material to be split up and distributed among multiple trusted custodians. All custodians must combine their components to reconstruct the keys. Key custodians can use smart cards for key component and authentication PIN data storage, or use a disk file for key component storage.
Available keys
The following single key types and key pair types are available when selecting a key operation.
Single key types
- DES
- Double DES
- Triple DES
- AES (16, 24, or 36 bytes)
- IDEA
- CAST128 (1 to 16 bytes)
- RC2 (1 to 128 bytes)
- RC4 (1 to 256 bytes)
- SEED
Key pair types
- RSA (Public)
- RSA (Private)
- DSA (Public)
- DSA (Private)
- DH (Public)
- DH (Private)
- EC (Public)
- EC (Private)
Key attribute types
You can specify what attributes a key will have when it is created. The following table describes the attributes which you can set when creating a key using the KMU.
Attribute | Description |
---|---|
Persistent | Stores the object on non-volatile memory. Persistent objects can be accessed after session termination. |
Private | Defines whether the user PIN protects the object. A private object is only accessible to an application that has supplied the user PIN. |
Sensitive | If a key is sensitive, the key’s value cannot be revealed in plain text. Once a key becomes Sensitive it cannot be modified to be non-sensitive. |
Modifiable | Indicates whether or not the object is modifiable, that is, if the object’s attributes can be modified after creation. |
Wrap | Indicates that the key can be used to wrap (that is, extract) other keys. |
Unwrap | Indicates that the key can be used to unwrap keys. |
Extractable | An extractable key can be wrapped (encrypted with another key) and extracted from the HSM. |
Export | Indicates the key can be used to export other keys (similar to the wrap function). |
Exportable | An exportable key can be wrapped (encrypted with another key), but only with keys marked with the Export attribute. |
Derive | Indicates that the key can be used in key derivation functions. |
Encrypt | Indicates that the key can be used for encryption. |
Decrypt | Indicates that the key can be used for decryption. |
Sign | Indicates that the key can be used for signing. |
Verify | Indicates that the key can be used for verifying signatures or MAC values. |
Creating a random secret key
1. Select an initialized token from the Select a Token drop-down box and select the Secret Key button in the toolbar. Alternatively, select Options > Create > Secret Key from the menu bar.
   The Generate Secret Key dialog is displayed.
2. Choose the type of key you wish to generate from the Mechanism drop-down box. If you are generating an AES, CAST, RC2 or RC4 key, you must specify a Key Size.
3. Enter a label for the key into the Label input field.
4. Select the desired key attributes by checking their boxes. See Key attribute types for descriptions of the individual attributes. There will be a default set of attributes checked for the key type.
5. Select OK to generate the secret key, or Cancel to reject your input and return to the previous menu.
   The generated key will be displayed in the Objects on Selected Token box on the main KMU interface.
Creating a random key pair
1. Select an initialized token from the Select a Token drop-down box and select the Key Pair button in the toolbar. Alternatively, select Options > Create > Key Pair from the menu bar.
   The Generate Key Pair dialog is displayed.
2. Select the type of key pair you wish to generate from the Key Pair Type drop-down box.
   The Subject field can be left blank, in which case no X.500 certificate information is attached to the key pair. If you specify a Subject, it must follow X.500 distinguished name syntax, for example C=CA, O=safenet, CN=Alice. The subject fields can be any of the following, and can be input in any order:
   - C= Country code
   - O= Organization
   - CN= Common Name
   - OU= Organizational Unit
   - L= Locality name
   - ST= State name
   This information is stored with the public and private key objects in the CKA_SUBJECT_STR attribute, and also DER-encoded and stored in the CKA_SUBJECT attribute. The attribute is propagated into any PKCS #10 requests and X.509 certificates derived from these keys.
3. Specify the Key Size (bits) or Curve Name (only enabled if Key Pair Type is Elliptic Curve).
   Note
   If the FIPS Mode security policy is enabled, the cryptographic operations of RSA, DSA, DH, and EC algorithms are restricted to key sizes within a specified range. For more information about the size limitations of keys that are created or imported in FIPS Mode, see FIPS Mode operational restrictions.
4. Label both the public key and the private key. Check or uncheck any available boxes to select the desired key attributes.
   Note
   The check boxes are enabled and disabled according to the selected Key Pair Type.
5. Press OK to generate the keys, or Cancel to discard your input and return to the previous menu.
   Generated keys will be displayed under the Objects on Selected Token list on the main KMU user interface.
Creating key components
This function will create a random key as a number of components. These components can be recorded manually, either for backup purposes or so that they can be entered on another machine by using the Enter Key function.
This is useful for the creation and distribution of Key Encryption Keys (KEKs) with multiple custodians. This function makes it possible to create a key whose value is unknown to any single party. Only by combining the components known by each custodian can the key be regenerated. Each component is randomly generated, and in itself does not expose any portion of the final key value.
To create key components
1. Select an initialized token from the Select a Token drop-down. Log on if necessary.
2. Choose Options > Create > Generate Key Components from the menu bar to open the Create Key Components dialog box.
3. Select a key type from the Mechanism drop-down list.
4. Enter a label for the key into the Label field.
5. For key types AES, CAST, RC2 and RC4, specify the size of the key to be generated in the Key Size (bits) field.
6. Decide on the key attributes and select active checkboxes as required.
7. Select OK to continue, or Cancel to abort this operation and return to the previous menu.
8. When prompted by the KMU, enter in the Number of Components field the number of components that you wish the key to be split into. There is no limit on the number of components.
9. Select OK to start displaying the key components, or Cancel to abort this operation and return to the previous menu.
   A Ready to generate component n dialog box will be displayed for each component determined in step 8.
10. Record the Component Value and Key Check Value (KCV), both given in hexadecimal, displayed in these dialogs. The KCV for the generated component is used to verify correct entry of the component during manual key component entry.
Entering a key from components
This function allows a key to be entered from one or more components.
To enter a key from components
Note
The component entry can be masked by selecting Options > Mask Component Entry before beginning the operation.
1. Select an initialized token from the Select a Token drop-down box and select Enter Key From Components on the toolbar. Alternatively, select Options > Create > Enter Key From Components from the menu bar.
   The Enter Key Components dialog will open.
2. Select a key type from the Mechanism drop-down list.
3. Enter a label for the key into the Label field.
4. For key types AES, CAST, RC2 and RC4, specify the size of the key to be generated in the Key Size (bits) field.
5. Decide on the key attributes and select active checkboxes as required.
6. Select OK to continue, or Cancel to abort this operation and return to the previous menu.
7. When prompted by the KMU, enter the number of key components to combine in the Number of Components field. There is no limit on the number of components.
8. Select OK to continue and open the Ready to accept component n dialog, or Cancel to abort this operation.
   A number of component dialogs will appear, corresponding with the number specified in the Enter Key dialog.
Note
The KCV appears automatically when the key component is entered, allowing the custodian to confirm correct entry. The KMU will check that the KCV matches that of the key components being input. If a mismatch is detected, an error is shown.
The key check value (KCV) of a symmetric key can be displayed by selecting the key and clicking View on the toolbar. Alternatively, select Options > View from the menu bar.
Refer to PKCS#11 attributes for details on how the KCV is calculated.
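The component scheme behind the two procedures above (generating key components, then entering a key from them), as an added Go example that is not part of the KMU or its documentation: the key is split into XOR components, each component carries a check value, and recombination verifies every component against its recorded KCV before using it. Both the XOR split and the KCV derivation (first three bytes of an all-zero block encrypted under the key, as PKCS#11 defines CKA_CHECK_VALUE for AES keys) are assumptions here; the KMU's own KCV method is documented under PKCS#11 attributes.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// KCV: first 3 bytes of a zero block AES-encrypted under key (assumed, PKCS#11-style); "" on bad key size.
func KCV(key []byte) string {
	block, err := aes.NewCipher(key)
	if err != nil {
		return ""
	}
	out := make([]byte, aes.BlockSize) // all-zero block, encrypted in place
	block.Encrypt(out, out)
	return hex.EncodeToString(out[:3])
}
// SplitKey: n XOR components of key (assumed scheme); all but comps[0] are random, so none alone exposes key.
func SplitKey(key []byte, n int) ([][]byte, error) {
	comps := [][]byte{append([]byte(nil), key...)}
	for len(comps) < n {
		c := make([]byte, len(key))
		if _, err := rand.Read(c); err != nil {
			return nil, err
		}
		for j := range key {
			comps[0][j] ^= c[j] // fold each random share into the first component
		}
		comps = append(comps, c)
	}
	return comps, nil
}
// CombineKey XORs the components back together, checking each against its recorded KCV as the KMU does on entry.
func CombineKey(comps [][]byte, kcvs []string) ([]byte, error) {
	if len(comps) == 0 || len(comps) != len(kcvs) {
		return nil, errors.New("component/KCV count mismatch")
	}
	key := make([]byte, len(comps[0]))
	for i, c := range comps {
		if kcv := KCV(c); kcv == "" || kcv != kcvs[i] || len(c) != len(key) {
			return nil, errors.New("component KCV mismatch")
		}
		for j := range key {
			key[j] ^= c[j]
		}
	}
	return key, nil
}
```

A mistyped hex digit in any component changes that component's KCV, so the error surfaces at the component that was entered wrongly rather than as a silently wrong final key.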