Key backup feature tutorial
This section demonstrates how to use the Key Management Utility (KMU) to back up keys.
Overview
This feature can be used to ensure keys, certificate objects, and other PKCS#11 objects can be recovered after a failure or tamper.
Two storage media options are available:
- smart card
- file (hard disk drive)
For smart card media, there are two modes available:
- single-custodian
- multiple-custodian
All the PKCS#11 attributes for any key/object, including the security attributes, are backed up along with the key/object's value.
When backing up to smart card, the utility will automatically prompt for additional smart cards if the size of the backup is larger than one smart card.
Note
When logging in to a smart card, the card is locked after 7 consecutive incorrect PIN attempts. You must re-initialize the card to set a new PIN.
The security officer and user PINs for a token cannot be backed up. Before a restore operation, the destination token must be already initialized and the security officer and user PINs set.
There are a number of additional keys generated, used, and then deleted during the backup process.
Note
The KMU application does not support using DES3 keys to make backups. You must use the ctkmu command-line application. Include the -3 option to specify DES3. For example:
ctkmu x -s0 -w des3key -3 backup.bin
See ctkmu for complete command syntax.
Key definitions
wK - Wrapping key. The top-level key for the backup process. When performing a backup to file or single custodian to smart card, the custodian must provide this key. This is an AES key. For the multiple custodian backup, this key is created from the randomly generated split components for each custodian.
tK - A randomly generated transport key, which is an AES key, generated using CKM_AES_KEY_GEN. This is the key that the keys/objects to be backed up will be wrapped under. This key is used with Wx.
mK - A randomly generated MAC key, which is a 256-bit secret key generated using CKM_GENERIC_SECRET_KEY_GEN. This key is used with Mx.
Ex - Encryption using CKM_AES_KWP with key 'x'.
Wx - C_WrapKey() operation using CKM_AES_KWP with key 'x'.
Rx - C_DeriveKey() operation using CKM_XOR_BASE_AND_DATA with key 'x' and provided data.
Mx - MAC generation, using CKM_SHA512_HMAC_GENERAL (4 byte MAC result) with key 'x'.
Creation of encrypted key set to back up (payload)
The creation of the encoded payload to back up is common to all storage options. The payload can contain one or more keys/objects.
To create the encoded payload
- Generate tK.
- For each key/object to be backed up:
  w = WtK(Key/Object)
  The format of the resulting Payload is as follows:
  p = N l1 w1 [l2 w2 [l3 w3 [… lN wN]]]
  where N = number of keys/objects in the payload, li = length of wi, and wi = the i’th wrapped key data, i.e. WtK(Key/Object).
- Generate mK.
- Calculate the MAC for the Payload, m = MmK(p).
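The payload layout and MAC step above, sketched as an added example (not code from the KMU or its vendor). The 4-byte big-endian width of N and each li is an assumption, since the page does not give field widths, and random bytes stand in for the wrapped objects.

```python
import hashlib
import hmac
import secrets
import struct

MAC_LEN = 4  # the page specifies a 4-byte CKM_SHA512_HMAC_GENERAL result


def encode_payload(wrapped):
    """p = N l1 w1 ... lN wN (4-byte big-endian fields are an assumption)."""
    out = [struct.pack(">I", len(wrapped))]
    for w in wrapped:
        out.append(struct.pack(">I", len(w)) + w)
    return b"".join(out)


def payload_mac(mk, p):
    """m = MmK(p): HMAC-SHA512 truncated to its leftmost 4 bytes."""
    return hmac.new(mk, p, hashlib.sha512).digest()[:MAC_LEN]


def decode_payload(mk, p, m):
    """Restore side: verify the MAC first, then parse with strict bounds checks."""
    if not hmac.compare_digest(payload_mac(mk, p), m):
        raise ValueError("payload MAC mismatch")
    if len(p) < 4:
        raise ValueError("payload too short for N")
    (n,) = struct.unpack_from(">I", p, 0)
    pos, items = 4, []
    for _ in range(n):
        if pos + 4 > len(p):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">I", p, pos)
        pos += 4
        if length > len(p) - pos:
            raise ValueError("wrapped object overruns payload")
        items.append(p[pos:pos + length])
        pos += length
    if pos != len(p):
        raise ValueError("trailing bytes after last object")
    return items


# Constructed sample: random bytes stand in for WtK(Key/Object) blobs.
SAMPLE_WRAPPED = [secrets.token_bytes(40), secrets.token_bytes(72)]
SAMPLE_MK = secrets.token_bytes(32)  # 256-bit mK
SAMPLE_P = encode_payload(SAMPLE_WRAPPED)
SAMPLE_M = payload_mac(SAMPLE_MK, SAMPLE_P)
```
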
Backup to file
This is the simplest form of backup. The only limitation is that the wrapping key must already exist. This key must be able to be recreated after a tamper/failure before a restore can be performed. It can be entered in components, have a known value, or be backed up using the multiple custodian backup mode (described below).
To back up to file
- Encode mK with tK, emK = EtK(mK)
- Encode tK with wK, etK = EwK(tK)
- Write the binary file containing the backed up Payload. The format of the file is:
  Header - Contains the version of the Backup Feature
  length p - Length of the encoded Payload
  p - Encoded Payload
  m - MAC of the Payload
  length emK - Length of the Encoded MAC key
  emK - Encoded MAC key
  length etK - Length of the Encoded Transport key
  etK - Encoded Transport key
- Delete mK and tK.
Backup to smart card - single custodian mode
This backup mode has more security than the backup to file mode because the payload is stored on a smart card instead of in a file. The payload data on the smart card is also protected by the custodian’s PIN, i.e. the PIN must be presented and authenticated to the smart card before the data can be read.
The only limitation is that the wrapping key must already exist. This key must be able to be re-created after a tamper/failure before a restore can be performed. It can be entered in components, have a known value, or be backed up using the multiple custodian backup mode (described below).
If the payload cannot fit on one smart card, then the backup process will prompt the custodian to continue entering new smart cards, until the entire payload has been exported.
To back up to a smart card
- Encode mK with tK, emK = EtK(mK)
- Encode tK with wK, etK = EwK(tK)
- Write the following data files to the smart card:
  - Header
    Not protected by custodian’s PIN.
    Contains the following information about the payload:
    - Contains the version of the backup feature
    - Name of this backup payload
    - MAC of the complete payload
    - MAC of the payload component on this smart card, i.e. MmK(p’)
    - Timestamp of payload creation
    - Total number of custodians
    - Number of the custodian who owns this smart card
    - Number of the current card being written
    - Flag to indicate if encoded transport key (etK) is on this smart card
    - Flag to indicate if encoded MAC key (emK) is on this smart card
    - Size of the complete payload
    - Size of the payload component on this smart card
    - Offset of this payload component in the complete payload
    - Name of custodian who owns this smart card
  - Payload
    Protected by the custodian’s PIN.
    The component of the payload contained on this smart card. This may be the entire payload.
  - etK
    Protected by the custodian’s PIN.
    Encoded transport key
    This data file will only be located on the last smart card of the backup set.
  - emK
    Protected by the custodian’s PIN.
    Encoded MAC key
    This data file will only be located on the last smart card of the backup set.
- Delete mK and tK.
Backup to smart card - multiple custodian mode
This backup mode has the most security. This is because the payload is stored on smart cards and the payload is split between a number of custodians. Also, the payload data on the smart card is protected by the custodian’s PIN, i.e. the PIN must be presented and authenticated to the smart card before the data can be read.
The top level wrapping key (wK) is randomly generated, and each custodian has a component of this key. The entire set of smart cards is needed before the wrapping key can be successfully re-created.
If each custodian’s payload component cannot fit on one smart card, then the backup process will prompt the custodian to continue entering new smart cards, until their payload component has been exported.
To back up to a smart card in multiple custodian mode
- Create an initial intermediate wrapping key, which is an AES key, wK’, with a value of zero.
Each custodian must then:
- Generate random wrapping key component (24 bytes), wC
- Derive new intermediate wrapping key wK’ = RwK’(wC)
- Delete the previous intermediate wrapping key (wK’-1)
- Write the following data files to the smart card:
  - Header
    Not protected by custodian’s PIN.
    Contains the following information about the payload:
    - Contains the version of the backup feature
    - Name of this backup payload
    - MAC of the complete payload
    - MAC of the payload component on this smart card, i.e. MmK(p’)
    - Timestamp of payload creation
    - Total number of custodians
    - Number of the custodian who owns this smart card
    - Number of the current card being written
    - Flag to indicate if encoded transport key (etK) is on this smart card
    - Flag to indicate if encoded MAC key (emK) is on this smart card
    - Size of the complete payload
    - Size of the payload component on this smart card
    - Offset of this payload component in the complete payload
    - Name of custodian who owns this smart card
  - wC
    Protected by the custodian’s PIN.
    The wrapping key component for this custodian.
  - Payload
    Protected by the custodian’s PIN.
    The component of the payload contained on this smart card.
The last custodian must then:
- Encode mK with tK, emK = EtK(mK)
- Encode tK with the final wrapping key (wK = wK’), etK = EwK(tK)
- Write the following data files to the smart card:
  - etK
    Protected by the custodian’s PIN.
    Encoded transport key
    This data file will only be located on the last smart card of the last custodian of the backup set.
  - emK
    Protected by the custodian’s PIN.
    Encoded MAC key
    This data file will only be located on the last smart card of the last custodian of the backup set.
- Delete mK, tK and wK.
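The wrapping key derivation in multiple custodian mode, modelled as an added example (not code from the KMU or its vendor): it shows why the entire set of components is needed and why the remaining components say nothing about wK when one is missing. The function names are hypothetical, and CKM_XOR_BASE_AND_DATA is simplified here to equal-length inputs.

```python
import secrets

COMPONENT_LEN = 24  # the page specifies 24-byte wrapping key components


def xor_base_and_data(base, data):
    """Models Rx (CKM_XOR_BASE_AND_DATA): derived value is base XOR data.

    Simplification: inputs are required to be the same length.
    """
    if len(base) != len(data):
        raise ValueError("base key and data must be the same length")
    return bytes(a ^ b for a, b in zip(base, data))


def combine_components(components, total_custodians):
    """Rebuild wK: start from an all-zero wK' and fold in each custodian's wC."""
    if len(components) != total_custodians:
        raise ValueError("every custodian's component is required")
    wk = bytes(COMPONENT_LEN)  # initial wK' with a value of zero
    for wc in components:
        if len(wc) != COMPONENT_LEN:
            raise ValueError("component must be 24 bytes")
        wk = xor_base_and_data(wk, wc)  # wK' = RwK'(wC)
    return wk


def missing_component_for(partial_components, candidate_wk):
    """Return the single missing wC that would make wK equal candidate_wk.

    Such a wC exists for every candidate, so holding all but one
    component does not narrow down the value of wK.
    """
    partial = combine_components(partial_components, len(partial_components))
    return xor_base_and_data(partial, candidate_wk)


# Constructed sample: three custodians, each with a random component.
SAMPLE_COMPONENTS = [secrets.token_bytes(COMPONENT_LEN) for _ in range(3)]
SAMPLE_WK = combine_components(SAMPLE_COMPONENTS, 3)
```

The total_custodians argument corresponds to the "Total number of custodians" field in the card header, which lets a restore refuse to proceed on an incomplete set.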