Access control considerations when cloning
There are three classes of roles to consider for cloning operations:
- Roles at the share administration (SA) node.
- Roles at the source node: the coprocessor share signing (CSS) node.
- Roles at the target node: the coprocessor share receiving (CSR) node.
The cloning procedure also involves the following tasks, and each must be assigned to a role:
- Generate a random master key at the source node.
- Set the master key, the action that brings a new master key into operation. When the master key changes, every key enciphered under the master key must be updated.
- Generate the retained Rivest-Shamir-Adleman (RSA) keys: the SA key, which certifies the public keys of the source and target nodes, and the retained keys at the source (CSS) and target (CSR) nodes.
- Register the SA key and its hash, and decide whether that registration will be a split responsibility.
In addition, you must decide how many of the shares (m) out of the total number generated (n) must cooperate to clone a master key. These values must be chosen so that no small group can collude to reconstitute the key.
In deciding the m and n values, consider when the cloning will take place and whether you need to reconstitute the master key from fewer shares than the total number obtained from the source node (perhaps because of share corruption or the unavailability of one or more of the individuals who can obtain or install a share).
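The m-of-n behaviour described above, shown with a generic threshold secret-sharing scheme (Shamir's, over a prime field) as an added illustration; this is not IBM's code and does not reproduce the coprocessor's share format or its verification-pattern algorithm, both of which are stand-ins here. The key value, the seed and the field prime are constructed for the example.

```python
import hashlib
import random

# Field prime for the share arithmetic: 2**255 - 19 (the Curve25519 field
# prime). It exceeds 2**128, so any 16-byte master key value is one field
# element. Chosen for this example only.
PRIME = 2**255 - 19


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key_bytes, m, n, rng):
    """Split a master key into n shares of the form (m, x, y); any m of them
    reconstruct the key, and any fewer reveal nothing about it.

    rng is a random.Random instance (a real coprocessor would use its own
    hardware RNG; a seeded instance is used here only for reproducibility).
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    secret = int.from_bytes(key_bytes, "big")
    if secret >= PRIME:
        raise ValueError("key value does not fit in the field")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(m - 1)]
    return [(m, x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_key(shares, key_len=16):
    """Recombine shares by Lagrange interpolation at x = 0.

    Refuses a set smaller than the threshold m carried in the shares, and
    refuses a result that does not fit in key_len bytes, the usual symptom
    of a corrupted or mismatched share.
    """
    m = shares[0][0]
    points = {x: y for (_, x, y) in shares}   # drop duplicate share numbers
    if len(points) < m:
        raise ValueError(f"{len(points)} distinct share(s) supplied, {m} required")
    points = list(points.items())[:m]
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 1 << (8 * key_len):
        raise ValueError("reconstructed value out of range: share set is corrupt or mismatched")
    return secret.to_bytes(key_len, "big")


def verification_pattern(key_bytes):
    """Short fingerprint for comparing the key at source and target; a truncated
    SHA-256 stands in for the coprocessor's own verification pattern."""
    return hashlib.sha256(key_bytes).hexdigest()[:16]


if __name__ == "__main__":
    rng = random.Random(2024)                                  # constructed seed
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed sample key
    shares = split_key(key, m=3, n=5, rng=rng)
    print("source pattern:", verification_pattern(key))
    # Three of the five shares (two holders unavailable) still suffice.
    subset = [shares[0], shares[2], shares[4]]
    print("target pattern:", verification_pattern(reconstruct_key(subset)))
    try:
        reconstruct_key(shares[:2])
    except ValueError as err:
        print("two shares rejected:", err)
```

Comparing the verification pattern at the target with the one recorded at the source is the practical check that the installed shares reproduced the intended key: a corrupted share changes the interpolated value, so the patterns differ (or the reconstruction is rejected outright when the value no longer fits the key length).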
Note: The cryptographic node management (CNM) utility places all of the shares from a node in the csr.db file. Each share is encrypted under a unique, triple-length data encryption standard (DES) key, which itself is encrypted by the CSR public key of the target node.
Table 1 provides guidance for selecting the permissions applicable to the roles that are related to cloning.
Code | Command name | Verb name | Consideration |
---|---|---|---|
X'001A' | Set Master Key | Master_Key_Process | Critical. This role must have knowledge of the contents of the new master key register and the implications of a master key change. |
X'001D' | Compute Verification Pattern | Many | All |
X'0020' | Generate Random Master Key | Master_Key_Process | Not critical except that it fills the new master key register. |
X'0032' | Clear New Master Key Register | Master_Key_Process | Assign this command to the role that can set the master key. It can discard the shares collected so far, so it must be mutually exclusive with the Generate Random Master Key command. |
X'0033' | Clear Old Master Key Register | Master_Key_Process | Generally not used. |
X'008E' | Generate Key | Key_Generate, Random_Number_Generate | All |
X'0090' | Reencipher to Current Master Key | Key_Token_Change | This role depends on who will update the working keys encrypted by the master key. |
X'0100' | PKA96 Digital Signature Generate | Digital_Signature_Generate | This role certifies the SA, CSS, and CSR keys. |
X'0101' | PKA96 Digital Signature Verify | Digital_Signature_Verify | All |
X'0102' | PKA96 Key Token Change | PKA_Key_Token_Change | This role depends on who will update the working keys encrypted by the master key. |
X'0103' | PKA96 PKA Key Generate | PKA_Key_Generate | This role is required to generate the SA, CSS, and CSR keys. |
X'0107' | One-Way Hash, SHA-1 | One_Way_Hash | All |
X'0114' | Change User Profile Authentication Data | Access_Control_Initialization | This role allows the passphrase in any profile to be changed. Use with discretion. |
X'0116' | Read Public access control Information | Access_Control_Maintenance | All |
X'011C' | Set EID | Cryptographic_Facility_Control | This role is required to set up the CSS and CSR nodes. |
X'011D' | Initialize Master Key Cloning | Cryptographic_Facility_Control | This role is required to set up the m of n values at the CSS and CSR nodes. |
X'0200' | PKA Register Public Key Hash | PKA_Public_Key_Hash_Register | This role must be used at the CSS and CSR nodes to ensure the SA key can be recognized. Split responsibility with X'0201'. |
X'0201' | PKA Public Key Register | PKA_Public_Key_Register | This role must be used at the CSS and CSR nodes to ensure the SA key can be recognized. Split responsibility with X'0200'. |
X'0203' | Delete Retained Key | Retained_Key_Delete | This role is used to remove obsolete SA, CSS, and CSR keys. Be careful about denial of service. |
X'0204' | PKA Clone Key Generate | PKA_Key_Generate | This role is required to generate the CSS and CSR keys. |
X'0211' - X'021F' | Clone-info (Share) Obtain | Master_Key_Distribution | Assign a separate profile and role to each share to enforce split responsibility. |
X'0221' - X'022F' | Clone-info (Share) Install | Master_Key_Distribution | Assign a separate profile and role to each share to enforce split responsibility. |
X'0230' | List Retained Key | Retained_Key_List | All |
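A way to check a proposed set of role definitions against the separation constraints that Table 1 states (X'0032' mutually exclusive with X'0020' and paired with X'001A', X'0200' and X'0201' split between roles, one share obtain/install point per role, and X'0114' granted only with discretion), as an added example that is not part of the page or of the CNM utility. The role names and permission sets are constructed; the access-control point codes are the ones listed in the table.

```python
# Access-control point codes from the cloning table (hex digits as on the page).
SET_MASTER_KEY = "001A"
GENERATE_RANDOM_MASTER_KEY = "0020"
CLEAR_NEW_MASTER_KEY_REGISTER = "0032"
CHANGE_PROFILE_AUTH_DATA = "0114"
REGISTER_PUBLIC_KEY_HASH = "0200"
REGISTER_PUBLIC_KEY = "0201"
SHARE_OBTAIN = {f"{c:04X}" for c in range(0x0211, 0x0220)}    # X'0211' - X'021F'
SHARE_INSTALL = {f"{c:04X}" for c in range(0x0221, 0x0230)}   # X'0221' - X'022F'


def check_cloning_roles(roles):
    """Check role definitions against the separation constraints in Table 1.

    roles maps a role name to the set of access-control point codes it
    permits, written as four hex digits ("001A"). Returns a list of findings
    prefixed "ERROR" (a stated constraint is violated) or "WARN" (a permission
    the table says to grant with discretion). An empty list means every
    checked constraint holds.
    """
    findings = []
    for name, perms in roles.items():
        # X'0032' can discard the collected shares, so it must not sit beside X'0020'.
        if CLEAR_NEW_MASTER_KEY_REGISTER in perms and GENERATE_RANDOM_MASTER_KEY in perms:
            findings.append(f"ERROR {name}: X'0032' and X'0020' must be mutually exclusive")
        # The table assigns X'0032' to the role that can set the master key.
        if CLEAR_NEW_MASTER_KEY_REGISTER in perms and SET_MASTER_KEY not in perms:
            findings.append(f"ERROR {name}: X'0032' belongs with X'001A' (Set Master Key)")
        # Registering the SA key hash and the SA key itself is a split responsibility.
        if REGISTER_PUBLIC_KEY_HASH in perms and REGISTER_PUBLIC_KEY in perms:
            findings.append(f"ERROR {name}: X'0200' and X'0201' must be held by different roles")
        # One profile and role per share: at most one obtain point and one
        # install point per role.
        for label, codes in (("obtain", SHARE_OBTAIN), ("install", SHARE_INSTALL)):
            held = sorted(perms & codes)
            if len(held) > 1:
                findings.append(f"ERROR {name}: holds {len(held)} share-{label} points "
                                f"({', '.join(held)}); assign one share per role")
        if CHANGE_PROFILE_AUTH_DATA in perms:
            findings.append(f"WARN {name}: X'0114' changes the passphrase of any profile; "
                            "use with discretion")
    return findings


if __name__ == "__main__":
    # Constructed role set for a CSR node: one role per share, SA registration split.
    proposed = {
        "MK_ADMIN": {SET_MASTER_KEY, CLEAR_NEW_MASTER_KEY_REGISTER},
        "SA_HASH": {REGISTER_PUBLIC_KEY_HASH},
        "SA_KEY": {REGISTER_PUBLIC_KEY},
        "SHARE_1": {"0211", "0221"},
        "SHARE_2": {"0212", "0222"},
        "COURIER": {"0213", "0214"},          # deliberately wrong: two shares
    }
    for line in check_cloning_roles(proposed) or ["no findings"]:
        print(line)
```

Run it against the role definitions before loading them into the coprocessor; the constructed `COURIER` role above is reported because one person holding two share points defeats the split responsibility the table describes.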