Scenario: Creating nodes in a production environment
In this scenario, the responsibility for creating cryptographic nodes is divided among three individuals, namely, an access control administrator and two key management officers.
The administrator sets up the node and its access control system. Then, the key management officers load a master key and any required key encrypting keys (KEKs). The KEKs can be used as transport keys to convey other keys between nodes.
This scenario is focused on installing master keys and high-level, internode Data Encryption Standard (DES) KEKs from key parts. The CCA implementation supports alternatives to the key part technique, such as random master-key generation and distribution of DES keys by using techniques that are based on Rivest-Shamir-Adleman (RSA) public key technology. The key part technique assumes that there are two key management officers who can be trusted to perform their tasks and to not share their key part information. This technique implements a split-knowledge policy. The access control system is set up to enforce dual control by separating the tasks of the first and second officers, with a distinct role for each of the following circumstances:
- Normal, limited operation (when the default role is used)
- When the access control administrator tasks are run
- When each key management officer's tasks are run
- Under any other special circumstances by using additional roles and profiles
The administrator authorizes commands in the various roles to ensure that only required commands are enabled. Sensitive commands, such as loading a first key part or loading subsequent key parts, are only enabled in roles for users with the responsibility and authority to use those commands. It is important to separate the responsibilities so that policies such as split knowledge and dual control are enforceable by the coprocessor's access control system.
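The following is an added illustration of the split-knowledge and dual-control policy described above; it is not CCA code and does not use CCA's API. It models a node in memory with constructed role names (`DEFAULT`, `ADMIN`, `OFFICER_1`, `OFFICER_2`) and constructed command names, and it combines key parts by XOR so that each officer's part, taken alone, is a uniformly random value that reveals nothing about the final key. The role table is the enforcement point: the first officer's role enables only the first-part command, the second officer's role enables only the subsequent-part and set-master-key commands, and the default role enables neither, so no single user can complete a key load.

```python
"""Constructed model of split-knowledge master-key loading under dual control.

Added example: the role names, command names and in-memory node are assumptions
chosen to mirror the scenario above, not CCA's own roles or API.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Commands grouped into roles (constructed). Each officer's role holds only the
# commands that officer is responsible for, so neither can load a whole key alone.
ROLES: dict[str, frozenset[str]] = {
    "DEFAULT": frozenset({"ENCIPHER", "DECIPHER"}),
    "ADMIN": frozenset({"CREATE_ROLE", "CREATE_PROFILE"}),
    "OFFICER_1": frozenset({"LOAD_FIRST_KEY_PART"}),
    "OFFICER_2": frozenset({"LOAD_SUBSEQUENT_KEY_PART", "SET_MASTER_KEY"}),
}


class AccessDenied(Exception):
    """Raised when the caller's role does not enable the requested command."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (how key parts are combined here)."""
    if len(a) != len(b):
        raise ValueError("key parts must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_parts: int = 2) -> list[bytes]:
    """Split a key into n parts whose XOR is the key.

    The first n-1 parts are fresh random bytes and the last is chosen to make
    the XOR come out to the key, so any n-1 parts together are still uniformly
    random and reveal nothing about the key (split knowledge).
    """
    parts = [secrets.token_bytes(len(key)) for _ in range(n_parts - 1)]
    last = key
    for p in parts:
        last = xor_bytes(last, p)
    return parts + [last]


@dataclass
class Node:
    profiles: dict[str, str]  # user id -> role name (constructed profile table)
    new_mk_register: bytes | None = None
    parts_loaded: int = 0
    current_mk: bytes | None = None
    audit: list[str] = field(default_factory=list)

    def _authorize(self, user: str, command: str) -> None:
        """Enforce the role table; users without a profile get the default role."""
        role = self.profiles.get(user, "DEFAULT")
        if command not in ROLES[role]:
            self.audit.append(f"DENY {user} ({role}) {command}")
            raise AccessDenied(f"{user} in role {role} may not run {command}")
        self.audit.append(f"ALLOW {user} ({role}) {command}")

    def load_first_key_part(self, user: str, part: bytes) -> None:
        self._authorize(user, "LOAD_FIRST_KEY_PART")
        self.new_mk_register = part
        self.parts_loaded = 1

    def load_subsequent_key_part(self, user: str, part: bytes) -> None:
        self._authorize(user, "LOAD_SUBSEQUENT_KEY_PART")
        if self.parts_loaded == 0 or self.new_mk_register is None:
            raise RuntimeError("first key part has not been loaded")
        self.new_mk_register = xor_bytes(self.new_mk_register, part)
        self.parts_loaded += 1

    def set_master_key(self, user: str) -> bytes:
        self._authorize(user, "SET_MASTER_KEY")
        if self.parts_loaded < 2 or self.new_mk_register is None:
            raise RuntimeError("dual control: at least two key parts are required")
        self.current_mk = self.new_mk_register
        self.new_mk_register = None
        self.parts_loaded = 0
        return self.current_mk


def demo() -> tuple[bytes, bytes, bool]:
    """Run the scenario; returns (intended key, installed key, second officer blocked)."""
    node = Node(profiles={"admin": "ADMIN", "alice": "OFFICER_1", "bob": "OFFICER_2"})
    key = bytes.fromhex("0123456789abcdeffedcba9876543210")  # constructed 16-byte key
    part1, part2 = split_key(key)
    node.load_first_key_part("alice", part1)       # first officer's task only
    node.load_subsequent_key_part("bob", part2)    # second officer's task only
    installed = node.set_master_key("bob")
    # Bob cannot start a new key load by himself: his role lacks LOAD_FIRST_KEY_PART.
    try:
        node.load_first_key_part("bob", part2)
        blocked = False
    except AccessDenied:
        blocked = True
    return key, installed, blocked


if __name__ == "__main__":
    intended, installed, blocked = demo()
    print("master key installed correctly:", intended == installed)
    print("single officer blocked from full load:", blocked)
```

The audit list is kept on the node so a reviewer can see every allow and deny decision; in a real deployment that record would come from the coprocessor's own access control logging rather than from application code.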