Establishing master keys

The preferred and most secure method of establishing master keys in the coprocessor is to use a Trusted Key Entry workstation (TKE). The TKE leverages user smart cards to establish a secure connection all the way to the firmware in the coprocessor, with a unique session key. Your key parts are secured from the smart card all the way to the target coprocessor with this solution.

An AES master key is established from clear key parts (components). An APKA master key is also established from clear key parts. Instructions on how to generate an AES master key using the TKE are provided in How to set an AES master key.

DES and PKA master keys, on the other hand, are established in one of these ways:

  • from clear key parts
  • through random generation internal to the coprocessor

Establishing a master key from clear information

Individual key parts are supplied as clear information, and the parts are exclusive-ORed within the cryptographic engine. Knowledge of a single part gives no information about the final key when multiple, random-valued parts are exclusive-ORed.

A common technique is to record the values of the parts (typically on paper or diskette) and store these values independently in locked safes. When the master key is installed, individuals who are trusted not to share the key-part information retrieve the parts and enter them into the cryptographic engine. Use the Master Key Process verb for this operation.

Entering the first part and entering subsequent parts are authorized by two different control points, so that the cryptographic engine (the coprocessor) can enforce that two different roles, and thus two different profiles, are activated to install the master-key parts. This requires roles that enforce this separation of responsibility.

Setting the master key uses a unique command with its own control point. You can set up the access-control system to require the participation of at least three individuals or three groups of individuals.

You can check the contents of any of the master-key registers, and the key parts as they are entered into the new-master-key register, using the Key Test verb. The verb performs a one-way function on the key-of-interest, the result of which is either returned or compared to a known correct result.
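
The following added example (not IBM code and not part of the original page) models the two ideas above: clear key parts exclusive-ORed into a register, and a one-way verification pattern used to confirm that the parts were entered correctly. The function names are hypothetical, and SHA-256 is an assumed stand-in for the one-way function, not a statement of what the Key Test verb computes.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key parts must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def combine_parts(parts: list[bytes]) -> bytes:
    """XOR each part into a register that starts at zero."""
    register = bytes(len(parts[0]))
    for part in parts:
        register = xor_bytes(register, part)
    return register


def verification_pattern(key: bytes) -> bytes:
    # One-way function of the key. SHA-256 is this example's stand-in,
    # not a statement of what the Key Test verb computes.
    return hashlib.sha256(b"key-test-example" + key).digest()


def verify(key: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(verification_pattern(key), expected)


def missing_part_for(known_parts: list[bytes], target_key: bytes) -> bytes:
    # A completing part exists for every target key, so holding all parts
    # but one leaves every key value equally possible.
    return xor_bytes(target_key, combine_parts(known_parts))


def demo() -> dict:
    parts = [secrets.token_bytes(32) for _ in range(3)]  # constructed sample parts
    recorded = verification_pattern(combine_parts(parts))  # noted at generation time
    typo = bytes([parts[1][0] ^ 0x01]) + parts[1][1:]      # one bit mis-entered
    other_key = secrets.token_bytes(32)
    forged = missing_part_for(parts[:2], other_key)
    return {
        "good_entry": verify(combine_parts(parts), recorded),
        "bad_entry": verify(combine_parts([parts[0], typo, parts[2]]), recorded),
        "any_key_fits": combine_parts(parts[:2] + [forged]) == other_key,
    }
```

A single flipped bit in one part changes the verification pattern, so a mis-entered part is caught before the master key is set.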