The master keys, which are stored securely inside the Crypto Express HSM and 
can never be extracted, are the top-level keys in the key hierarchy.  Your 
application-level keys are stored outside the HSM, encrypted by the master 
keys.  Thus, if the HSM fails, you still have the externally-stored application 
keys, and all you need is to restore the master key into a new HSM card - then, 
all of those application keys will again be usable.
 
There are well-known and well-documented procedures for securely backing up and 
restoring the master keys.  In general, they follow the principles of 
dual-control and split-knowledge.  What this means is that the key value is 
mathematically broken into two or more separate values, such that none of those 
tells you anything at all about the value of the complete key.  You need to 
combine them in order to obtain the complete master key.  In most cases, the 
process that is used is to use "key components", which are sometimes called 
"key parts" - the components must all be exclusive-ored (XORed) together to 
form the master key, and that XOR only takes place inside the secure HSM card.  
Each component is protected by a separate person - a key component custodian - 
who keeps it safely locked up, and who enters it into the HSM when the master 
key must be loaded or restored.  The other key component custodian(s) do the 
same for their components, and the HSM creates the complete master key inside.  
The components can be manually keyed in (typically on the smart card reader of 
a TKE workstation), or they may be stored on electronically-readable media.  
The preferred method with Z and TKE is to have TKE store them on secure smart 
cards, and then read them out of those cards when needed.  With this approach, 
the key components are never outside a secure device in cleartext.
 
Another, similar approach that is sometimes used is to use "key shares" instead 
of components.  The difference is that with components, you must combine ALL of 
the components to form the master key, but with shares you only need a subset.  
This is typically called an m-of-n scheme, where you create n shares of the 
key, but any n of those can be combined to form the complete key.  This means 
that you do not need all of the m key share custodians to be present to load 
the master key - any n of them will do.  Note that Crypto Express does not 
support this for loading the master keys, but I wanted to include it here for 
completeness.
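
The XOR key-component scheme described above, as an added sketch that is not part of the original post and is not IBM code. The function names and the 32-byte key length are assumptions for illustration; on real hardware the components are combined only inside the HSM, never in host software like this.

```python
import secrets
from functools import reduce

KEY_LEN = 32  # assumed key length in bytes, for illustration only


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_into_components(key, n):
    """Return n components whose XOR is `key` (hypothetical helper)."""
    if n < 2:
        raise ValueError("split knowledge needs at least two components")
    # n-1 components are uniformly random; the last one is chosen so that
    # the XOR of all n comes out to the key.
    randoms = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = reduce(xor_bytes, randoms, key)
    return randoms + [last]


def combine_components(components):
    """XOR all components together; ALL of them are required."""
    if len(components) < 2:
        raise ValueError("need at least two components")
    return reduce(xor_bytes, components)


def missing_component_for(candidate_key, held):
    """Component that would make `held` combine to `candidate_key`.

    One exists for every candidate key, which is why custodians who hold
    fewer than all of the components cannot rule out any key value.
    """
    return reduce(xor_bytes, held, candidate_key)


if __name__ == "__main__":
    master = secrets.token_bytes(KEY_LEN)   # constructed sample key
    parts = split_into_components(master, 3)
    print("all three recombine:", combine_components(parts) == master)

    # Two colluding custodians: any guess is consistent with what they hold.
    guess = bytes(KEY_LEN)
    fake_third = missing_component_for(guess, parts[:2])
    print("guess is consistent:",
          combine_components(parts[:2] + [fake_third]) == guess)
```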
