ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajc_5.4.0.1/rzajccloningkeys.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Clone master keys" />
<meta name="abstract" content="Master key cloning is a method for securely copying a master key from one Cryptographic Coprocessor to another without exposing the value of the master key. Read this topic if you are using multiple coprocessors with SSL." />
<meta name="description" content="Master key cloning is a method for securely copying a master key from one Cryptographic Coprocessor to another without exposing the value of the master key. Read this topic if you are using multiple coprocessors with SSL." />
<meta name="DC.Relation" scheme="URI" content="rzajcworking.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="cloningkeys" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Clone master keys</title>
</head>
<body>
<div class="nested0" id="cloningkeys"><a name="cloningkeys"><!-- --></a><h1 class="topictitle1">Clone master keys</h1>
<div><p>Master key cloning is a method for securely copying a master key
from one Cryptographic Coprocessor to another without exposing the value of
the master key. Read this topic if you are using multiple coprocessors with
SSL.</p>
<div class="section"><p>This is performed by a process of splitting the master key into <var class="varname">n</var> shares,
where <var class="varname">n</var> is a number from 1 to 15. <var class="varname">m</var> shares
are required to rebuild the master key in another Coprocessor, where <var class="varname">m</var> is
a number from 1 to 15 and less than or equal to <var class="varname">n</var>.</p>
<p>The
term "cloning" is used to differentiate the process from "copying" because
no single share, and no combination of fewer than <var class="varname">m</var> shares,
provides sufficient information to rebuild the master key.</p>
<p>The
Coprocessor containing the master key to be cloned is referred to as either
the master-key-share source node or the Sender. The Sender must generate
a retained RSA key pair. This private key must also have been marked as suitable
for use with cloning when it was generated. The key is known as either the
Coprocessor Share Signing key or the Sender key. The Coprocessor that will
receive the master key is referred to as either the master-key-share target
node or the Receiver. The Receiver must also generate a retained RSA key
pair, and that key pair must also have been marked as suitable for use with
cloning when it was generated. This key is known as either the Coprocessor
Share Receiving key or simply the Receiver key.</p>
<p>Both the Sender and Receiver public keys must be digitally signed
or certified by a retained private key in a Coprocessor, referred to as the
public key certifying node or the Certifier. This retained private key is
the Certifier key. It is also referred to as the Share Administration key.
The associated public key must be registered in both the Sender and the Receiver
before shares can be generated and received. A Cryptographic Coprocessor
can take on the role of Certifier only, or it can be both Certifier and Sender,
or it can be both Certifier and Receiver. </p>
<p>As each share is generated
it is signed by the Coprocessor using the Sender private key and encrypted
by a newly generated triple DES key. The triple DES key is then wrapped or
encrypted by the Receiver public key.</p>
<p>As each share is received, the
signature on the share is verified using the Sender public key, the triple
DES key is unwrapped or decrypted using the Receiver private key, and the
share is decrypted using the triple DES key. When <var class="varname">m</var> shares
have been received, the cloned master key is complete within the new master key
register of the Receiver.</p>
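<p>The <var class="varname">m</var>-of-<var class="varname">n</var> share property described above, as an added example that is not IBM's code: a Python model that splits a master key with Shamir's polynomial secret sharing over a prime field and enforces the 1 to 15 limits on <var class="varname">m</var> and <var class="varname">n</var>. The page does not state the Coprocessor's internal splitting scheme, so Shamir is an assumption here, and the per-share signing and triple DES wrapping are omitted.</p>

```python
# Added example, not IBM's code: models the m-of-n master key share scheme
# with Shamir secret sharing over GF(P). The Coprocessor's real splitting
# algorithm is not stated on the page; Shamir is assumed for illustration.
import secrets

# Mersenne prime 2^521 - 1, comfortably larger than a 168-bit triple DES key.
P = (1 << 521) - 1


def check_m_of_n(m, n):
    """Enforce the documented limits: 1 <= m <= n <= 15."""
    if not (1 <= n <= 15 and 1 <= m <= n):
        raise ValueError("require 1 <= m <= n <= 15")


def split_master_key(master_key, m, n):
    """Sender side: return n shares (x, f(x)); any m of them rebuild the key."""
    check_m_of_n(m, n)
    secret = int.from_bytes(master_key, "big")
    assert secret < P, "master key must fit in the field"
    # Random polynomial of degree m-1 whose constant term is the master key.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def rebuild_master_key(shares):
    """Receiver side: Lagrange-interpolate f(0) from the shares it holds.

    With m or more distinct shares this is the master key as an integer;
    with fewer, the result is a uniformly random field element (no leakage).
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


if __name__ == "__main__":
    key = secrets.token_bytes(24)            # constructed 24-byte sample key
    shares = split_master_key(key, 3, 5)
    subset = [shares[0], shares[2], shares[4]]
    print("3 of 5 shares rebuild the key:",
          rebuild_master_key(subset) == int.from_bytes(key, "big"))
```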
<p>The easiest and fastest way to clone master
keys is to use the Cryptographic Coprocessor configuration web-based utility.
The utility includes the Master key cloning advisor. To start the master
key cloning advisor, follow these steps:</p>
</div>
<ol><li><span>Click on <span class="uicontrol">Manage configuration</span> on the Cryptographic
Coprocessor configuration page.</span></li>
<li><span>Click on <span class="uicontrol">Master keys</span>.</span></li>
<li><span>Select a device.</span></li>
<li><span>Enter a valid Coprocessor profile and password.</span></li>
<li><span>Click on the <span class="uicontrol">Clone</span> button.</span></li>
</ol>
<div class="section"> <p>If you would prefer to write your own application to clone master
keys, you can do so by using the following API verbs:</p>
<ul><li>Cryptographic_Facility_Control (CSUACFC)</li>
<li>PKA_Key_Token_Build (CSNDPKB) (may not be needed depending upon how you
write your application)</li>
<li>PKA_Key_Generate (CSNDPKG)</li>
<li>PKA_Public_Key_Register (CSNDPKR)</li>
<li>One_Way_Hash (CSNBOWH)</li>
<li>Digital_Signature_Generate (CSNDDSG)</li>
<li>Master_Key_Distribution (CSUAMKD)</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcworking.htm" title="After you set up your Cryptographic Coprocessor, you can begin writing programs to make use of your Cryptographic Coprocessor's cryptographic functions.">Manage the Cryptographic Coprocessor</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="exampleprograms"><a name="exampleprograms"><!-- --></a><h1 class="topictitle1">Example programs</h1>
<div><p>Nine pairs of example programs are provided for your consideration. Each
pair contains a program written in ILE C and a program written in ILE RPG.
Both perform the same function.</p>
<div class="note"><span class="notetitle">Note:</span> Read the <a href="codedisclaimer.htm#codedisclaimer">Code license and disclaimer information</a> for
important legal information.</div>
<ul><li><a href="rzajcsetmofnc.htm#setmofnc">Example: ILE C program for setting the min and max values for master key shares in your Cryptographic Coprocessor</a></li>
<li><a href="rzajcsetmofnrpg.htm#setmofnrpg">Example: ILE RPG program for setting the min and max values for master key shares in your Cryptographic Coprocessor</a></li>
</ul>
<ul><li><a href="rzajcgenretainc.htm#genretainc">Example: ILE C program for generating a retained key pair for cloning master keys</a></li>
<li><a href="rzajcgenretainrpg.htm#genretainrpg">Example: ILE RPG program for generating a retained key pair for cloning master keys</a></li>
</ul>
<ul><li><a href="rzajcreghashc.htm#reghashc">Example: ILE C program for registering a public key hash</a> </li>
<li><a href="rzajcreghashrpg.htm#reghashrpg">Example: ILE RPG program for registering a public key hash</a></li>
</ul>
<ul><li><a href="rzajcregpubkeyc.htm#regpubkeyc">Example: ILE C program for registering a public key certificate</a> </li>
<li><a href="rzajcregpubkeyrpg.htm#regpubkeyrpg">Example: ILE RPG program for registering a public key certificate</a></li>
</ul>
<ul><li><a href="rzajccertkeyc.htm#certkeyc">Example: ILE C program for certifying a public key token</a> </li>
<li><a href="rzajccertkeyrpg.htm#certkeyrpg">Example: ILE RPG program for certifying a public key token</a></li>
</ul>
<ul><li><a href="rzajcgetsharec.htm#getsharec">Example: ILE C program for obtaining a master key share</a> </li>
<li><a href="rzajcgetsharerpg.htm#getsharerpg">Example: ILE RPG program for obtaining a master key share</a></li>
</ul>
<ul><li><a href="rzajcputsharec.htm#putsharec">Example: ILE C program for installing a master key share</a></li>
<li><a href="rzajcputsharerpg.htm#putsharerpg">Example: ILE RPG program for installing a master key share</a></li>
</ul>
<p>The remaining two pairs of example programs are not necessary for master
key cloning. They may be useful, however, for developing and testing the
previous example programs.</p>
<ul><li><a href="rzajclistretainc.htm#listretainc">Example: ILE C program for listing retained keys</a> </li>
<li><a href="rzajclistretainrpg.htm#listretainrpg">Example: ILE RPG program for listing retained keys</a></li>
</ul>
<ul><li><a href="rzajcdltrtnkeyc.htm#dltrtnkeyc">Example: ILE C program for deleting retained keys</a> </li>
<li><a href="rzajcdltrtnkeyrpg.htm#dltrtnkeyrpg">Example: ILE RPG program for deleting retained keys</a></li>
</ul>
<p>For more information on cloning master keys, refer to the <a href="http://www.ibm.com/security/cryptocards/library.shtml" target="_blank">IBM<sup>®</sup>
PCI Cryptographic Coprocessor CCA Basic Services Reference and Guide.</a><img src="www.gif" alt="Link outside Information Center" /></p>
</div>
</div>
</body>
</html>