There are significant business benefits from centralizing and automating key-lifecycle processes. However, for a product offering to do this, it must deliver a secure and robust service based on proven and certified technologies.
CKMS is built on a resilient client-server architecture. Hardware Security Modules (HSMs) are used to ensure high quality key material and strong protection of keys.
High availability is ensured through clustering of the servers, database and HSMs. Key management administration can be performed without restrictions on time or place via an intuitive GUI, supported by secure PIN entry devices (PEDs) and smart-cards for strong authentication. The PEDs also support key import/export and key share printing.
Keys are distributed to applications and HSMs in a wide range of formats (key-blocks). All critical operations are recorded in a tamper-evident audit log.
The high-level elements of CKMS are described below.
The CKMS Server is the central part of the system, where the actual key management takes place and from where keys are pushed to the key targets. The CKMS Server connects to its dedicated HSM and a database to provide key management and key requesting services.
The CKMS Client provides a graphical user interface for users to manage and operate the CKMS server. The client is provided as a Windows application.
CKMS stores all data in a standard commercial relational database. All sensitive information stored in the database, such as keys and key components, is encrypted under the master key of the HSM. Keys only exist in clear text inside the HSM. Other sensitive data, for example settings and logs, is integrity protected by a hardware MAC key so that the data cannot be edited without the server.
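The integrity model described above (MAC-protected settings and a tamper-evident audit log) is illustrated by the following added example. It is not Cryptomathic code and it assumes nothing about CKMS internals: the HSM-resident MAC key is stood in for by a constructed local byte string, and the record layouts are invented for the illustration.

```python
import hmac
import hashlib
import json

# Constructed stand-in for the hardware MAC key. In the real design the key
# never leaves the HSM; here it is a local constant so the example runs offline.
MAC_KEY = b"example-hsm-mac-key-not-real"

def _canonical(obj: dict) -> bytes:
    # Canonical JSON so the same record always yields the same bytes to MAC.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def protect_record(record: dict, key: bytes = MAC_KEY) -> dict:
    """Attach a MAC to a settings record before it is written to the database."""
    return {"body": record, "mac": _mac(key, _canonical(record))}

def verify_record(stored: dict, key: bytes = MAC_KEY) -> bool:
    """True only if the stored body still matches its MAC (no edit outside the server)."""
    return hmac.compare_digest(_mac(key, _canonical(stored["body"])), stored["mac"])

def append_audit(log: list, event: dict, key: bytes = MAC_KEY) -> list:
    """Append an audit event whose MAC also covers the previous entry's MAC.
    Chaining means an edited, deleted or reordered entry breaks every later MAC."""
    prev = log[-1]["mac"] if log else "0" * 64
    mac = _mac(key, prev.encode() + _canonical(event))
    log.append({"event": event, "prev": prev, "mac": mac})
    return log

def verify_audit(log: list, key: bytes = MAC_KEY) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        expected = _mac(key, prev.encode() + _canonical(entry["event"]))
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return i
        prev = entry["mac"]
    return -1
```

A verifier that only checks each entry's own MAC would miss a deleted entry; the chained `prev` field is what makes removal detectable.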
Every CKMS instance requires at least one HSM, which is used to ensure the generation of high-quality keys and to protect sensitive material when it is stored in the database. Additionally, sophisticated techniques are used to ensure that keys and key components are never exposed in unencrypted form in server memory or on client machines.
Key Targets and Clients are the entities that receive keys and other credentials from CKMS. Key Targets receive keys automatically via an on-line protocol; Clients receive keys via manual export-and-import.
CKMS also makes use of PIN-pads and smart-cards. These are used for both user authentication and the secure import of key components.
To support the broadest range of integrations with applications (as ‘Key Targets’ and ‘Clients’), CKMS supports a range of proprietary and standardised ‘Key Block’ formats. These define, at the bit level, the format in which keys are exchanged with different systems. Supported formats include.
At the leading edge of security provision within its key markets, Cryptomathic closely supports its global customer base with many multinationals as longstanding clients.