Customer key attributes

This article provides information about the attributes for the customer keys for usage with Authentication Suite Server SDK for Entrust nShield HSM, and as configured when using Key Management Tool.

It is recommended to create FIPS 140-2 Level 3 Security World for higher level of security.
In FIPS 140-2 Level 3 security world, it is required either the ACS or an OCS to authorize most operations, including the creation of keys.

In case of using FIPS 140-2 Level 3 Security World (strict FIPS 140-2 Level 3 mode), the new Entrust nShield HSMs based on PowerPCELF architecture (Entrust nShield XC) does not permit to generate keys being double-length 3DES keys (DES2).
In case of FIPS 140-2 Level 3 Security World, the Entrust nShield XC SMs can use existing DES2 keys already generated previously, but cannot generate new DES2 keys.

Expected values

Table: Attribute values expected for the keys on the customer's side
Key attributes	HSM storage key	HSM transport key	KEK
Key type	DES2 or DES3 or AES128 or AES256(7)	DES2 or DES3 or AES128 or AES256(7)	DES2 or DES3 or AES128 or AES256(7)
Key size	128 (DES2) or 192 (DES3) or 128 (AES128) or 256 (AES)	128 (DES2) or 192 (DES3) or 128 (AES128) or 256 (AES)	128 (DES2) or 192 (DES3) or 128 (AES128) or 256 (AES)
Key module protected (1)	TRUE	TRUE	TRUE
Key SEE protected (2)	TRUE	TRUE	TRUE
Encrypt operational permission	TRUE(3)	TRUE(3)	FALSE(4)
Decrypt operational permission	TRUE(3)	TRUE(3)	FALSE(4)
GetACL operational permission	TRUE	TRUE	TRUE
Export	FALSE	FALSE	TRUE(5)
Exportable	FALSE	TRUE(6)	FALSE

(1): All the keys created by Key Management Tool are protected by the Security world. Key Management Tool creates keys in standalone files (up to 11 key files: vascoStorageKey.txt, vascoTransportKey.txt, and vasco1.txt to vasco9.txt) that contain the key BLOBs protected by the module (Security World Key).

(2): All the keys created by Key Management Tool will have their operational permissions protected by the customer’s SEE code signing key. It is used to sign the user data file working with the Authentication Suite Server SDK SEE machine.

The SEE code signing key used by the customer to sign the userdata.sar file should never be changed.
Indeed, all the OneSpan keys (HSM storage keys, HSM transports keys) generated by the Key Management Tool are protected by this customer’s SEE code signing key that is used to sign the userdata.sar file.
(At startup, the manager tool uses the userdata.sar file located in the nfast key management directory).
In case of changing this customer’s SEE code signing key and signing the userdata.sar file with another new SEE code signing key, the OneSpan keys previously generated would not be usable anymore with the Authentication Suite Server SDK SEE machine that would use on startup such new userdata.sar file signed with the new SEE code signing key. By extension, all the Digipass BLOB records or DPX files encrypted under the former OneSpan keys would become also unusable.

(3): HSM-level BLOB storage keys and HSM-level DPX transport keys will be allowed to perform encrypt and decrypt operations only within the Authentication Suite Server SDK SEE machine.

(4): Key encrypting keys will be allowed to perform neither encrypt nor decrypt operations. These keys will be used outside the Authentication Suite Server SDK SEE machine context, to export one or more HSM-level DPX transport key(s) in encrypted form (See (5)) with Key Management Tool.

(5): Generated key encrypting keys will be able to export keys (only in encrypted form) that will be defined as exportable by this KEK. (HSM-level DPX transport keys).

(6): Generated HSM-level DPX transport keys will be exportable with only one defined KEK. (When using Key Management Tool, the KEK prone to exporting the HSM-level DPX transport key is chosen during the transport key generation.)

(7): 3DES triple-length or AES highly recommended.

Table: Meaning of key attributes
Attribute	Meaning
Key module protected	Indicates whether the key is protected by the security world key. The key will not be usable in another security world.
Key SEE protected	Indicates whether the key operational permissions (Encrypt, Decrypt, GetACL) are protected by the customer’s SEE code signing key used to sign the user data file working with the Authentication Suite Server SDK SEE machine. The key will not allow performing these operations outside the Authentication Suite Server SDK SEE machine started with a correctly signed user data file. The key will not be usable within the Authentication Suite Server SDK SEE machine, if the user data file used to start the SEE machine has been signed with a different SEE code signing key than the user data file used with the manager tool to generate the key.
Encrypt operational permission	Indicates whether the key can be used to encrypt data. This operation will only be possible within the Authentication Suite Server SDK SEE machine started with a correctly signed user data file.
Decrypt operational permission	Indicates whether the key can be used to decrypt data. This operation will only be possible within the Authentication Suite Server SDK SEE machine with a correctly signed user data file.
GetACL operational permission	Indicates whether the key can be used to list all the permitted operations (Encrypt, Decrypt, GetACL). This operation will only be possible within the Authentication Suite Server SDK SEE machine started with a correctly signed user data file.
Export	Indicates whether the key can be used to export an exportable key in encrypted form. The key will be authorized to act as a Wrapping Key in a Raw Encrypt Derivation Mechanism.
Exportable	Indicates whether the key can be exported in encrypted form. The key will be authorized to act as a Base Key in a Raw Encrypt Derivation Mechanism using a specified key as Wrapping Key.

Customer key attributes

Expected values

Resources