
Tricryption KeyServer

Tricryption® KeyServer manages automatic key generation, key storage and retrieval, key integrity checks, and authorization and auditing of key usage. Tricryption KeyServer uses symmetric keys (AES or 3DES) for maximum performance and reliability. Tricryption KeyServer offers a wide range of cryptography, authentication and authorization options so that customers can support virtually any global security standard.

Tricryption KeyServer Software Components:

CSP Module

Functions:

  • Generates and protects cryptographic keys
  • Performs encryption, decryption and hashing
  • Generates random numbers
  • Uses 3rd-party CSMs and standard cryptographic algorithms
3rd-Party CSMs Supported:
  • OpenSSL 0.9.7l (library) [FIPS 140-2 Level 1]
  • HSMs: SafeNet Luna, nCipher nShield [FIPS 140-2 Level 2/3]
  • Proprietary CSMs, integrated through a wrapper interface (integration performed by ERUCES Inc. or an SI partner)

Key Manager Module

Functions:

  • Utilizes standard cryptographic algorithms (AES 128/192/256, 3DES) provided by the CSP module.
  • Executes Tricryption Process
  • Performs key life-cycle management
  • Orchestrates coordination between other key server modules

Communications Module

Exposes the functionality of KeyServer to the external world and protects TCP/IP communications with TLS where required. Multi-threaded; scales effectively.

Manages:

  • Pool of TCP/IP sockets
  • Pool of worker threads

Authentication Module

Functions:

  • Implements Native Authentication through Secure Remote Password (SRP) Protocol
  • Participates (with external providers/stores) in execution of additional supported protocols
  • Provides authentication for TLS


Supports:

  • LDAP (cross platform)
  • NIS (cross platform)
  • Active Directory (Windows)
  • Corporate PKI (can import CA certificate chains and synchronize user certificates) with smart card support
  • SAML-2* (Cross Platform) [*Summer 08]
  • Can support any authentication provider that resembles the GSS-API, through a façade/wrapper


Authorization Module

Determines a user's right to execute a specific operation (read, write, update ACL, encrypt, …) on a specific object (key). Implements:

  • RBAC (Role Based Access Control)
  • DAC (Discretionary Access Control)


Integration with SAML2 [Summer 2008]: ability to 'outsource' the authorization decision to an external provider.

Logging Module

  • Centralized logging
  • Logs all operations (logging can be configured as mandatory)
  • Logs stored in log DB (within Key DB)

Persistency Module

  • An interface to the key database component
  • Performs object-relational mapping
  • Supports standard RDBMSs: Oracle, Sybase, DB2, SQL Server, PostgreSQL, MySQL

Key Database Module

Architectural component that:

  • Uses a standard RDBMS (Oracle, Sybase, DB2, SQL Server, PostgreSQL, MySQL)
  • Types of data stored: keys (encrypted), ACLs, logs, user credentials, user rights, roles, groups, configuration information
  • All records signed to prevent tampering
  • Records time-stamped allowing multi-tiered storage

Works with the customer's current RDBMS installation base (existing licenses and familiarity with the product).
Existing backup and fail-over methods and architecture can be reused for the key database.

Tricryption KeyServer Manager

A GUI application written in Java, coded around the Tricryption API.

Used by KeyServer administrator(s) to:

  • Control operational parameters of a key server (e.g. configure TCP/IP ports)
  • Manage users, groups and roles
  • Manage trust between key servers (establish/disable/remove)

Tricryption Manager can provide for separation of roles (Tricryption admin from system admin).


Key Hierarchy

Information is protected using symmetric session keys. The session keys are encrypted using so-called system keys and stored in the key database. The number of system keys is selectable during installation; at run time, one of them is chosen at random to encrypt each session key. The system keys are stored in the same key database, encrypted using one of the so-called master keys.

Other master keys are used for tasks such as signing rows in the key database, protecting passwords and establishing the TLS channel. The master keys reside in the master key container, which is protected with a system protector. The system protector comes in several flavors:

1. Windows protector - the master key container is protected using Microsoft's CSP:

  • an additional 3DES key is generated
  • the additional 3DES key encrypts the master key container
  • an additional RSA key pair is generated (with the CRYPT_MACHINE_KEYSET flag set)
  • the additional 3DES key is encrypted using the RSA key and stored in the system registry (HKEY_LOCAL_MACHINE\SOFTWARE\ERUCES\Tricryption Engine\File Protection Edition\Crypto)
  • how Microsoft protects private keys is extensively described in Microsoft's documentation

2. Password protector - the master key container is protected with a password (encrypted with a symmetric key derived from the password using PKCS#5)

3. Shared-secret protector - the master key container is protected with a k-of-m shared-secret scheme (Lagrange interpolating polynomial type); the secret is spread across m (e.g. 5) tokens or smart cards, and during system startup you need to assemble k of them (k

4. HSM protector - the master key container is protected using an HSM (e.g. SafeNet Luna)
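The hierarchy and protectors described above, as an added example that is not ERUCES code and does not reproduce the product's formats. It assumes 256-bit keys, two master keys (one wrapping, one row-signing), HMAC-SHA256 in counter mode as a stand-in for the AES/3DES wrapping the product performs through its CSP, PBKDF2-HMAC-SHA256 for the PKCS#5 password protector, and Shamir sharing over GF(2^521 - 1) for the k-of-m protector; the names KeyServer, wrap, unwrap, password_protector, split_secret and combine_shares are this example's own.

```python
"""Added model of the 4-level key hierarchy and system protectors described
above; illustration code, not the product's implementation.
  Level 0  system protector (password via PKCS#5 PBKDF2, or k-of-m shares)
           yields the key that unlocks the master key container
  Level 1  master keys: one wraps system keys, one signs key-database rows
  Level 2  system keys, stored wrapped under the master wrapping key
  Level 3  session keys, stored wrapped under a randomly chosen system key
HMAC-SHA256 in counter mode stands in for AES/3DES so this runs on the
standard library alone (assumption: the product wraps with AES/3DES via a CSP).
"""
import hashlib
import hmac
import os
import secrets


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF keystream: HMAC(key, "enc" || nonce || counter), 32 bytes per block."""
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under kek; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(kek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong kek or an edited blob fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))


# ---- system protectors (level 0) ----------------------------------------

def password_protector(password: bytes, salt: bytes) -> bytes:
    """Password protector: PKCS#5 PBKDF2-HMAC-SHA256 -> 256-bit container key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, 32)


P = 2 ** 521 - 1  # Mersenne prime field; every 32-byte secret is below P


def split_secret(secret: bytes, k: int, m: int) -> list:
    """Shared-secret protector: Shamir k-of-m shares (x, f(x)) of a 32-byte key."""
    assert 1 <= k <= m and len(secret) == 32
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, m + 1)]


def combine_shares(shares: list) -> bytes:
    """Lagrange interpolation of f(0) over GF(P). Fewer than k shares give a
    random field element, which the container's integrity check then rejects."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return (total % (1 << 256)).to_bytes(32, "big")


# ---- the hierarchy (levels 1-3) -------------------------------------------

class KeyServer:
    def __init__(self, container_key: bytes, n_system_keys: int = 4):
        master_wrap, master_sign = os.urandom(32), os.urandom(32)
        # Level 1: master key container, readable only with the protector's key.
        self.container = wrap(container_key, master_wrap + master_sign)
        # Level 2: system keys in the key DB, each wrapped and its row signed.
        self.system_rows = [self._sign_row(master_sign, i, wrap(master_wrap, os.urandom(32)))
                            for i in range(n_system_keys)]
        self.session_rows = {}  # name -> (system key index, wrapped session key)

    @staticmethod
    def _sign_row(sign_key: bytes, ref: int, blob: bytes) -> tuple:
        return blob, hmac.new(sign_key, b"row" + ref.to_bytes(4, "big") + blob, hashlib.sha256).digest()

    def _system_key(self, container_key: bytes, idx: int) -> bytes:
        masters = unwrap(container_key, self.container)  # wrong protector key fails here
        master_wrap, master_sign = masters[:32], masters[32:]
        blob, sig = self.system_rows[idx]
        if not hmac.compare_digest(sig, self._sign_row(master_sign, idx, blob)[1]):
            raise ValueError(f"key DB row {idx} has been tampered with")
        return unwrap(master_wrap, blob)

    def new_session_key(self, container_key: bytes, name: str) -> bytes:
        # Level 3: choose a system key "in a random fashion" and wrap under it.
        idx = secrets.randbelow(len(self.system_rows))
        session_key = os.urandom(32)
        self.session_rows[name] = (idx, wrap(self._system_key(container_key, idx), session_key))
        return session_key

    def get_session_key(self, container_key: bytes, name: str) -> bytes:
        idx, blob = self.session_rows[name]
        return unwrap(self._system_key(container_key, idx), blob)
```

Usage: build the server with a container key from either protector, e.g. `ks = KeyServer(combine_shares(three_of_five_shares))` or `ks = KeyServer(password_protector(pw, salt))`; `new_session_key` and `get_session_key` then walk the chain protector key, master keys, system key, session key. Two points worth noting from running it: with only k-1 shares the interpolation silently returns a wrong key, and the only thing that catches it is the authenticated wrap on the master key container, which is why every level here uses encrypt-then-MAC; and because system-key rows are signed under a master key, editing a wrapped system key in the database is detected before any unwrap is attempted, matching the "all records signed to prevent tampering" property.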

Supported Operating Environments

  Key Management & Transparent Encryption:  Windows, Linux, Solaris
  Key Management & Encryption:              AIX, HP-UX

Security Components & Infrastructure Integration

Crypto Modules:
  • OpenSSL 0.9.8e
  • SafeNet Luna HSM
  • nCipher nShield

KeyServer Features:
  • ECC TLS secure communications
  • Written in platform-independent C++
  • 4-level key hierarchy
  • PKI key export option

Authentication:
  • Active Directory
  • LDAP
  • NIS (*nix)
  • Token
  • PKI
  • Native (SRP protocol)
  • SAML (in development)

Authorization:
  • DAC
  • RBAC
  • LBAC (in development)
  • SAML (in development)


Copyright © 2010 www.eruces.com. All Rights Reserved.