In an increasingly interconnected world, data breaches grab headlines. The security of sensitive information is vital; and new requirements and regulatory bodies such as the Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) create challenges for enterprises that use encryption to protect their information. As encryption becomes more widely adopted, organizations also must contend with an evergrowing set of encryption keys. Effective management of these keys is essential to ensure both the availability and security of the encrypted information. Centralized management of keys and certificates is necessary to perform the complex tasks related to key and certificate generation, renewal, backup and recovery.
The IBM Enterprise Key Management Foundation (EKMF) is a flexible and highly secure key management system for the enterprise. It provides centralized key management on IBM zEnterprise® and distributed platforms for streamlined, efficient and secure key and certificate management operations. The EKMF is well-suited for banks, payment card processors and other businesses that must meet EMV® and payment card industry (PCI) requirements. EKMF serves as foundation on which remote crypto solutions and analytics for the cryptographic infrastructure can be provided.
The IBM DKMS solution that is used by major financial customers worldwide is the engine in the EKMF. IBM DKMS is developed by IBM EMEA Crypto Competence Center in close cooperation with many of these customers. The DKMS functionality is continuously being extended and improved in accordance with customer needs, industry standards, and regulatory initiatives.
High volume certificates and encryption keys can be managed centrally and uniformly with DKMS independent of target platforms. DKMS manages keys and certificates for cryptographic coprocessors, hardware security modules (HSM), software implementations like Java key store, ATMs, and point of sale terminals. DKMS offers an intensive support for EMV® chip cards, both for issuers, acquirers, and for card brands.
The main attributes of DKMS are:
DKMS constitutes a centralized architecture where management for multiple servers is performed from a single operator console: the DKMS workstation; as shown in the figure below. The workstation is connected to servers that are equipped with cryptographic engines and host the certificate- or key-consuming applications. One of the servers holds a central DKMS key repository used as backup for all keys and certificates managed by the system.
Being on-line to the servers enables DKMS to manage keys and certificates centrally and in real-time. Generally DKMS pushes key material to key stores associated with the cryptographic engines on the servers. Alternatively, it is possible for an application to request key material from the central DKMS repository, e.g. for use with third party HSMs that do not implement key stores.
The applications request cryptographic support via application programming interfaces (APIs) on the servers. APIs are usually offered as a part of the crypto HW. However, DKMS offers extensions to these APIs for selected areas that substantially ease the use and provides additional functionality.
The DKMS workstation includes an IBM 4765 Cryptographic Coprocessor that assures high security and high quality of the generated keys.
Basic Key Management
Basic key management functions include key generation, key import, key extraction, key print, and key administration. The functions are controlled by key templates and key policies. Besides controlling functions for a key the key template also predefines the key's attributes which greatly ease daily work. When generating or entering a key it is automatically distributed to the servers specified in the key template.
Clear key parts are often used for initial exchange of symmetric keys with external partners. Entering of clear key parts is done on the DKMS workstation's keyboard or alternatively on a dedicated high security key board.
Printing of key mailers is performed on a printer attached directly to the DKMS workstation. DKMS supports formatting of the key mailers and can add additional data like contact information and key check value.
ACSP is a client/server solution that enables distributed clients to use cryptographic hardware resources on a server. This results in cost effective use of available cryptographic capacity, easy deployment of cryptographic services, and easier key management. The solution is particular well-suited for clients that wish to use System z as a security hub, since z/OS provides RACF protection of cryptographic keys and functions, and keys can be managed by DKMS.View image
CAT for System z is a tool that collects all kinds of crypto information on an IBM System z and presents it in a useful way. CAT lets you have better control of your crypto environment and via CAT' built-in analytics functions gives you a clear indication of policy deviations.
Certificates have become more and more important as many web services and other communication connections rely on a RSA based certificate scheme to assure authenticity and privacy. This scheme requires that certificates are renewed at regular intervals.
DKMS certificate management centralizes and unifies most of the tasks, traditionally performed manually for system components utilizing SSL or other certificate based schemes. Functions are offered that ease administration of a large population of certificates. The DKMS certificate management supports RACF, WebSphere DataPower, WebSphere MQ, and numerous SSL server implementations.
An important function of certificate management is monitoring of certificate expiry. An expired certificate most often means a disrupted service. DKMS monitors certificate expiration and send warning messages in due time before a certificate expires.
Existing certificates can be included easily in DKMS monitoring. DKMS tools scan the system and import the certificate information.
EMV® chip card key management
DKMS offers key management for EMV chip cards as defined by the EMVco organization. Both EMV card issuers, acquirers, and brand certificate authorities can benefit from DKMS's support.
The EMV card issuer and acquirer support consists of:
The brand certificate authority support consists of:
Generation of RSA keys for DDA chip cards is quite time consuming thus making it inappropriate to generate a key at the time it is needed. DKMS offers an elegant solution where keys are pre-generated to a pool utilizing spare crypto capacity during off-peak hours.