Security solutions
A modern cryptographic solution is always based on generally accepted key-based algorithms, so its security relies on the secrecy and proper use of the keys. The introduction of cryptography therefore raises a new issue, namely key management.
Key management means managing the keys throughout their life cycle, from generation to revocation. During the active part of a key's life cycle it is important to control the use of the key, so that it is only used for its intended purpose, and to control access to it.
In an organization, key management is a matter of both procedures and tools. The IBM Distributed Key Management System (DKMS) has all the features needed for key management. Furthermore, it supports the organization's procedures by providing mechanisms for separation of duties and dual control.
DKMS offers key management for both symmetric and asymmetric keys. The latter includes functionality intended specifically for the financial sector, such as ATM remote key loading and EMV support.
DKMS is currently used by several major financial customers in Europe, AP, the US, and Africa.
DKMS is developed by the IBM EMEA Crypto Competence Center in close cooperation with many banks. DKMS functionality is constantly being extended and improved in accordance with the needs and experiences of the customers.
DKMS is based on a workstation running Windows 2003, an IBM 4764 Cryptographic Coprocessor, and optionally Java smart cards. The DKMS workstation is typically connected to one or more servers that are equipped with cryptographic engines. The servers host the applications that use the cryptographic keys. The applications get the cryptographic support via Application Programming Interfaces (APIs) on the servers.
DKMS supports a variety of cryptographic engines including:
- IBM mainframe cryptographic coprocessors (CryptoExpress2, PCIXCC, PCICC, and CCF) on z/OS
- IBM 4758 and IBM 4764 on Windows and Linux (on Linux, IBM 4764 only)
- IBM crypto on System p (feature #4764 and #4964)
- IBM crypto on System i (feature #4801 and #4806)
- Basic support for non-IBM crypto hardware such as nCipher®, Thales®, and Eracom®.

The security officer performs all key administration from the DKMS workstation and manages keys for all crypto engines on the connected servers from this central point.
DKMS is a general key management system with special emphasis on support for the IBM Common Cryptographic Architecture. The basic functionality provided by DKMS is:
- Key management on several systems. Many computing centers have several server systems, very often in different geographical locations. DKMS provides the facility to perform all key management functions for all the systems from a single DKMS Workstation.
- Maintaining keys in key storage. DKMS can write keys to key storage on the servers it is connected to.
- Support of every cryptographic entity on the network (terminals, institutions, cryptographic coprocessors, servers). Each entity type has its own key hierarchy, and each of them can be defined and managed in DKMS.
- Secure key generation. The security of the system is highly dependent on the method of generation. In DKMS, key generation takes place within the IBM 4764 Cryptographic Coprocessor, where a true random number generator generates the keys. RSA key generation conforms to ANSI X9.31.
- Key distribution and exchange. DKMS can generate keys for the supported cryptographic devices as key parts, which can be extracted from DKMS on paper or diskettes. Keys exchanged with other institutions or installations can be output from and input to DKMS.
- Key mailers for distribution of keys. Customer specific key mailers, for distribution of keys, can be defined in DKMS.
- Backup of keys. Keys are stored in a database together with pertinent information such as activation dates and usage. By storing all keys in a database, backup is easily achieved by including the database in existing database backup procedures.
- Tailoring to the organization. DKMS allows keys to be separated on several levels:
  - Separation between development and test environments.
  - Separation of keys between applications.
  - Separation of keys based on the usage of the keys.
  - Separation between different versions of the same key.
- Key administration. The security administrator can define and display information about the keys on the DKMS Workstation. The key hierarchy of each cryptographic entity can be displayed, so you can always get an overview of your key setup.
- Access control. The DKMS Access Control System is role based and controls access to DKMS functions. For each user, the system administrator can define which functions that user may use and which keys they may access.
- Dual control. Some functions must be performed under dual control. DKMS handles this by requiring that two users be logged on simultaneously.
- Audit Logging. Every important activity is logged in a DB2 table and in z/OS SMF, if available.
DKMS also provides high level application programming interfaces (APIs) on the server. The standard CCA APIs implemented for IBM crypto hardware are fairly low level and require a lot of knowledge about cryptography in general and IBM CCA in particular. The DKMS API extensions lift the APIs closer to the business applications and add possibilities to retrieve the correct keys for the requested business function.
On top of the basic functionality DKMS offers a number of business focused features to meet specific needs. These features include:
- EMV support
- MasterCard on-behalf service
- Remote Key Loading for ATMs
- SSL certificate management
- PIN print support
EMV support
DKMS offers support for EMV IC cards as defined by EMVCo. Both EMV card issuers and the brand certificate authorities can benefit from DKMS' support.
The EMV card issuer support consists of:
- Issuer signature key generation and certificate handling. The issuer's signing key is generated, the certificate request is created, and certificates are handled according to the formats and procedures specified by Visa and MasterCard.
- Card issuing support functions such as signing static data for Static Data Authentication (SDA), generating card unique RSA keys for Dynamic Data Authentication (DDA), and deriving card unique DES keys from issuer master keys.
- Transaction authorization support for verification of application cryptograms, generation of response cryptograms and secure scripts.
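Deriving a card-unique DES key from an issuer master key, as an added Go example that is not DKMS code. It follows the EMV Book 2 Annex A1.4.1 Option A derivation (Y = rightmost 16 digits of PAN||PSN as BCD; key = DES3(IMK)[Y] || DES3(IMK)[Y xor FF..FF], parity-adjusted); the function names are assumptions and any key, PAN and PSN values used with it are constructed.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"math/bits"
	"strings"
)

// oddParity forces odd parity on every byte in place (bit 0 of a DES key byte is its parity bit).
func oddParity(k []byte) {
	for i, b := range k {
		if bits.OnesCount8(b)%2 == 0 {
			k[i] = b ^ 1
		}
	}
}

// deriveCardKey follows EMV Book 2, Annex A1.4.1 Option A: Y is the rightmost 16 digits of
// PAN||PSN as BCD, and the card key is DES3(IMK)[Y] || DES3(IMK)[Y xor FF..FF], parity-adjusted.
func deriveCardKey(imk []byte, pan, psn string) ([]byte, error) {
	if len(imk) != 16 {
		return nil, errors.New("issuer master key must be a 16-byte double-length DES key")
	}
	if len(psn) != 2 || strings.Trim(pan+psn, "0123456789") != "" {
		return nil, errors.New("PAN and two-digit PSN must be decimal digits")
	}
	digits := strings.Repeat("0", 16) + pan + psn // left padding handles PANs shorter than 14 digits
	y, _ := hex.DecodeString(digits[len(digits)-16:]) // decimal digits are valid hex, so this packs BCD
	blk, err := des.NewTripleDESCipher(append(append([]byte{}, imk...), imk[:8]...)) // K1|K2|K1
	if err != nil {
		return nil, err
	}
	key := make([]byte, 16)
	blk.Encrypt(key[:8], y)
	for i := range y {
		y[i] ^= 0xFF
	}
	blk.Encrypt(key[8:], y)
	oddParity(key)
	return key, nil
}
```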
The brand certificate authority support consists of:
- Management of the EMV root key, including publishing the public key.
- Reception of certificate requests from issuers and certification of the issuer public keys.
MasterCard on-behalf service
MasterCard Europe offers an on-behalf service in which MasterCard authorizes transactions on behalf of the issuer. To do this, MasterCard must possess the verification keys.
The DKMS MasterCard on-behalf service offers the functionality needed to transport the verification keys to MasterCard Europe according to the MasterCard specification and procedures (ESP On-behalf key management). Both two-layer and three-layer key hierarchies are supported.
Remote Key Loading for ATMs
Newer ATMs allow terminal keys to be exchanged with back-end systems using an RSA key exchange scheme, known as Remote Key Loading (RKL). This is a more cost-effective way of managing the terminals than having several people travel to each ATM with key parts.
DKMS provides an API that generates a terminal master key and exports it under the ATM public key. Further, DKMS has functions for the required exchange of public keys and certificates with the ATM manufacturers according to the manufacturers' specifications. The DKMS RKL feature supports major ATM vendors such as Diebold, NCR, and Wincor Nixdorf.
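A minimal remote key loading exchange between host and ATM, as an added Go example that is neither DKMS nor vendor code: the host wraps a fresh terminal master key (TMK) under the ATM public key with RSA-OAEP and signs it with RSA-PSS (standing in for the manufacturer-specific certificate exchange), and the ATM verifies the signature, unwraps the key and returns a key check value for the host to compare. The function names, the OAEP label and the use of SHA-256 are assumptions; each vendor's real RKL scheme differs in detail, and parity adjustment of the TMK is omitted.

```go
package main

import (
	"crypto"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// kcv: first 3 bytes of 3DES(zero block) under the 16-byte key, so both ends can confirm they hold the same TMK.
func kcv(tmk []byte) []byte {
	blk, _ := des.NewTripleDESCipher(append(append([]byte{}, tmk...), tmk[:8]...)) // K1|K2|K1
	out := make([]byte, 8)
	blk.Encrypt(out, make([]byte, 8))
	return out[:3]
}

// hostExportTMK (host/HSM side): draws a fresh 16-byte TMK, wraps it under the ATM public key with
// RSA-OAEP and signs the wrapped key with the host key (RSA-PSS) so the ATM can authenticate the sender.
func hostExportTMK(atmPub *rsa.PublicKey, hostPriv *rsa.PrivateKey) (tmk, wrapped, sig []byte, err error) {
	tmk = make([]byte, 16)
	if _, err = rand.Read(tmk); err != nil {
		return
	}
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, atmPub, tmk, []byte("TMK")); err != nil {
		return
	}
	h := sha256.Sum256(wrapped)
	sig, err = rsa.SignPSS(rand.Reader, hostPriv, crypto.SHA256, h[:], nil)
	return
}

// atmImportTMK (terminal side): refuses anything not signed by the known host key, then unwraps the
// TMK and returns its check value for the host to compare with its own before the key goes live.
func atmImportTMK(atmPriv *rsa.PrivateKey, hostPub *rsa.PublicKey, wrapped, sig []byte) (tmk, check []byte, err error) {
	h := sha256.Sum256(wrapped)
	if err = rsa.VerifyPSS(hostPub, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, nil, errors.New("host signature invalid: TMK rejected")
	}
	if tmk, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, atmPriv, wrapped, []byte("TMK")); err != nil {
		return nil, nil, err
	}
	if len(tmk) != 16 {
		return nil, nil, errors.New("unwrapped TMK has the wrong length")
	}
	return tmk, kcv(tmk), nil
}
```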
SSL certificate management
Many web services and other communication connections rely on an RSA-based certificate scheme to assure authenticity and privacy. This scheme requires that RSA keys and certificates be renewed at regular intervals. The DKMS SSL certificate management feature centralizes and unifies most of the tasks traditionally performed manually for components using SSL or other certificate-based schemes. Further, functions are offered that ease the administration of certificates for a large population of SSL servers. DKMS SSL certificate management supports numerous SSL server implementations.
PIN print support
DKMS PIN print support controls the printing of PIN and password mailers in a secure way. A high level of security is obtained by enforcing dual control for all security-sensitive operations. The PINs or passwords to be printed are retrieved from other systems or generated by the DKMS PIN Print system, and merged with predefined template mailers before printing.
Contact your local IBM representative or directly.