Untitled :: nShield Docs

Module Private Keys

These aren’t module keys in the sense described previously (for instance, they are not enumerated by Cmd_GetKMList), but they are persistent keys private to the module.

KLF2 (Module Long-Term Signing Key)

KLF2 is the module’s long-term signing key.

It is generated in the factory and fixed for the lifetime of the module (i.e. it survives reinitialization).

Current nShield HSMs use KLF2 as the trusted module long-term signing key. The presence of KLF2 is indicated by the HasKLF2 bit in the EnquiryDataFour flags.

A warrant is a certificate created in the factory that binds the module’s electronic serial number (ESN) to its KLF2 public key. Warrants can be used as part of communication protocols to assure a peer that it is talking to a specific module.

Cmd_GetModuleState and Cmd_SignModuleState can be used to retrieve the public half of KLF2.

KML (Module Per-Initialization Signing Key)

This is a module signing key. It is generated during module initialization (and therefore destroyed when the module is reinitialized). It is a 1024-bit or 3072-bit DSA key, depending on the security world ciphersuite.

The KML type depends on the Security World cipher suite. It can be one of the following:

DSA key (1024-bit or 3072-bit)
ECDSA key (on NIST P-256 or P-521)

In Security World v13.7 or later, the KML type can be selected at world creation and/or loading time using the --kml-type option with new-world.

Cmd_GetKML can be used to get a handle to its public half, and Cmd_GetModuleState and Cmd_SignModuleState can be used to retrieve the public half.

It is used to sign key generation certificates. It is in turn signed by KMC, in CertKMLaESN.

The hkml member of a NFKM_ModuleInfo structure contains the hash of KML, if the module is usable (i.e. in the right security world). The blobpubkml member of an NFKM_WorldInfo or NFKM_Key structure contains the public key blob for the KML of the module that the world or key was generated on.

Example

This example shows the retrieval of the public half of KML:

>>> print conn.transact(nfpython.Command(['GetModuleState',0,1,'attribs_present',['KML']]))
Reply.cmd= GetModuleState
     .status= OK
     .flags= 0x0
     .reply.state.attribs[0].tag= KML
                            .value.hkml= ec0acf3e 74f93c87 17b64c40 8e6525f8 7960ff6b
                                  .kmlpub.type= DSAPublic
                                         .data.dlg.p= 0xcc2d[...]
                                                  .q= 0xfccc[...]
                                                  .g= 0xa870[...]
                                                  .y= 0xa7f1[...]
                                  .mech_i= DSAhSHA256