Module Private Keys

These aren’t module keys in the sense described previously (for instance, they are not enumerated by Cmd_GetKMList), but they are persistent keys private to the module.

KLF and KLF2 (Module Long-Term Signing Keys)

These are the module’s long-term signing keys. They are generated in the factory and fixed for the lifetime of the module (i.e. they survive reinitialization).

KLF is a 1024-bit DSA key and KLF2 is a P-521 ECDSA key.

Current HSMs use KLF2; KLF is deprecated. nShield 5s, nShield 5c, and later HSMs use KLF2.

The HasKLF and HasKLF2 bits in the EnquiryDataFour flags indicate whether these keys are present in the module.

A warrant is a certificate made in the factory which binds KLF (or KLF2) to a module’s ESN. It can be used as part of a communication protocol to assure a peer that it is talking to a particular module.

Cmd_GetKLF can be used to get a handle to the public half of KLF. Cmd_GetModuleState and Cmd_SignModuleState can be used to retrieve the public half of KLF or KLF2.

KLF is obsolete and no longer supported from nShield 5.

KML (Module Per-Initialization Signing Key)

This is a module signing key. It is generated during module initialization (and therefore destroyed when the module is reinitialized). It is a 1024-bit or 3072-bit DSA key, depending on the Security World cipher suite.

The KML type depends on the Security World cipher suite. It can be one of the following:

  • DSA key (1024-bit or 3072-bit)

  • ECDSA key (on NIST P-256 or P-521)

In Security World v13.7 or later, the KML type can be selected at world creation and/or loading time using the --kml-type option with new-world.

Cmd_GetKML can be used to get a handle to its public half, and Cmd_GetModuleState and Cmd_SignModuleState can be used to retrieve the public half.

It is used to sign key generation certificates. It is in turn signed by KMC, in CertKMLaESN.

The hkml member of a NFKM_ModuleInfo structure contains the hash of KML, if the module is usable (i.e. in the right security world). The blobpubkml member of an NFKM_WorldInfo or NFKM_Key structure contains the public key blob for the KML of the module that the world or key was generated on.

Examples

This example shows the retrieval of the public half of KLF.

>>> print(conn.transact(nfpython.Command(['GetModuleState',0,1,'attribs_present',['KLF']])))
Reply.cmd= GetModuleState
     .status= OK
     .flags= 0x0
     .reply.state.attribs[0].tag= KLF
                            .value.hklf= 761403dc de8195f1 e26e3a2d 7d666a76 30229e25
                                  .klfpub.type= DSAPublic
                                         .data.dlg.p= 0xe56e[...]
                                                  .q= 0xbac6[...]
                                                  .g= 0x1af9[...]
                                                  .y= 0x5032[...]
                                  .mech_i= DSA

This example shows the retrieval of the public half of KML:

>>> print(conn.transact(nfpython.Command(['GetModuleState',0,1,'attribs_present',['KML']])))
Reply.cmd= GetModuleState
     .status= OK
     .flags= 0x0
     .reply.state.attribs[0].tag= KML
                            .value.hkml= ec0acf3e 74f93c87 17b64c40 8e6525f8 7960ff6b
                                  .kmlpub.type= DSAPublic
                                         .data.dlg.p= 0xcc2d[...]
                                                  .q= 0xfccc[...]
                                                  .g= 0xa870[...]
                                                  .y= 0xa7f1[...]
                                  .mech_i= DSAhSHA256
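
The printed replies above drop the repeated part of each field path and rely on column alignment instead. The following is an added example, not part of the original page or of nfpython: it expands such a printed reply back into full field paths and compares the reported KLF or KML hash with one recorded earlier. The sample reply, its hash value and the function names are constructed for illustration, and the indent rule is an assumption inferred from the output shown.

```python
# Constructed sample that mirrors the reply layout shown above (hash is made up).
SAMPLE = "\n".join([
    "Reply.cmd= GetModuleState",
    " " * 5 + ".status= OK",
    " " * 5 + ".reply.state.attribs[0].tag= KML",
    " " * 28 + ".value.hkml= 00112233 44556677 8899aabb ccddeeff 01234567",
    " " * 34 + ".kmlpub.type= DSAPublic",
    " " * 41 + ".data.dlg.p= 0xcc2d[...]",
    " " * 50 + ".q= 0xfccc[...]",
    " " * 34 + ".mech_i= DSAhSHA256",
])

# Hash field names as they appear in the two replies on this page.
HASH_FIELD = {"KLF": "hklf", "KML": "hkml"}


def parse_reply(text):
    """Expand the column-aligned dump into {full.dotted.path: value}.

    Assumption: a continuation line's indent equals the length of the path
    prefix it shares with the line before it, as in the output above.
    """
    fields, prev = {}, ""
    for line in text.splitlines():
        if "= " not in line:
            continue
        key, value = line.split("= ", 1)
        indent = len(key) - len(key.lstrip(" "))
        prev = prev[:indent] + key.strip()
        fields[prev] = value.strip()
    return fields


def check_module_key(text, recorded_hash):
    """Return (tag, hash_matches, deprecated) for a single-attribute reply."""
    f = parse_reply(text)
    if f.get("Reply.status") != "OK":
        raise ValueError("module returned status %r" % f.get("Reply.status"))
    base = "Reply.reply.state.attribs[0]"
    tag = f[base + ".tag"]
    if tag not in HASH_FIELD:
        raise ValueError("unexpected attribute tag %r" % tag)
    seen = f["%s.value.%s" % (base, HASH_FIELD[tag])].replace(" ", "").lower()
    want = recorded_hash.replace(" ", "").lower()
    # The page marks KLF (1024-bit DSA) as deprecated; KML is per-initialization.
    return tag, seen == want, tag == "KLF"
```

A KML hash mismatch is expected after the module has been reinitialized, since KML is regenerated at initialization; a KLF hash is fixed for the lifetime of the module.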