Common Criteria CMTS Mode Assigned Keys (nShield Solo XC)

Common Criteria CMTS mode includes the concepts of Assigned Keys and General Keys, as defined in EN 419 221-5.

Assigned Keys provide for more restrictive controls which are enforced with ACLs. An Assigned Key is a secret key with a Key Generation Certificate and with the ACL configuration defined in nShield Solo XC Common Criteria Evaluated Configuration Guide, specifically:

  • The Reauthorization conditions and Key Usage attributes cannot be changed.

  • The Authorisation Data attribute can only be changed by presentation of the current Authorisation Data, it cannot be changed or reset by an Administrator.

  • The key cannot be exported by wrapping with another key.

  • The key must be generated. It cannot be imported.

These properties of an Assigned Key enable the sole control that’s required for a secret key used to create a digital signature.

A General Key is one that does not meet the criteria for an Assigned Key.

For both Assigned and General Keys in a Common Criteria CMTS Security World it is not possible to export or import as plain text. This is enforced by the HSM.

The ACL configuration defining an Assigned Key is described in the nShield Solo XC Common Criteria Evaluated Configuration Guide. Determination of the Assigned status of a key uses the nfkmverify utility and the Key Generation certificate recorded in the key when it was created.

The generatekey and mkaclx utilities have been enhanced to offer support for generating Assigned Keys, see Key generation options and parameters for generatekey and the online help for mkaclx.