Robustness
Cryptography must work 24 hours a day, 7 days a week, in a production environment. If something does go wrong, you must be able to recover without compromising your security. A Security World offers all of these features.
Backup and recovery
The Security World data stored on the file system and remote file system of a network-attached HSM or the host of a PCIe or USB HSM is encrypted using the Security World key.
You should regularly back up the data stored in the Key Management Data directory with your normal backup procedures. It would not matter if an attacker obtained this data because it is worthless without the Security World key, stored in your hardware security module, and the Administrator cards for that Security World.
When you create a Security World, it automatically creates recovery data for the Security World key. As with all host data, this is encrypted with the same type of key as the Security World key. The cryptographic keys that protect this data are stored in the ACS. The keys are split among the cards in the ACS using the same K/N mechanism as for an OCS. The ACS protects several keys that are used for different operations.
The cards in the ACS are only used for recovery and replacement operations and for adding extra hardware security modules to a Security World. At all other times, you must store these cards in a secure environment.
| In FIPS 140 Level 3 Security Worlds, the ACS or an OCS is needed to control many operations, including the creation of keys and OCSs. |
Replacing a hardware security module
If you have a problem with an HSM, you can replace it with another hardware security module of the same type by:
-
Network-attached HSMs: loading the Security World data on the remote file system onto the replacement device.
Alternatively, you may be able to erase the Security World from the device that has the problem, return the device to its default state and then reload the Security World on the same device. -
PCIe and USB HSMs: using the ACS and the recovery data to load the Security World key securely.
Use the same mechanism to reload the Security World key if you need to upgrade the firmware in the hardware security module or if you need to add extra hardware security modules to the Security World.
If you have more than one hardware security module on your system or configured with a client and you use one of the load-sharing modes identified above, then your system or client application is resilient to the failure of individual hardware security modules.
If you use HSM Pool mode, then an nShield network-attached HSM can be replaced and returned to the HSM pool without restarting the client application.
For information about replacing a hardware security module, see Adding or restoring an HSM to the Security World.
Replacing the Administrator Card Set
If you lose one of the smart cards from the ACS, or if the card fails, you must immediately create a replacement set using one of the following methods:
-
The front panel controls of an nShield network-attached HSM.
-
The KeySafe Replace Administrator Card Set option.
-
The
racsutility (see racs).
| You should also use one of these methods to migrate the ACS from standard nShield cards to nShield Remote Administration Cards. Authorization needs to take place using the local slot of an HSM. |
When using the racs utility, you cannot redefine the quantities in a K of N relationship for an ACS.
The K of N relationship defined in the original ACS persists in the new ACS.
|
A hardware security module does not store recovery data for the ACS. Provided that K is less than N for the ACS, and you have at least K cards available, a hardware security module can re-create all the keys stored on the device even if the information from other cards is missing.
The loss or failure of one of the smart cards in the ACS means that you must replace the ACS. However, you cannot replace the ACS unless you have:
-
The required number of current cards
-
Access to their passphrases.
| Although replacing the ACS deletes the copy of the recovery data on your host, you can still use the old ACS with the old host data, which you may have stored on backup tapes and other hosts. To eliminate any risk this may pose, we recommend erasing the old ACS as soon as you create a new ACS. |
Replacing an Operator Card Set or recovering keys to softcards
If you lose an Operator Card, you lose all the keys that are protected by that card. To prevent this, you have the option to store a second copy of the working key that the recovery key protects in a Security World. Similarly, you can recover keys protected by one softcard to another softcard.
| The ability to replace an OCS is an option that is enabled by default during Security World creation (see OCS and softcard replacement). You can only disable the OCS replacement option during the Security World creation process. You cannot restore the OCS replacement option, or disable this option, after the creation of the Security World. |
| You can only recover keys protected by an OCS to another OCS, and not to a softcard. Likewise, you can only recover softcard-protected keys to another softcard, and not to an OCS. |
Network-attached HSMs: To create new copies of the keys protected by the recovery key on an OCS, you can use either:
-
The front panel controls of the nShield HSM
-
The
rocscommand-line utility.
It is not possible to recover PKCS #11 keys using the front panel controls of the nShield HSM.
You must use the rocs command-line utility.
|
PCIe and USB HSMs:
To create new copies of the keys protected by the recovery key on a given card set, and to recover keys protected by one softcard to another softcard, use the rocs command-line utility.
The security of recovery and replacement data
Replacing OCSs and softcards requires authorization. To prevent the duplication of an OCS or a softcard without your knowledge, the recovery keys are protected by the ACS.
However, there is always some extra risk attached to the storage of any key-recovery or OCS and softcard replacement data. An attacker with the ACS and a copy of the recovery and replacement data could re-create your Security World. If you have some keys that are especially important to protect, you may decide:
-
To issue a new key if you lose the OCS that protects the existing key
-
Turn off the recovery and replacement functions for the Security World or the recovery feature for a specific key.
You can only generate recovery and replacement data when you create the Security World or key. If you choose not to create recovery and replacement data at this point, you cannot add this data later. Similarly, if you choose to create recovery and replacement data when you generate the Security World or key, you cannot remove it securely later.
If you have not allowed recovery and replacement functionality for the Security World, then you cannot recover any key in the Security World (regardless of whether the key itself was created as recoverable).
The recovery data for application keys is kept separate from the recovery data for the Security World key. The Security World always creates recovery data for the Security World key. It is only the recovery of application keys that is optional.