6.12. Setting Up New Key Sets
This section describes setting up an alternative to the default key set in the Token Processing System (TPS) and in the Token Key Service (TKS).
- TKS configuration
- The default key set is configured in the TKS using the following options in the /var/lib/pki/instance_name/tks/conf/CS.cfg file:

    tks.defKeySet._000=##
    tks.defKeySet._001=## Axalto default key set:
    tks.defKeySet._002=##
    tks.defKeySet._003=##
    tks.defKeySet.mk_mappings.#02#01=<tokenname>:<nickname>
    tks.defKeySet._004=##
    tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
    tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
    tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
    tks.defKeySet.nistSP800-108KdfOnKeyVersion=00
    tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=false

  The configuration above defines settings specific to one type or class of tokens that can be used in the TMS. The most important entries are the three developer (out-of-the-box) session keys, auth_key, kek_key and mac_key, which are used to establish a secure channel before the symmetric key handover takes place. A different token type may ship with different default values for these keys.

  The nistSP800 settings control whether the NIST SP 800-108 key diversification method or the standard Visa method is used. Specifically, the tks.defKeySet.nistSP800-108KdfOnKeyVersion option selects the NIST method; its value is the two-digit hexadecimal key version from which that method applies, so 00 applies it to every key version. The nistSP800-108KdfUseCuidAsKdd option allows the legacy key ID value, the CUID, to be used during processing. The newer KDD value is most commonly used, so this option is disabled (false) by default.

  The same layout lets you configure a new key set to enable support for a new class of tokens.

  Example 6.2. Enabling Support for the jForte Class

  To enable support for the jForte class, set:

    tks.jForte._000=##
    tks.jForte._001=## SAFLink's jForte default key set:
    tks.jForte._002=##
    tks.jForte._003=##
    tks.jForte.mk_mappings.#02#01=<tokenname>:<nickname>
    tks.jForte._004=##
    tks.jForte.auth_key=#30#31#32#33#34#35#36#37#38#39#3a#3b#3c#3d#3e#3f
    tks.jForte.kek_key=#50#51#52#53#54#55#56#57#58#59#5a#5b#5c#5d#5e#5f
    tks.jForte.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
    tks.jForte.nistSP800-108KdfOnKeyVersion=00
    tks.jForte.nistSP800-108KdfUseCuidAsKdd=false

  Note the difference in the three static session keys compared to the default key set above.

  Certificate System supports the Secure Channel Protocol 03 (SCP03) for Giesecke & Devrient (G&D) Smart Cafe 6 smart cards. To enable SCP03 support for these smart cards in a TKS, set the following in the /var/lib/pki/instance_name/tks/conf/CS.cfg file:

    tks.defKeySet.prot3.divers=emv
    tks.defKeySet.prot3.diversVer1Keys=emv
    tks.defKeySet.prot3.devKeyType=DES3
    tks.defKeySet.prot3.masterKeyType=DES3
- TPS configuration
- The TPS must be configured to recognize the new key set when a supported client attempts to perform an operation on a token. The default defKeySet is used most often.

  The primary method of determining the keySet in the TPS is the KeySet Mapping Resolver described in Section 6.7, “Mapping Resolver Configuration”. See that section for the exact settings needed to establish the resolver.

  If the KeySet Mapping Resolver is not present, the TPS falls back to the following methods to determine the correct keySet:

  - Add the line tps.connector.tks1.keySet=defKeySet to the CS.cfg configuration file of the TPS, with the value set to the name of the key set the TKS should use (defKeySet in this case).
  - Certain clients can be configured to pass the desired keySet value explicitly. The Enterprise Security Client does not have this ability at this point.

  Whichever method the TPS uses to determine the keySet, every request it sends to the TKS to help create a secure channel carries the keySet value as well. The TKS then uses its own keySet configuration (described above) to decide how to proceed.
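A check that ties the two halves of this section together, added here as an example and not part of Certificate System or its documentation: it parses the tks.<keySet>.* entries from a TKS CS.cfg, decodes the #xx-encoded session keys, flags key sets that still carry the published GlobalPlatform test key (40 41 ... 4f) or lack a master-key mapping, and then confirms that the keySet named by tps.connector.tks1.keySet in the TPS CS.cfg actually exists in the TKS. The configuration excerpts are constructed from the values shown on this page; the mk_mappings targets and the fallback to defKeySet when the TPS option is absent are assumptions.

```python
"""Sanity-check TKS key-set entries and the TPS keySet that refers to them."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in CS.cfg key=value form. Key bytes are the ones from the
# page; the mk_mappings targets are placeholders (assumption).
TKS_CS_CFG = """\
tks.defKeySet._001=## Axalto default key set:
tks.defKeySet.mk_mappings.#02#01=internal:new_master
tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.nistSP800-108KdfOnKeyVersion=00
tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=false
tks.jForte._001=## SAFLink's jForte default key set:
tks.jForte.mk_mappings.#02#01=internal:jforte_master
tks.jForte.auth_key=#30#31#32#33#34#35#36#37#38#39#3a#3b#3c#3d#3e#3f
tks.jForte.kek_key=#50#51#52#53#54#55#56#57#58#59#5a#5b#5c#5d#5e#5f
tks.jForte.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.jForte.nistSP800-108KdfOnKeyVersion=00
tks.jForte.nistSP800-108KdfUseCuidAsKdd=false
"""

# Constructed TPS fallback setting (the page's second method).
TPS_CS_CFG = "tps.connector.tks1.keySet=jForte\n"

# GlobalPlatform's published test key: fine on developer cards, never in production.
GP_TEST_KEY = bytes(range(0x40, 0x50))
SESSION_KEYS = ("auth_key", "kek_key", "mac_key")
KEY_RE = re.compile(r"^(#[0-9a-fA-F]{2})+$")


def parse_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg lines of the form key=value; the first '=' splits."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def decode_key(value: str) -> bytes:
    """Turn the '#40#41...' notation into raw bytes; reject anything else."""
    if not KEY_RE.match(value):
        raise ValueError(f"not a #xx-encoded key: {value!r}")
    return bytes(int(h, 16) for h in value[1:].split("#"))


def key_sets(cfg: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group tks.<name>.<field> entries by key-set name."""
    sets: Dict[str, Dict[str, str]] = {}
    for key, value in cfg.items():
        parts = key.split(".", 2)
        if len(parts) == 3 and parts[0] == "tks":
            sets.setdefault(parts[1], {})[parts[2]] = value
    return sets


def check_key_set(ks: Dict[str, str], name: str) -> List[str]:
    """Return findings for one key set; an empty list means nothing to flag."""
    findings: List[str] = []
    decoded: Dict[str, bytes] = {}
    for field in SESSION_KEYS:
        if field not in ks:
            findings.append(f"{name}: missing {field}")
            continue
        try:
            key = decode_key(ks[field])
        except ValueError as err:
            findings.append(f"{name}: {field} {err}")
            continue
        if len(key) != 16:  # two-key 3DES, as the DES3 key types above imply
            findings.append(f"{name}: {field} is {len(key)} bytes, expected 16")
        if key == GP_TEST_KEY:
            findings.append(f"{name}: {field} is the GlobalPlatform test key")
        decoded[field] = key
    if len(decoded) == 3 and len(set(decoded.values())) == 1:
        findings.append(f"{name}: auth/kek/mac keys are identical")
    if not any(f.startswith("mk_mappings.") for f in ks):
        findings.append(f"{name}: no mk_mappings entry, no master key to derive from")
    version = ks.get("nistSP800-108KdfOnKeyVersion")
    if version is None or not re.fullmatch(r"[0-9a-fA-F]{2}", version):
        findings.append(f"{name}: nistSP800-108KdfOnKeyVersion missing or not a 2-digit hex version")
    return findings


def check_tps_keyset(tps_cfg: Dict[str, str], tks_cfg: Dict[str, str],
                     connector: str = "tks1") -> Tuple[str, bool]:
    """The keySet the TPS sends to the TKS must exist in the TKS configuration."""
    name = tps_cfg.get(f"tps.connector.{connector}.keySet", "defKeySet")  # default assumed
    return name, name in key_sets(tks_cfg)


if __name__ == "__main__":
    tks = parse_cfg(TKS_CS_CFG)
    for ks_name, ks in key_sets(tks).items():
        for finding in check_key_set(ks, ks_name) or [f"{ks_name}: ok"]:
            print(finding)
    print(check_tps_keyset(parse_cfg(TPS_CS_CFG), tks))
```

Run against the real files by replacing the two constructed strings with the contents of the TKS and TPS CS.cfg. A key set that still reports the GlobalPlatform test key, or a TPS keySet with no matching tks.<name>.* section, is the kind of mismatch that shows up later as a failed secure-channel setup.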