Keymaster is a component for private keys in a public key infrastructure. It generates, imports and exports keys and supports both key recovery and remote operations in a highly configurable manner. Almost any security concept can be implemented through rights management.
The private key of a user in a public key infrastructure (PKI) is usually stored on the user's smart card or PC. Since this private key belongs to the user and may only be used by that user, it is usually neither necessary nor useful to store it on a server (unlike a public key, which is usually included in a digital certificate and is intended for the public).
However, there are two use cases in which a private key has to be stored centrally. The first arises when the operator of a PKI wants to enable the recovery of lost keys (key recovery). Key recovery is often required especially when encrypting files and e-mails – for many companies and authorities it is unacceptable that data is no longer available after the loss of a key (for digital signatures, VPN encryption and many other applications, on the other hand, no key recovery is necessary because it is sufficient to issue a new key). In a PKI that is to be approved for VS-NfD information, it must naturally be checked whether key recovery is compatible with the corresponding security requirements.
The second common case in which a private key is stored centrally is so-called key roaming. Key roaming means that the user does not carry the private key around (on a smart card or hard disk), but downloads it via an online connection as soon as it is needed. Key roaming is a particularly user-friendly solution because it allows users to use their private key on different computers without having to carry it with them.
A further use case is remote key: several users use the same private key (e.g. in a group mailbox). The group key does not leave the key server; instead, all private key operations are performed on the key server.
It is clear that centrally stored private keys for key recovery and key roaming must be well protected (e.g. with an HSM), as otherwise considerable security problems arise. In addition to precisely defined processes, there must therefore be a special component for storing and providing the keys that provides appropriate access protection. Such a component is called a key server.
Keymaster from cryptovision is a software for operating a key server for private keys in a public key infrastructure. Keymaster supports key recovery, remote key and key roaming in a highly configurable way. Almost any security concept can be implemented. For example, key recovery can be set up with particularly high security hurdles (e.g. mutual security), or with a more pragmatic recovery process in which the administrator alone decides whether a particular key is to be recovered.
Accordingly, there are also various options for key roaming and remote key. For example, the user can be granted access to the private key after entering a password, but it is also possible to provide for smartcard authentication (this is usually only useful for group keys, otherwise the private key can also be stored directly on the smartcard).
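The three access modes described above (remote key, key roaming, key recovery with several administrators) can be illustrated with a small key-server model. The code below is an added example and is not cryptovision's Keymaster code; it assumes a toy setting in which the "private key" is a 32-byte HMAC secret, signing is HMAC-SHA256, and a password-based wrap (PBKDF2 plus an HMAC-derived keystream with an encrypt-then-MAC tag) stands in for an HSM key wrap. The names `KeyServer`, `wrap_key`, `unwrap_key`, the `quorum` parameter and the iteration count are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune for the deployment)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def wrap_key(password: str, key: bytes) -> bytes:
    """Wrap a 32-byte key under a password: PBKDF2 wrapping key, HMAC-derived keystream
    XORed over the key, then an encrypt-then-MAC tag (toy stand-in for AES-KW/GCM)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    wk = _derive(password, salt)
    stream = hmac.new(wk, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(wk, b"mac" + salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_key(password: str, blob: bytes) -> bytes:
    """Reverse of wrap_key; rejects a wrong password or a modified blob before decrypting."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:64], blob[64:]
    wk = _derive(password, salt)
    expected = hmac.new(wk, b"mac" + salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered key blob")
    stream = hmac.new(wk, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def is_denied(call) -> bool:
    """Helper for exercising the policy: True if the call raises PermissionError."""
    try:
        call()
    except PermissionError:
        return True
    return False


class KeyServer:
    """Constructed model of a key server (hypothetical, not the product's implementation)."""

    def __init__(self, admins):
        self._admins = set(admins)
        self._keys = {}        # key_id -> raw key bytes (in practice: inside the HSM)
        self._policy = {}      # key_id -> {"users", "quorum", "pw_salt", "pw_hash"}
        self._approvals = {}   # key_id -> set of admins who approved a recovery
        self.audit = []        # (operation, key_id, principal, decision)

    def generate(self, key_id, users, roaming_password, quorum=2):
        salt = secrets.token_bytes(16)
        self._keys[key_id] = secrets.token_bytes(32)
        self._policy[key_id] = {"users": set(users), "quorum": quorum,
                                "pw_salt": salt, "pw_hash": _derive(roaming_password, salt)}
        self._approvals[key_id] = set()

    def _authorize(self, key_id, user, op):
        ok = user in self._policy[key_id]["users"]
        self.audit.append((op, key_id, user, "allow" if ok else "deny"))
        if not ok:
            raise PermissionError(f"{user} may not {op} {key_id}")

    # Remote key: only the result of the operation leaves the server, never the key.
    def remote_sign(self, key_id, user, message: bytes) -> bytes:
        self._authorize(key_id, user, "sign")
        return hmac.new(self._keys[key_id], message, hashlib.sha256).digest()

    # Key roaming: after password authentication the key is handed out wrapped
    # under that same password, so the downloaded blob is useless without it.
    def roam_download(self, key_id, user, password: str) -> bytes:
        self._authorize(key_id, user, "roam")
        p = self._policy[key_id]
        if not hmac.compare_digest(_derive(password, p["pw_salt"]), p["pw_hash"]):
            self.audit.append(("roam", key_id, user, "bad-password"))
            raise PermissionError("password rejected")
        return wrap_key(password, self._keys[key_id])

    # Key recovery with a quorum: 'quorum' distinct administrators must approve before
    # the key is released, and the release is wrapped for the recipient. quorum=1 gives
    # the pragmatic "administrator alone decides" process.
    def approve_recovery(self, key_id, admin) -> int:
        if admin not in self._admins:
            raise PermissionError(f"{admin} is not an administrator")
        self._approvals[key_id].add(admin)
        self.audit.append(("approve-recovery", key_id, admin, "allow"))
        return len(self._approvals[key_id])

    def recover(self, key_id, admin, export_password: str) -> bytes:
        needed = self._policy[key_id]["quorum"]
        if admin not in self._admins or len(self._approvals[key_id]) < needed:
            self.audit.append(("recover", key_id, admin, "deny"))
            raise PermissionError(f"recovery needs {needed} distinct approvals")
        self._approvals[key_id].clear()   # approvals are single-use
        self.audit.append(("recover", key_id, admin, "allow"))
        return wrap_key(export_password, self._keys[key_id])
```

The point of the model is the policy boundary: a signing user never sees key material, a roaming user only ever receives a blob bound to their own password, and recovery is released only after the configured number of different administrators has approved, with every decision (including denials) written to the audit list. In a real deployment the raw key dictionary would be the HSM, and the wrap would be the HSM's own key-wrapping mechanism.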
Keymaster is thus a solution that increases the practicality and user friendliness of a public key infrastructure.
- Secure and easy-to-use key recovery and key roaming
- Access to private keys can be protected in different ways
- Crypto operations can run on Keymaster