IBM 2 Computer Hardware User Manual

Open as PDF

of 508

CCA Release 2.54

┌──────────────────────────────────┐

│Share─Administration Control Point│

3. │ │

││

│ CERT{SA}(SA) H(CERT{SA}(SA)) │

│ ───────┬──── ───┬─────────── │

│ │ │ │

└─────────│─────────│──────────────┘

││

┌────────────────────────┐ │ │ ┌────────────────────────┐

│CCA Cryptographic Engine│ │ │ │CCA Cryptographic Engine│

│(Primary = 'a') │ │ │ │('b') │

│ │ │ │ │ │

│ 1 ──── Roles, Profiles, │ Roles, Profiles,──── 1 │

│ │ m_of_n, EID│ │ m_of_n, EID │ │

│ │ │ │ │ │

│ 2 ──── Audit │ │ Audit ──── 2 │

│ │ │ │ │ │

│ 4 ──────────────────────────┴───────────────────── 4 │

│ │ │ │ │

│ 5 ────────────────┴─────────────────────────────── 5 │

│ │ │ │

│ │ Certify by SA │ │

│ │  ││  │ │

│ Gererate CSS 6 ─────────Pu{CSS}─┘ ││ │ │ │

│ │─CERT{SA}(Pu{CSS})┘│ │ │ │

│ │ │ │ │ │ │

│ │ │ │ └─Pu{CSR_i}──────── 7 Generate CSR │

│ │ │ └CERT{SA}(Pu{CSR_i})─│ │

│ ││ ││ │

│ 8 ─────┼────────────────────────────────────┘ │ │

│ │ │ │ │

│ ──────┼─Pu{CSR_i}(SE_j), │ │

│ │ │ eᑍSE_j(j,mks_j,SIG{CSS}(j,mks_j))───── 9 │

│ │ │ (m times) │ │

│ │ └────────────────────────────────────────── │

│ │ │ │

│ │ Set and Verify ──── 1 │

│ │ the master key ──── │

│ │ │ │

└────────────────────────┘ └────────────────────────┘

Figure 2-2. Coprocessor-to-Coprocessor Master-Key Cloning

Figure 2-2 depicts the steps of a master-key cloning scenario. These steps

include:

1. Install appropriate access-control roles and profiles, m-of-n, and EID values.

Have operators change their profile passwords. Ensure that the roles provide

the degree of responsibility-separation that you require.

2. Audit the setup of the Share Administration, Share Source, and Share

Receiving nodes.

3. Generate a retained RSA private key, the Share-Administration (SA) key. This

key is used to certify the public keys used in the scheme. Self-certify the SA

key. Distribute the hash of this certificate to the source and share-receiving

node(s) under dual control.

4. Install (register) the hash of the SA public-key in both the source and receiving

nodes.

5. Install (register) the SA public-key in both the source and receiving nodes. Two

different roles can be used to permit this and the prior step to aid in ensuring

dual control of the cloning process.

6. In the source node, generate a retained key usable for master-key

administration, the Coprocessor Share Signing (CSS) key, and have this key

certified by the SA key.

2-16 IBM 4758 CCA Basic Services, Release 2.54, February 2005

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

IBM 2 Computer Hardware User Manual