
Key Authorization Key

A private key is uniquely linked to a dedicated RSA Key Authorization Key (KAK) and can only be used after it has been authorized by a dedicated user, who is also the key owner. The key owner is in possession of the private part of the KAK.

The KAK can be generated by using the csadm GenKey command or any other key generating tool. It can be stored in a key file, or in a hardware security module or smart card.

Info: The minimum size of the KAK is 2048 bit.

The public part of the KAK is used as Key Reference Authorization Data (KRAD) for verifying any attempt to authorize a private key. Prior to authorizing the key, a key authorization challenge is requested. The key is authorized by sending the Key Verification Authorization Data (KVAD), which is a signature calculated with the private part of the KAK over the challenge data. For the signature verification, the CryptoServer CP5 uses the public part of the KAK (KRAD) linked to the corresponding private key.

The KAK is required to re-authorize the private key after each CryptoServer CP5 restart and after the maximum number of operations has been exceeded (this limit may be set to unlimited). CryptoServer CP5 allows changing the KAK for a given private key.

Private key states

Each private key has the following possible states:

  • generated
  • initialized
  • authorized
  • blocked

Initialization and authorization of the key must be confirmed by the proper KAK.
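The challenge/KVAD exchange described above and the four key states listed here, modelled end to end with both sides of the exchange (key owner and HSM). This is an added example, not Utimaco code and not the CP5 API: CP5KeyStore, generate_kak, compute_kvad, verify_kvad and demo are hypothetical names. The RSA is textbook RSA over a SHA-256 digest with a constructed 512-bit modulus purely so the example runs offline in under a second, whereas a real KAK must be at least 2048 bit and uses a standard signature scheme. The page gives no rule for when a key becomes blocked, so blocking after three failed KVAD verifications is an assumption, and the operation limit of 2 is a constructed value.

```python
"""Constructed model of the CP5 key-authorization flow (KAK, KRAD, challenge,
KVAD) and the private-key state machine. Not Utimaco's code."""
import hashlib
import secrets

# Minimal RSA so the example runs offline: textbook RSA over a SHA-256 digest
# with a 512-bit modulus for speed. A real CP5 uses a standard RSA signature
# scheme and requires a KAK of at least 2048 bit.
def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                     # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(p):
            return p

def generate_kak(bits: int = 512):
    """Return (KRAD = public KAK (n, e), private KAK (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def compute_kvad(priv_kak, challenge: bytes) -> int:
    """Key owner side: KVAD = signature over the challenge with the private KAK."""
    n, d = priv_kak
    return pow(int.from_bytes(hashlib.sha256(challenge).digest(), "big"), d, n)

def verify_kvad(krad, challenge: bytes, kvad: int) -> bool:
    """HSM side: check the KVAD against the public KAK stored as KRAD."""
    n, e = krad
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
    return 0 < kvad < n and pow(kvad, e, n) == h

class CP5KeyStore:
    """Private-key states: generated -> initialized -> authorized, plus blocked."""
    def __init__(self):
        self.keys = {}

    def generate_key(self, name, krad, max_ops=None):
        # The new private key is linked to the public part of its KAK (KRAD).
        self.keys[name] = {"state": "generated", "krad": krad, "max_ops": max_ops,
                           "ops": 0, "challenge": None, "failures": 0}

    def request_challenge(self, name) -> bytes:
        k = self.keys[name]
        if k["state"] == "blocked":
            raise PermissionError("key is blocked")
        k["challenge"] = secrets.token_bytes(32)    # fresh nonce per attempt
        return k["challenge"]

    def _confirm(self, name, kvad, from_state, to_state) -> bool:
        k = self.keys[name]
        ch, k["challenge"] = k["challenge"], None   # single use: no replay
        if k["state"] != from_state or ch is None:
            return False
        if not verify_kvad(k["krad"], ch, kvad):
            k["failures"] += 1
            if k["failures"] >= 3:      # assumption: the page gives no block rule
                k["state"] = "blocked"
            return False
        k["state"], k["ops"], k["failures"] = to_state, 0, 0
        return True

    def initialize(self, name, kvad) -> bool:
        return self._confirm(name, kvad, "generated", "initialized")

    def authorize(self, name, kvad) -> bool:
        return self._confirm(name, kvad, "initialized", "authorized")

    def use_key(self, name) -> bool:
        """One private-key operation; only an authorized key may perform it."""
        k = self.keys[name]
        if k["state"] != "authorized":
            return False
        if k["max_ops"] is not None and k["ops"] >= k["max_ops"]:
            k["state"] = "initialized"      # limit exceeded: re-authorize with KAK
            return False
        k["ops"] += 1
        return True

    def restart(self):
        """After a CryptoServer restart every authorized key needs the KAK again."""
        for k in self.keys.values():
            if k["state"] == "authorized":
                k["state"] = "initialized"

def demo() -> list:
    """Run the full flow; returns the key state observed after each step."""
    krad, priv_kak = generate_kak()
    hsm, trace = CP5KeyStore(), []
    hsm.generate_key("signkey", krad, max_ops=2)        # constructed limit
    trace.append(hsm.keys["signkey"]["state"])          # generated
    hsm.initialize("signkey", compute_kvad(priv_kak, hsm.request_challenge("signkey")))
    trace.append(hsm.keys["signkey"]["state"])          # initialized
    hsm.authorize("signkey", compute_kvad(priv_kak, hsm.request_challenge("signkey")))
    trace.append(hsm.keys["signkey"]["state"])          # authorized
    for _ in range(3):                                  # third use exceeds the limit
        hsm.use_key("signkey")
    trace.append(hsm.keys["signkey"]["state"])          # initialized again
    return trace
```

Two details matter for a defender: the challenge is consumed on the first confirmation attempt, so a captured KVAD cannot be replayed against a later challenge, and the private KAK never reaches the HSM, only the signature over its nonce does.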

KAK generation

This is a sample KAK generation using the csadm tool of the CryptoServer CP5:

csadm GenKey=TestKAK.key,2048,TestKAK

You can find more details on how to use the csadm tool in the CryptoServer CP5 Administration Manual.