KEYBRIDGE 3100 Platform - SOLUTION OVERVIEW

© 2018 GEOBRIDGE Corporation

CONTACT INFORMATION GEOBRIDGE Corporation 20110 Ashbrook Place Suite #125 Ashburn, Virginia 20147 +1 (571) 799-0130 [email protected] www.geobridge.net

© Copyright 2005-2018 GEOBRIDGE Corporation. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express prior written consent of GEOBRIDGE Corporation.

GEOBRIDGE Corporation makes no license or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of fitness for any particular purpose. Please read the software license agreement associated with this product prior to use. GEOBRIDGE Corporation reserves the right to revise this publication and to make changes to its contents at any time without notice. Neither GEOBRIDGE Corporation nor its agents accepts any kind of loss resulting from the use of this document or improper use of the KeyBRIDGE product.

GEOBRIDGE, KeyBRIDGE, KeyBRIDGE eKMS, KeyBRIDGE POI, KeyBRIDGE RKL, ARCK and KeyBRIDGE Key Management Appliance are trademarks of GEOBRIDGE Corporation. Thales is a trademark of Thales e-Security. HP and Atalla are trademarks of the Hewlett Packard Company. Utimaco is a registered trademark of Utimaco GmbH. SafeNet is a registered trademark of Gemalto. Microsoft and Windows are registered trademarks of the Microsoft Corporation. Other Microsoft products are registered trademarks or trademarks of the Microsoft Corporation. Other trademarks may exist which are not explicitly noted here and they remain registered to the appropriate organizations.

INTRODUCTION

The KeyBRIDGE 3100 appliance is a turnkey solution that serves as a centralized key management platform for the secure storage and exchange of cryptographic keys. KeyBRIDGE provides local and remote key loading capabilities and integrates with third party Host Security Modules (HSMs), providing key generation, import and export functions together with full key lifecycle tracking and rich automated audit features. KeyBRIDGE supports compliant key management while maintaining an easy-to-use graphical interface. Built as a TRSM around an internal FIPS 140-2 Level 3 HSM, KeyBRIDGE uses true hardware-based encryption and stringent dual control features to establish a secure and compliant key management solution.

KEY PRODUCT FEATURES

Easy to navigate Graphical User Interface for local console access.

Simple JSON Schema RESTful API (ARCK™) – API for Remote Central Key Management.

Enforcement of key separation through the use of dedicated key custodian groups.

Key management support for all TR-31 Key Usage types and optional custom key types and attributes.

Key Import & Export available with third party Host Security Module (HSM) master key and/or ZMK encryption.

Secure key entry, with optional SCD component entry.

Supports generation, import and storage of double and triple length TDES keys, as well as AES 128, 192 & 256-bit keys.

Integrated key bundling - import and export of keys in commonly-adopted key block formats.

DUKPT, Master/Session and EMV key-loading support for over 300 unique payment devices, including key erasure.

Detailed Key Inventory – Track generation, import, export, termination details and optional key expiration dates.

Full life-cycle key management tracks all instances of imported and exported keys; key history is maintained even if the key has been terminated and removed from the system.

Hierarchical user administration. Dual-control required for all sensitive operations.

Extensive audit logging tracks all functional key management activities and access.

Customizable interface for Remote Key Loading (RKL) capabilities.

Secure secret data storage provides a “virtual safe” for sensitive data like passwords, combinations, key components, and door codes.

Configurable network settings enable access to shared network storage for secure file storage and access.

Configurable automated daily backup function.

Designed to ensure compliance with:

o ANS X9.24-2017: Parts 1, 2 & 3 (AES DUKPT)

o ANS X9.8: Personal Identification Number Management and Security

o ANS/X9.TR.39-2009: TG-3 Retail Financial Services Compliance Guideline Part 1: PIN Security and Key Management

o ANS X9 TR-31 2010: Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms

o ANS X9.97-2009: Financial Services – Secure Cryptographic Devices (Retail) Part 1: Concepts, Requirements and Evaluation Methods

o ANS X9.52-1998: Triple Data Encryption Algorithm Modes of Operation

o ANS X9 TR-34 Asymmetric Distribution of Keys

o ISO 9564: Banking – Personal Identification Number Management and Security

o ISO 13491-1: Banking – Secure Cryptographic Devices (Retail), Part 1 Concepts, Requirements and Evaluation methods

o Payment Card Industry PIN 2.0 Security Requirements

o FIPS 140-2: Security Requirements for Cryptographic Modules, Security Level 3

PRODUCT BENEFITS

Enables secure storage and access of sensitive keying material within a single, centralized location.

Organize keys, keying materials and sensitive data by creating a logical relationship structure for more compliant handling.

Integrates with third party HSMs, including Thales, SafeNet, Utimaco and HP Atalla. This integration allows users to perform key management activities through the KeyBRIDGE GUI as well as the ARCK™ API (JSON Schema RESTful API), streamlining operational efficiency.

Secure, remote key distribution enables organizations to load keys or new keys to deployed Point of Sale terminals and other SCD endpoints without having to remove them from service.

De-clutter safes of paper and other keying materials including PINs, passwords, IVs, safe combinations, or other sensitive metadata with the built-in secure secret data storage protected under custodial control.

Offers built-in dual control functions and backup and recovery tools that, in the event of a disaster, allow an entire system to be restored in minutes.

Automates activity tracking within the system, capturing key activity details, and user activity, as well as comprehensive audit logging of all sensitive functions.

Physically secure enclosure – opening the enclosure automatically erases the entire system.

PRODUCT SUPPORT

8x5 standard support with optional 24x7 extended support.

Dedicated and knowledgeable U.S. based support team comprised of Level 1 and Level 2 Engineers, Crypto Developers, and Crypto Consultants.

Tailored customer training to ensure end users are well-equipped to use the product and all of its features.

The KeyBRIDGE platform is built on customer feedback, standards and our agile development environment which is based on the requirements of the user community.

OVERVIEW OF PRODUCTS

The KeyBRIDGE appliance is offered in three configurations: KeyBRIDGE eKMS and KeyBRIDGE POI, which includes Direct Connect and RKL.

KEYBRIDGE Enterprise Key Management System™ (eKMS)

KeyBRIDGE eKMS enables organizations to securely manage and store all keys and sensitive data for the entire enterprise in a single, centralized location. By enabling integration of HSMs from manufacturers including Thales, SafeNet, Utimaco and HP Atalla, organizations can perform key management functions through a single, easy-to-use interface, via either the local console or the RESTful API.

The ARCK™ API is a unique Bi-Directional RESTful API service allowing client requests to KeyBRIDGE, but also enabling KeyBRIDGE to distribute keys and associated data to designated endpoints. The ARCK™ API enables a broad range of functions categorized as Global, Administrative, Key Management, Audit Management, and Custom-Specific.

Additional built-in features such as enforcement of dual control, split knowledge and role-based access, and automated logging dramatically streamline all key ceremonies and key management activities.

Users are able to generate, import and export keys quickly and efficiently through the KeyBRIDGE interface. KeyBRIDGE’s centralized key management allows for tracking of key details in a single location. Keys may be exported under the HSM master key or shared Zone Master Keys (ZMKs)/Key Encrypting Keys (KEKs), saving organizations valuable time and resources by reducing the scope of time-consuming key ceremonies.

Management of the HSMs is performed within the KeyBRIDGE interface, allowing users to add and connect additional HSMs, as well as view and manage existing HSMs within their environment. Multiple HSMs from any manufacturer can be linked to KeyBRIDGE, as well as logical endpoint applications needing to utilize keys or materials for use on specific HSMs.

KEYBRIDGE Point of Interaction™ (POI)

Direct Connect

KeyBRIDGE Direct Connect caters to organizations that deploy Point-of-Interaction terminals and/or perform key distribution. Over 300 unique Point-of-Interaction terminals are supported, including VeriFone, Ingenico, Equinox, Miura, Poynt and ID Tech products. Organizations can quickly and efficiently load keys and applicable files, security settings, etc. to Point-of-Sale terminals, as well as perform key erasure for previously deployed terminals.

Like all KeyBRIDGE products, robust key management tools allow users to generate, import and export keys from one central location. Users may import and export keys via clear key components with system-enforced validation of dual control and split knowledge. Keys may also be imported or exported as cryptograms or key blocks. KeyBRIDGE supports all TR-31 defined key usages. Additionally, users may define custom key usages to support key types unique to their environment.
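The TR-31 attributes referred to here and in the Key Management section (key usage, mode of use, exportability) travel in the 16-character key block header. The parser below is an added example and is not KeyBRIDGE code: it decodes the public TR-31 header layout and any optional blocks, then answers the two questions a key store has to enforce, which operations the key may be used for and whether it may be exported at all. The code tables are a subset of the values TR-31 defines; the two sample blocks are constructed with dummy cryptogram and MAC hex so that the declared lengths are consistent but nothing in them decrypts.

```python
"""Parse TR-31 key block headers and evaluate usage and exportability.

Added illustration, not KeyBRIDGE code. The field layout is the public TR-31
header format; the sample blocks are constructed and carry dummy payload hex.
"""
from dataclasses import dataclass, field

# Attribute code tables (a subset of the values TR-31 defines).
KEY_USAGE = {
    "B0": "base derivation key (DUKPT)",
    "D0": "symmetric data encryption key",
    "K0": "key encryption or wrapping key (KEK / ZMK)",
    "P0": "PIN encryption key",
    "M3": "ISO 16609 MAC algorithm 3 key",
}
ALGORITHM = {"A": "AES", "D": "DES", "E": "elliptic curve", "H": "HMAC", "R": "RSA", "T": "TDES"}
# Mode of use maps to the set of operations the key may perform.
MODE_OF_USE = {
    "B": {"encrypt", "decrypt"}, "C": {"mac_generate", "mac_verify"},
    "D": {"decrypt"}, "E": {"encrypt"}, "G": {"mac_generate"},
    "N": {"encrypt", "decrypt", "mac_generate", "mac_verify", "sign", "derive"},
    "S": {"sign"}, "V": {"mac_verify"}, "X": {"derive"},
}
EXPORTABILITY = {
    "E": "exportable under a trusted key",
    "N": "non-exportable",
    "S": "sensitive: exportable under any key-encrypting key",
}


@dataclass
class Tr31Header:
    version: str          # A/B/C/D: key block protection method
    block_length: int     # total key block length in characters
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: dict = field(default_factory=dict)


def parse_tr31_header(block: str) -> Tr31Header:
    """Parse the 16-character header and the optional blocks that follow it."""
    if len(block) < 16:
        raise ValueError("key block is shorter than the 16-character header")
    version = block[0]
    if version not in "ABCD":
        raise ValueError(f"unknown key block version {version!r}")
    if not block[1:5].isdigit() or int(block[1:5]) != len(block):
        raise ValueError("declared block length does not match the data")
    hdr = Tr31Header(
        version=version,
        block_length=int(block[1:5]),
        key_usage=block[5:7],
        algorithm=block[7],
        mode_of_use=block[8],
        key_version=block[9:11],
        exportability=block[11],
    )
    for value, table, name in ((hdr.key_usage, KEY_USAGE, "key usage"),
                               (hdr.algorithm, ALGORITHM, "algorithm"),
                               (hdr.mode_of_use, MODE_OF_USE, "mode of use"),
                               (hdr.exportability, EXPORTABILITY, "exportability")):
        if value not in table:
            raise ValueError(f"unsupported {name} code {value!r}")
    if block[14:16] != "00":
        raise ValueError("reserved field must be '00'")
    # Optional blocks: 2-char ID, 2-hex-digit total length, then the data.
    pos = 16
    for _ in range(int(block[12:14])):
        opt_id = block[pos:pos + 2]
        opt_len = int(block[pos + 2:pos + 4], 16)
        if opt_len < 4 or pos + opt_len > len(block):
            raise ValueError(f"optional block {opt_id!r} has an invalid length")
        hdr.optional_blocks[opt_id] = block[pos + 4:pos + opt_len]
        pos += opt_len
    return hdr


def export_allowed(hdr: Tr31Header) -> bool:
    """The exportability attribute decides whether the key may leave the store."""
    return hdr.exportability != "N"


def permits(hdr: Tr31Header, operation: str) -> bool:
    """Mode of use restricts the key to specific operations."""
    return operation in MODE_OF_USE[hdr.mode_of_use]


# Constructed samples: dummy payload/MAC hex, lengths made consistent.
# Version B TDES PIN key, encrypt-only, non-exportable, no optional blocks.
SAMPLE_PIN_KEY = "B0080P0TE00N0000" + "0123456789ABCDEF" * 4
# Version D AES KEK, encrypt+decrypt, sensitive/exportable, KS and PB optional blocks.
SAMPLE_KEK = ("D0176K0AB00S0200" + "KS1800604B120F9292800000" + "PB080000"
              + "0123456789ABCDEF" * 6 + "FEDCBA9876543210" * 2)

if __name__ == "__main__":
    for sample in (SAMPLE_PIN_KEY, SAMPLE_KEK):
        h = parse_tr31_header(sample)
        print(h.key_usage, KEY_USAGE[h.key_usage], EXPORTABILITY[h.exportability],
              "export allowed:", export_allowed(h), h.optional_blocks)
```

Run stand-alone, the script prints the decoded attributes of both samples: the PIN key is reported as non-exportable and its encrypt-only mode of use rejects a decrypt request, while the KEK is exportable and carries its KS and PB optional blocks. A store that enforces these header fields before every operation, rather than trusting the caller's request, is what the TR-31 attributes are for.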

KeyBRIDGE POI supports both DUKPT and Master/Session methodologies and key loading, while enabling organizations to load and support EMV keys. Additional terminal-specific functionality is also supported through the KeyBRIDGE injection dashboard for each supported device. Custom wiring diagrams detail all of the necessary features and functions of KeyBRIDGE-certified Point-of-Interaction terminals so that users have all of the necessary details to properly load each device.

Remote Key Loading™ (RKL)

KeyBRIDGE RKL supports the remote distribution of keys to deployed Point-of-Interaction terminals. By enabling remote key loading, organizations save valuable time and resources by securely automating the delivery of keys to Point-of-Interaction terminals. Organizations are better equipped to perform periodic key rotations and contend with a suspected or known key compromise by quickly and efficiently replacing keys on Point-of-Interaction terminals in the field.

KeyBRIDGE RKL supports numerous APIs, including support for TR-34, for communicating and connecting with client-defined terminal management systems. Communications to and from the KeyBRIDGE RKL appliance are secured with TLS 1.2.

THE APPLIANCE

KeyBRIDGE is a self-contained tamper-responsive security module (TRSM). The 256-bit AES System Master Key (SMK), used to encrypt all key data stored on the KeyBRIDGE appliance, is stored and used only inside the protected FIPS 140-2 Level 3 internal HSM. Physical tampering with the KeyBRIDGE appliance, whether powered on or powered off, results in device erasure, rendering all encrypted data on the system unrecoverable. Recovery is enabled through backups and the availability of the System Master Key components, held separately on smart cards provisioned to dedicated key custodians.

APPLIANCE FEATURES

FIPS 140-2, Level 3 internal HSM

Dual power supplies (field replaceable)

4 USB ports

2 serial ports

2 Ethernet ports

Physical and logical tamper responsive controls

Field replaceable Fan Trays

UL & CE Certified

DES, 3DES, AES, ECC, and RSA, along with many regional derivation techniques.

SUPPORTED PERIPHERALS

The KeyBRIDGE system supports the following peripherals:

Mouse & Keyboard

Monitor (VGA)

Printer (IBM Proprinter I and II compatible with provided USB-to Centronics adapter)

Label Printer (Dymo® LabelWriter®400, 400 Turbo, 450, 450 Turbo)

USB Flash Drive (cannot contain any special drivers or firmware)

Barcode Scanner (Symbol® LS4208)

16-channel Serial Switch

Ethernet

SCD for entry of clear key components

SMK component smart cards

KEY MANAGEMENT

KeyBRIDGE provides centralized key management capabilities and detailed inventory tracking for all keys that are generated by or imported to the KeyBRIDGE key inventory. All keys are centrally managed based on user-defined Relationships. Relationships allow users to group keys and maintain contact information for each Relationship.

Key details are maintained in a user-friendly interface. To view key details, users may define custom filters to search for keys that match the criteria provided. At a glance, the key inventory displays high-level key information for all keys, such as the key name, key check value (KCV), key length, key usage, relationship, status, etc. Automated key rotation is supported with Current, Next, and Restore slots. More granular key details may be viewed by selecting individual key records from the key inventory screen. The key details screens include additional information relevant to each key, such as editable key name and comments fields, as well as the entire key history from the point that the key was introduced to the KeyBRIDGE appliance through key termination. The key details also include details for each instance of key export, as well as termination details if the key was terminated. Note that when a key is terminated the key value is erased from the KeyBRIDGE appliance but all key details and activity information are retained for historical tracking purposes. In addition to the standard key attributes, users may define up to twelve custom key attributes per key usage. This allows individual organizations to add and track additional information that is specific to their individual key management needs.

Figure 1 - Key Management Functions

ADD

•Generate in KeyBRIDGE

•Import as Clear Components

•Import as a Cryptogram

•Import as a Key Block File

•Audit Logs & Archive

•Key Custodian Privileges

•Key Loading (POIs or Systems)

EXPORT

•Export as Clear Components

•Export as a Cryptogram under KEK/ZMK or HSM Master Key Encryption

•Export as a Key Block File

TERMINATE

•Erase the key value from the system

•Retain the attributes and history

All keys are stored in KeyBRIDGE in Key Block format, encrypted under the AES 256-bit SMK. KeyBRIDGE allows users to set TR-31 key attributes to indicate how the key may be used and whether or not the key may be exported.

SYSTEM MASTER KEY

The SMK is managed as three components, each of which is written to a PIN protected smart card and under the control of a unique Key Custodian. The SMK is securely stored and utilized within the KeyBRIDGE appliance only in protected memory. Opening the appliance automatically erases the SMK.

Because each SMK component is written to and loaded from smart cards, the KeyBRIDGE appliance also includes smart card management capabilities, as follows:

Format Cards: Applies a Card ID and PIN to a blank card.

Duplicate Cards: Makes an additional card copy for backup purposes.

Read Card: Displays the Card ID and the date/time it was created.

Verify Card: Verifies the card has not been corrupted. Displays Card ID, date/time created, Component Check Value and SMK Check Value associated with the card.

Update PIN: Allows the PIN associated with the card to be changed.

THIRD PARTY HSM INTEGRATION

Third party HSM integration enables organizations to manage and store keys for multiple environments in a single, centralized location, while maintaining critical key history and details through the KeyBRIDGE centralized key store. In addition, generation and export of keys can be performed quickly with minimal resources, while tracking key history details through comprehensive audit logging. By enabling users to generate keys within the KeyBRIDGE interface and export the keys under HSM Master Keys and ZMK/KEK encryption, KeyBRIDGE reduces the number of steps required to perform key management tasks, saving organizations valuable time and resources.

KeyBRIDGE supports integration of HSMs from a number of manufacturers, including Thales, Utimaco, Safenet, and HP Atalla. Setup and administrative functions of the HSMs are controlled directly through the KeyBRIDGE interface. KeyBRIDGE also provides HSM diagnostics and key synching between environments for HSMs that support this functionality.

SECURE SECRET DATA STORAGE

KeyBRIDGE enables secure storage of secret data (up to 128 characters), such as HSM master key components, passwords, PINs, safe combinations, access codes, and derivation data. Virtually any piece of information that is frequently stored in physical safes can be securely stored and tracked within KeyBRIDGE.

Each secret is owned by a designated Key Custodian Group. Retrieval of the secure data requires dual control access from two key custodians assigned to the group to which the secret data is associated. Once the credentials have been validated, the secret data may be printed to a secure form.

API KEY REQUEST PROCESSING

KeyBRIDGE features the ARCK™ API (API for Remote Centralized Key management), a simple JSON Schema RESTful API that allows new schemas to be added for support in rapid fashion. Basic generate, import, export and delete functions, along with a suite of administrative and audit functions, are all available as GET and POST commands. Additionally, KeyBRIDGE now supports the ability to serve as the client, allowing KeyBRIDGE to POST keys to designated endpoints. Through this API, RNG and tokenization functions can also be enabled, allowing KeyBRIDGE to serve as a token vault with customizable token values leveraging a FIPS certified random number generator. The API can even be used for the purposes of fulfilling Cryptographic Signing Requests to third party Certificate Authorities.

The KeyBRIDGE architecture supports the ability to define custom APIs for automated key exchanges to external systems and applications. Baseline key exchange formats leverage X9 TR-34 key payload formats, but APIs may be tailored to support specific requirements of the receiving system. The APIs leverage TLS 1.2 for secure data transport and built-in certificate management supports full trust chain validation for each communicating device.

CERTIFICATE MANAGEMENT

KeyBRIDGE allows for the centralized management of X.509 and PKCS #7 certificates. KeyBRIDGE supports the import of multiple Certificate Authority (CA) and Sub-CA certificates as well as CA-signed certificates. KeyBRIDGE uses TLS for session security for API requests. A unique certificate must be designated for TLS authentication in order for incoming requests via the API to be accepted.

ACCESS CONTROLS

The KeyBRIDGE appliance architecture is rooted in role-based access to ensure appropriate controls and restrictions for performing sensitive functions. There are four user types in KeyBRIDGE: Manager, Key Custodian, Supervisor, and Operator (some user types will not be applicable based on the KeyBRIDGE product line). The assigned role will dictate the access and capabilities of a given user. The privileges associated with each role are as follows:

Figure 2 - KeyBRIDGE User Roles

MANAGER

•Key and Secret Data Management

•System Administration

•User Management

•Certificate Management

•Audit Logs & Archive

•Key Custodian Privileges

•Key Loading (PEDs)

KEY CUSTODIAN

•Key and Secret Data Management

•Audit Logs

SUPERVISOR

•User Management (Operators only)

•Audit Logs

•Key Loading (PEDs)

OPERATOR

•Audit Logs

•Key Loading (PEDs)

Accessing the KeyBRIDGE appliance requires authentication of two users. Sessions are initiated through a primary login process that collects the user ID and password of the user that will be performing functions in the appliance. Access privileges are based on the primary user, and their appropriate menu will be displayed once the secondary user’s credentials have been authenticated. The primary user is the session owner.

USER MANAGEMENT

Only Managers may create or edit users in the KeyBRIDGE appliance.

User Profiles

Each user record contains the following information:

User First Name

User Last Name

User ID

Password

Role

Key Custodian (Y/N)

Key Custodian Group Assignment (if designated as Key Custodian)

Status (Active/Inactive/Locked)

Editing User Profiles

Once created, the only items that can be changed on a user profile are role, custodian privilege and status.

De-provisioning Users

Users no longer requiring access to the appliance will be set to a status of “Inactive”.

Key Custodian Access

Key Custodian privileges can be assigned to users with a role of Manager or Key Custodian.

Once assigned, Key Custodian access may be deactivated and/or reactivated as needed.

Key Custodian Group Numbers are permanent once assigned to a user and cannot be edited.

Key Custodian privileges are required for import and export of clear key components, as well as the ability to add and export secure secret data.

ACCESS CONTROL SPECIFICATIONS

Password Rules

Password minimum length is set in System Settings. The allowable range is 8-24 characters.

Valid passwords must contain at least one numeric or special character and are case sensitive.

Password expirations are configurable to 1-180 days.

No new password may match any of the previous 16.

Password Management

Users may change their own passwords.

Managers may reset a user’s password if it is forgotten. The user will then be required to change their password on their next login attempt.

In the event the system cannot be accessed due to lost credentials or locked Manager account(s), emergency access to reset a Manager password may be initiated from the login screen, which requires loading of the three SMK components (via smart card).

Account Lockout

User accounts are locked after 5 consecutive failed login attempts.

Locked accounts may be unlocked by a Manager.
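The password rules, Manager reset and account lockout behaviour described above can be expressed as one small policy module. The code below is an added example and is not KeyBRIDGE code: the numeric limits (8-24 character configurable minimum, numeric or special character, case-sensitive comparison, no reuse of the previous 16 passwords, lockout after 5 consecutive failures, Manager unlock and forced change after a reset) come from the text, while storing passwords as salted PBKDF2 hashes, the function names and the Account fields are assumptions made for the illustration.

```python
"""Password policy, password history and account lockout modelled on the
Access Control Specifications in this brochure.

Constructed illustration, not KeyBRIDGE code: the hash format, function names
and Account fields are assumptions; only the numeric limits come from the text.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

PASSWORD_HISTORY = 16            # no new password may match any of the previous 16
MAX_FAILED_ATTEMPTS = 5          # lock the account after 5 consecutive failures
MIN_LENGTH_RANGE = range(8, 25)  # System Settings allows a minimum of 8-24 characters
PBKDF2_ITERATIONS = 100_000      # assumption; the brochure does not say how passwords are stored


def hash_password(password: str, salt: bytes) -> bytes:
    # Byte-exact hashing makes the comparison case sensitive automatically.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    history: list = field(default_factory=list)  # most recent hash first, at most 16 entries
    failed_attempts: int = 0
    status: str = "Active"     # Active / Inactive / Locked, the three statuses in the brochure
    must_change: bool = False  # set after a Manager reset


def check_policy(candidate: str, min_length: int) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    if min_length not in MIN_LENGTH_RANGE:
        raise ValueError("minimum length must be between 8 and 24")
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than the configured minimum of {min_length}")
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        problems.append("needs at least one numeric or special character")
    return problems


def set_password(acct: Account, new_password: str, min_length: int) -> list:
    """Apply the policy and history checks; on success rotate the history."""
    problems = check_policy(new_password, min_length)
    if problems:
        return problems
    new_hash = hash_password(new_password, acct.salt)
    if any(hmac.compare_digest(new_hash, old) for old in acct.history):
        return [f"matches one of the previous {PASSWORD_HISTORY} passwords"]
    acct.history = [new_hash] + acct.history[:PASSWORD_HISTORY - 1]
    acct.must_change = False
    return []


def new_account(user_id: str, password: str, min_length: int) -> Account:
    """Create an account; the initial password must satisfy the policy too."""
    acct = Account(user_id=user_id, salt=os.urandom(16))
    problems = set_password(acct, password, min_length)
    if problems:
        raise ValueError("; ".join(problems))
    return acct


def login(acct: Account, password: str) -> bool:
    """Verify a password, counting consecutive failures and locking at the limit."""
    if acct.status != "Active":
        return False
    if hmac.compare_digest(hash_password(password, acct.salt), acct.history[0]):
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.status = "Locked"
    return False


def manager_unlock(acct: Account) -> None:
    """Only a Manager may unlock; the failure counter restarts from zero."""
    acct.status = "Active"
    acct.failed_attempts = 0


def manager_reset(acct: Account, temporary_password: str, min_length: int) -> list:
    """Manager-issued reset: the user must change the password at the next login."""
    problems = set_password(acct, temporary_password, min_length)
    if not problems:
        acct.must_change = True
    return problems


if __name__ == "__main__":
    acct = new_account("custodian01", "Correct-Horse7", min_length=12)
    print(check_policy("tooshort", 12))
    print(set_password(acct, "Correct-Horse7", 12))   # rejected as a reuse
    for _ in range(MAX_FAILED_ATTEMPTS):
        login(acct, "wrong-guess")
    print(acct.status)
```

Two details worth noting: the history list holds the 16 most recent hashes including the one in use, so the 17th distinct password may repeat the first one, matching the "previous 16" wording; and a locked account rejects even the correct password until a Manager unlocks it, so the failure counter cannot be reset by the person who triggered it.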

Session Timeout

Session Timeout is configurable from 1-60 minutes.

Session Timeout settings are role specific, allowing a different timeout setting for Manager/Key Custodians vs. Supervisor/Operator roles.

Critical Functions

The following functions require the secondary Manager user to re-enter their login credentials:

Adding or editing user accounts.

Resetting passwords.

Deleting archived audit records.

Updating the SMK.

Applying system updates.

Terminating keys or certificates.

Adding or removing the SCD for clear component entry.

SYSTEM ADMINISTRATION

BACKUP & RECOVERY

Backups may be performed manually through the KeyBRIDGE interface or using the automated backup feature. Automated backups are scheduled to run daily at the desired time specified during the automated backup setup process. Once completed, the backup file, which is encrypted under the AES-256 SMK, is automatically saved to the designated shared network location. The backup file contains all keys, key details, the user database, audit and archive records and system settings and can be used in the event that a system needs to be recovered.

A KeyBRIDGE appliance may be initialized or restored using an existing backup file. When initializing a new or existing system, users will be required to reload the SMK and then load the backup file. For active systems with a loaded SMK, loading the backup file under dual control is all that is required to restore the system.

Figure 3 - System Recovery

AUDIT AND ARCHIVE

Every user action, regardless of status (pass or fail), is logged within KeyBRIDGE. Each record in the audit log will contain the following information:

A unique audit record ID

Date and timestamp

User IDs

Function performed

Relationship

POS Terminal Details (injection only)

Key Serial Number - KSI & DID portion only (injection only)

Status: Pass or Failure

Additional discretionary data (function specific)

Managers may view all audit records and select specific records to be printed or saved to a USB drive or shared network resource using the search filter and selecting the appropriate records. Other roles may only view audit records.

The KeyBRIDGE appliance limits the size of audit logs and requires periodic archival. The range of records may be chosen by either a date or an absolute number. Once the range is chosen, it will be saved to a file on a USB drive or shared network resource. The appliance will assign a batch ID. The appliance will maintain an archive record batch log to keep a record of archive activity.

CONCLUSION

Whether supporting HSM integration, remote key loading, or direct key loading, the KeyBRIDGE product line is fully scalable from the smallest to the largest of organizations. Built around industry standards and direct customer feedback since 2005, the KeyBRIDGE platform provides robust key management to meet the needs of growing key environments. Organizations can securely store, distribute and access sensitive keying material and secret data within a single, centralized location. With built-in automated tracking, organizations can manage key details and history for all keys within their environment, leading to more effective, secure and compliant key management.

About GEOBRIDGE

Established in 1997, GEOBRIDGE emerged as one of the first information security solutions providers to support cryptography and payment applications for payment processors, financial institutions and retail organizations. Today, GEOBRIDGE is a leading information security solutions and compliance provider that provides Cryptography and Key Management, Payment Security, Compliance, and HSM Virtualization solutions and services to our clients. Our client list includes Fortune 500 companies, financial institutions, healthcare organizations and government clients across North America and around the globe. GEOBRIDGE leverages our team’s expertise in data protection, program development, enforcement and governance to architect solutions that help mitigate risk for our clients.

For questions or more information, please email us at [email protected].