PKI TechNote Server Side Key Generation

From Dogtag

Server Side Key Generation

Data Recovery Manager (DRM) supports server-side key generation. The server-side key generation process is as follows:

  • TPS receives enrollment request and CID (Card Identification) from the client
  • TPS forwards the CID to TKS
  • TKS derives key-encryption-key (KEK) from the CID and generates key-transport-session-key (KTSK)
  • TKS wraps the key-transport-session-key with the key-encryption-key
  • TKS retrieves the server-transport-key (STK) and wraps the key-transport-session-key with the server-transport-key
  • TKS forwards KEK(KTSK) and STK(KTSK) to TPS
  • TPS forwards STK(KTSK) and the server-side key generation key request to DRM
  • DRM generates the subject public key (SPubK) and private key (SPrivK) pair
  • DRM retrieves the storage key (SK) and generates a storage session key (SSK)
  • DRM wraps the subject private key with the storage session key, wraps the storage session key with the storage key, and archives SSK(SPrivK) and SK(SSK)
  • DRM decrypts STK(KTSK)
  • DRM wraps the subject private key with the key-transport-session-key: KTSK(SPrivK)
  • DRM forwards KTSK(SPrivK) and SPubK to TPS
  • TPS forwards KTSK(SPrivK) and KEK(KTSK) to Token
  • TPS sends certificate enrollment requests with SPubK information to CA
  • TPS receives certificates from CA and forwards them to token.
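The wrapping chain above, as an added Python simulation that is not Dogtag's own code. The HMAC-based key derivation and wrap/unwrap functions are constructed stand-ins for the real derivation and key-wrap algorithms (which this page does not specify), the key pair is a placeholder, and all long-term keys are constructed values; what the simulation shows is which party unwraps what, and that TPS only ever relays wrapped blobs.

```python
import hmac, hashlib, secrets
TKS_MASTER = b"constructed TKS master key"  # held by TKS; card keys derive from it
STK = b"constructed server transport key"  # shared by TKS and DRM
SK = b"constructed DRM storage key"        # held by DRM only

def derive_kek(cid: bytes) -> bytes:  # constructed stand-in for the card-key derivation
    return hmac.new(TKS_MASTER, b"KEK" + cid, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))

def wrap(key: bytes, data: bytes) -> bytes:
    """Toy authenticated wrap (HMAC keystream XOR plus tag); stands in for real key wrap."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); rejects a blob wrapped under a different key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrapped blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def tks_session(cid: bytes):
    """TKS: derive KEK from CID, generate KTSK, return KEK(KTSK) and STK(KTSK)."""
    ktsk = secrets.token_bytes(32)
    return wrap(derive_kek(cid), ktsk), wrap(STK, ktsk)

def drm_keygen(stk_ktsk: bytes):
    """DRM: generate key pair, archive SSK(SPrivK) and SK(SSK), return KTSK(SPrivK), SPubK."""
    spriv, ssk = secrets.token_bytes(32), secrets.token_bytes(32)  # stand-in private key, SSK
    spub = hashlib.sha256(spriv).digest()  # stand-in for the matching public key
    archive = (wrap(ssk, spriv), wrap(SK, ssk))
    ktsk = unwrap(STK, stk_ktsk)           # DRM decrypts STK(KTSK)
    return wrap(ktsk, spriv), spub, archive

def drm_recover(archive) -> bytes:  # later key recovery: unwrap SK(SSK), then SSK(SPrivK)
    return unwrap(unwrap(SK, archive[1]), archive[0])

def token_install(kek: bytes, kek_ktsk: bytes, ktsk_spriv: bytes) -> bytes:
    """Token: it already holds the card KEK, so it unwraps KTSK, then SPrivK."""
    return unwrap(unwrap(kek, kek_ktsk), ktsk_spriv)

def run_flow(cid: bytes):
    """TPS relays wrapped blobs only; it never sees KTSK or SPrivK in the clear."""
    kek_ktsk, stk_ktsk = tks_session(cid)
    ktsk_spriv, spub, archive = drm_keygen(stk_ktsk)
    spriv_on_token = token_install(derive_kek(cid), kek_ktsk, ktsk_spriv)
    return spriv_on_token, spub, archive
```

The private key that lands on the token must equal the one DRM can later recover from its archive, and a blob unwrapped under the wrong key (for example SSK(SPrivK) under SK) is rejected rather than silently yielding garbage.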