Configuration migration tasks

This application provides access to utilities used to securely migrate configuration data, including secret data such as master key values, from one crypto module to another. This application can be used for both CCA crypto modules and EP11 crypto modules. When you select this application, the Configuration Migration Tasks panel is displayed.

Figure 1. Configuration Migration Tasks panel

When migrating configuration data that includes master keys, the data in transit must be just as secure as if it were still resident inside a host crypto module. To accomplish this, the configuration data is encrypted using a 256-bit AES key (32 bytes), which is split into as many as 10 parts.

Three smart card types support configuration migration that includes master keys: Migration Certificate Authority (MCA) smart cards, Injection Authority (IA) smart cards, and Key Part Holder (KPH) smart cards.

The MCA smart card defines the migration zone. A migration zone is a set of smart cards that can work together to accomplish a migration task. When the migration zone is created, two policies are set indicating the number of smart cards needed for the tasks. The "M-of-N" policy indicates the number of parts the transport key is split into (N), and the number of parts needed to reconstruct the transport key (M). The maximum value for N is 10, and M must be less than or equal to N. The "K" policy indicates the number of IA smart cards required to apply configuration data to a target host crypto module. The maximum value for K is 10.

The MCA smart card is used to create IA and KPH smart cards. These smart cards become part of that migration zone, and can be used only in that migration zone. An unlimited number of migration zones can be created, but each migration zone has its own MCA smart card (and backup MCA smart cards) and set of IA and KPH smart cards.

The IA smart card authorizes application of configuration data to a target host crypto module or domain group.

The KPH smart card authorizes reconstruction of the transport key.

For CCA crypto modules, before configuration data can be collected from a source host crypto module, the source host crypto module must be enrolled in the migration zone using the Enroll source module in migration zone task. EP11 crypto modules do not need to be enrolled in the migration zone.

During the Collect configuration data task, the source host crypto module generates a transport key and splits it into "N" parts. (The key splitting algorithm allows the key to be recovered with only "M" of the original "N" parts. It does not matter which "M" parts are provided.) Each key part is encrypted using the public key from one of the "N" KPH smart cards. The source host crypto module captures the configuration data and encrypts it using the transport key. The encrypted configuration data and "N" encrypted key parts are returned.
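The M-of-N property described for the migration zone policy and for the Collect configuration data task (any M of the N key parts recover the transport key, and which M does not matter) is exactly what a threshold secret-sharing scheme provides. The page does not say which splitting algorithm the crypto module uses, so the block below is an added, constructed example and not TKE's own code: it applies Shamir's scheme byte by byte over GF(2^8) to a 32-byte key, enforces the documented bounds (N at most 10, M at most N), and reconstructs from any M parts supplied in any order. The `demo` helper and the `MAX_PARTS` name are assumptions made for this illustration.

```python
"""Constructed M-of-N split of a 32-byte transport key (Shamir over GF(2^8)).

Added example only: the documentation states the property (N parts, N <= 10,
any M recover the key) but not the algorithm. Shamir's threshold scheme is
one standard way to obtain exactly that property.
"""
import secrets

MAX_PARTS = 10  # documented upper bound for N (and for M, since M <= N)


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^(2^8 - 2); a must be non-zero."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split_key(key: bytes, m: int, n: int) -> list[tuple[int, bytes]]:
    """Split key into n parts (x, share) such that any m parts reconstruct it."""
    if not 1 <= m <= n <= MAX_PARTS:
        raise ValueError("policy requires 1 <= M <= N <= 10")
    shares = [bytearray() for _ in range(n)]
    for secret_byte in key:
        # Random polynomial of degree m-1 whose constant term is the secret byte.
        coeffs = [secret_byte] + [secrets.randbelow(256) for _ in range(m - 1)]
        for idx in range(n):
            x = idx + 1  # evaluate at x = 1..n; x = 0 would expose the secret
            y, xpow = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, xpow)
                xpow = gf_mul(xpow, x)
            shares[idx].append(y)
    return [(idx + 1, bytes(s)) for idx, s in enumerate(shares)]


def reconstruct_key(shares: list[tuple[int, bytes]], m: int) -> bytes:
    """Lagrange-interpolate each byte at x = 0 from any m distinct parts."""
    if len(shares) < m:
        raise ValueError(f"need {m} parts, got {len(shares)}")
    shares = shares[:m]
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate part index")
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            num, den = 1, 1
            for j, (xj, _) in enumerate(shares):
                if i != j:
                    num = gf_mul(num, xj)       # (0 - xj) == xj in characteristic 2
                    den = gf_mul(den, xj ^ xi)  # (xj - xi) == xj XOR xi
            acc ^= gf_mul(yi[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def demo(m: int = 3, n: int = 5) -> bool:
    """Split a fresh 256-bit key, recover it from an out-of-order subset of M parts."""
    key = secrets.token_bytes(32)            # the 256-bit AES transport key
    parts = split_key(key, m, n)             # one part per KPH smart card
    chosen = list(reversed(parts))[:m]       # any M parts, in any order
    return reconstruct_key(chosen, m) == key


if __name__ == "__main__":
    print("3-of-5 reconstruction succeeded:", demo(3, 5))
```

In the real task each part is additionally encrypted under one KPH smart card's public key before leaving the source module, so the share bytes produced here correspond to the plaintext key parts that only the matching KPH card can later recover and rewrap.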

During the Apply configuration data task, the target crypto module generates and returns a target decryption public key. It also returns an Outbound Authentication (OA) signature over the target decryption public key and the target host crypto module OA certificate chain.

"K" IA smart cards approve the target crypto module and target decryption public key, with help from the OA proxy (see OA proxy).

"M" KPH smart cards approve reconstructing the transport key, with help from the OA proxy (see OA proxy). KPH smart cards receive the transport key part that was encrypted with their public key, decrypt it using their private key, re-encrypt it using the target decryption public key, and return the result.

The target crypto module receives the encrypted configuration data and the "M" rewrapped key parts. It decrypts the rewrapped key parts using its private key, reconstructs the transport key, and decrypts and applies the configuration data.

The target of the apply task can be either a single crypto module or a domain group. When the target is a domain group, the configuration data is applied to each crypto module with at least one domain in the group.