For CCA host crypto modules, master keys and operational keys are protected by encryption during transfer between the TKE workstation crypto adapter and host crypto modules. The transport encryption keys (key-encrypting keys) are established by means of a Diffie-Hellman key agreement mechanism. The Select Transport Key Policy Window lets you select the policy for the transport key.
For EP11 host crypto modules, master keys are also protected by encryption during transfer between the TKE workstation and host crypto modules, but a different mechanism is used. The policy selected by the Select Transport Key Policy Window does not apply to EP11 host crypto modules.
For CCA host crypto modules, TKE supports two Diffie-Hellman key agreement protocols: Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH). DH is used when TKE sends key material to a CCA host crypto module with a CCA level earlier than 4.2. ECDH is used when the host crypto module has a CCA level of 4.2 or greater.
Using the Select Transport Key Policy window, you can select one of the following:
- Always use current transport key.
This is the default selection. TKE uses the current transport key or establishes a new transport key if one is not available. This avoids other key agreement protocol actions.
- Always establish new transport key using current protocol
parameters.
If TKE is communicating with a host crypto module using DH, it reuses the current Diffie-Hellman modulus and generator values to generate a new transport key for each key transfer. If they are not the correct key length or do not exist, TKE will automatically generate the correct Diffie-Hellman values. This selection avoids the time-consuming generation of the Diffie-Hellman values.
If TKE is communicating with a host crypto module using ECDH, it uses the current ECDH domain parameters to generate a new transport key for each key transfer.
- Always establish new transport key after changing protocol
parameters.
If TKE is communicating with a host crypto module using DH, it will generate a new pair of Diffie-Hellman modulus and generator values and a transport key for each key transfer.
If TKE is communicating with a host crypto module using ECDH, it uses new ECDH domain parameters to generate a new transport key for each key transfer.
Select the required option by pressing the radio button and then press OK.
If you have selected to reuse the current values of Diffie-Hellman modulus and generator, you can force TKE to generate new Diffie-Hellman values by clicking Change protocol parameters. For ECDH, Change protocol parameters forces the TKE to use different ECDH parameters and causes TKE to establish a new transport key when needed using the new ECDH parameters.