5.12. Setting Up New Key Sets

This section describes setting up an alternative to the default key set in the Token Processing System (TPS) and in the Token Key Service (TKS).
TKS configuration
The default key set is configured in the TKS using the following options in the /var/lib/pki/instance_name/tks/conf/CS.cfg file:
tks.defKeySet._000=##
tks.defKeySet._001=## Axalto default key set:
tks.defKeySet._002=##
tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=<tokenname>:<nickname>
tks.defKeySet._004=##
tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.nistSP800-108KdfOnKeyVersion=00
tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=false
The above configuration defines settings specific to a certain type or class of tokens that can be used in the TMS. The most important part are the 3 developer or (out of the box) session keys, which are used to create a secure channel before symmetric key handover takes place. A different type of key may have different default values for these keys.
The settings describing the nistSP800 key diversification method control whether this method or the standard Visa method is used. Specifically, the value of the tks.defKeySet.nistSP800-108KdfOnKeyVersion option determines that the NIST version will be used. The nistSP800-108KdfUseCuidAsKdd option allows you to use the legacy key ID value of CUID during processing. The newer KDD value is most commonly used and therefore this option is disabled (false) by default. This allows you to configure a new key set to enable support for a new class of keys.

Example 5.2. Enabling Support for the jForte Class

To enable support for the jForte class, set:
tks.jForte._000=##
tks.jForte._001=## SAFLink's jForte default key set:
tks.jForte._002=##
tks.jForte._003=## tks.jForte.mk_mappings.#02#01=<tokenname>:<nickname>
tks.jForte._004=##
tks.jForte.auth_key=#30#31#32#33#34#35#36#37#38#39#3a#3b#3c#3d#3e#3f
tks.jForte.kek_key=#50#51#52#53#54#55#56#57#58#59#5a#5b#5c#5d#5e#5f
tks.jForte.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.jForte.nistSP800-108KdfOnKeyVersion=00
tks.jForte.nistSP800-108KdfUseCuidAsKdd=false
Note the difference in the 3 static session keys compared to the previous example.
Certificate System supports the Secure Channel Protocol 03 (SCP03) for Giesecke & Devrient (G&D) Smart Cafe 6 smart cards. To enable SCP03 support for these smart cards in a TKS, set in the /var/lib/pki/instance_name/tks/conf/CS.cfg file:
tks.defKeySet.prot3.divers=emv
tks.defKeySet.prot3.diversVer1Keys=emv
tks.defKeySet.prot3.devKeyType=DES3
tks.defKeySet.prot3.masterKeyType=DES3
TPS configuration
The TPS must be configured to recognize the new key set when a supported client attempts to perform an operation on a token. The default defKeySet is used most often.
The primary method to determine the keySet in the TPS involves Section 5.7, “Mapping Resolver Configuration”. See the linked section for a discussion of the exact settings needed to establish this resolver mechanism.
If the KeySet Mapping Resolver is not present, several fallback methods are available for the TPS to determine the correct keySet:
  • You can add the tps.connector.tks1.keySet=defKeySet to the CS.cfg configuration file of the TPS.
  • Certain clients can possibly be configured to explicitly pass the desired keySet value. However, the Enterprise Security Client does not have this ability at this point.
  • When the TPS calculates the proper keySet based on the desired method, all requests to the TKS to help create secure channels pass the keySet value as well. The TKS can then use its own keySet configuration (described above) to determine how to proceed.