Managing keys with the Distributed Key Management System (DKMS)

The Distributed Key Management System (DKMS) provides online key management to ICSF as well as to IBM cryptographic products on other platforms. DKMS offers centralized key management for symmetric and asymmetric keys and for certificates. DKMS automates the key management process, and exchanges and replaces keys and certificates on demand. Further, to assure continuous operation DKMS maintains backup copies of all critical keys.

With the introduction of Payment Card Industry Data Security Standard (PCI DSS) and other guidelines and requirements key management is much more than a suitable toolbox. DKMS helps enforcing the organization's policies and procedures by offering dual control, split knowledge, audit trail, and key separation between applications and production environments.

The DKMS system is comprised of a workstation that constitutes the user interface and a server component (the DKMS agent) that interacts with ICSF and the backup key repository. The architecture allows for multiple agents, supporting simultaneous management of keys on several servers. The applications get cryptographic support by using ICSF callable services or by utilizing high level DKMS application programming interfaces.

In addition to essential management of symmetric and asymmetric keys, DKMS offers a number of business-focused features to meet specific needs. These features include:
  • Certificate Management

    DKMS manages certificates stored in RACF Key Rings that are accessible online and certificates used by SSL servers or other connection implementations that must be addressed offline.

    DKMS supports all aspects of RACF Key Ring administration. Key Rings can be created or deleted. Further, new keys can be generated and these keys, together with their certificates, can be attached to one or more key rings. All functions are performed online from the DKMS workstation.

    Many web services and other communication connections rely on a RSA based certificate scheme to assure authenticity and privacy. This scheme requires that RSA keys and certificates are renewed at regular intervals. The DKMS SSL certificate management feature centralizes and unifies most of the tasks traditionally performed manually for components utilizing SSL or other certificate based schemes. Further, functions are offered that ease administration of certificates for a large population of SSL servers. The DKMS SSL certificate management supports numerous SSL server implementations.

  • EMV support
    DKMS supports all parties of EMV business: Brand Certificate Authorities (CAs), Integrated Circuit Card (ICC) card issuers, and ICC transaction acquirers.
    • Brand CAs totally support all the security and procedural requirements needed to implement CAs to Visa and MasterCard specifications.
    • ICC card issuers supports generation of the key material to be stored in the EMV ICC card for both the SDA and the DDA/CDA schemes. For the DDA/CDA schemes, DKMS implements a key pre-generation mechanism that utilizes low-load periods of ICSF's cryptographic coprocessors for generation of the huge amount of RSA keys required.
    • ICC transaction acquirers has transaction authorization support for verification of application cryptograms, generation of response cryptograms and secure scripts.
  • Remote Key Loading for ATMs

    Contemporary ATMs support keys to be exchanged with back-end systems using an RSA key exchange scheme defined in ANS X9.24 part 2. DKMS provides all functions to support this scheme. This includes exchange of keys and certificates with the ATM vendors and APIs that supplies the ATM keys in a format suitable for the ATMs. The DKMS RKL feature supports the major ATM vendors.

For further information, contact the Crypto Competence Center, Copenhagen.