User Guide DDOC0099-000-AH
DTS1 CSfC 5 - 5 Encryption
© 2020 Curtiss-Wright Defense Solutions Revision 6.0
5.3.3.2 Access RMC Module (EDEK)
1. Generate an EDEK as follows:
a. To obtain the KEK and associated MAC type cmkey --kek and press E
NTER key.
Example
b. Using a 3rd-party HMAC SHA384 application, generate an HMAC using the KEK and
Curtiss-Wright supplied PSK as the key.
The generated HMAC should be the same as the MAC from the example above.
c. Using a 3rd-party application capable of performing an AES256 key-unwrapping
algorithm, perform an AES key unwrap function on the KEK using the PSK. This will yield
the actual/unwrapped KEK you will use to encrypt your DEK.
d. Using a 3rd-party application capable of performing an AES256 key wrap function, encrypt
the DEK using the unwrapped KEK. This will yield the wrapped/encrypted DEK (EDEK).
e. Using a 3rd-party HMAC SHA384 application, calculate a new MAC using the HMAC
SHA384 function for the EDEK using the unwrapped KEK as the key.
2. To access the RMC, enter the EDEK and MAC.
3. Type
cmkey -s 0 -e [EDEK string] -m [MAC string] -force
and press
E
NTER
key
.
Example
5.3.4 Hardware Encryption Key Storage
NOTE
Encryption keys are associated with individual RMC modules. As a result, up to 32 separate keys
can be saved for 32 individual RMC modules.
The --save option is an optional command that will save the key entered to a specified crypto
module location. There are 32 locations available [0 through 31]. The --save command is used
with either plain text DEK or encrypted DEK (EDEK), depending on which option has been used to
access the RMC module. These stored key locations are reported when a status command is
issued, as shown / explained in paragraph 5.3.4.3 Status Report.
5.3.4.1 Pain Text DEK
Type cmkey --save [0 thru 31] -d [User-generated plain text DEK string] -
p [Curtiss-Wright provided PSK string] and press ENTER key.
Example (DEK / PSK)
5.3.4.2 Encrypted DEK
Type cmkey --save [0 thru 31] -e [EDEK string] -m [MAC string] --force and
press ENTER key.
cw_dts> cmkey --kek
[cmkey]
CMKEY: kek=[KEK] mac=[MAC]
status=OK
[!cmkey] OK
cw_dts> cmkey -s 0 -e [EDEK string] -m [MAC string] -force
[cmkey]
CMKEY: action=inst slot=0 status=ok
[!cmlogin] OK
cw_dts> cmkey --save [0 thru 31] -d [User-generated plain text DEK string] -p
[Curtiss-Wright provided PSK string]
[cmkey]
CMKEY: action=save status=OK
[!cmkey] OK
To Next Page
Loading...
Need help?
General
