Entrust nShield - 5.2.5.2. Card management guidance; 5.2.5.3. Persistence and non-persistence for OCS

For further guidance on using an OCS to share keys across HSMs and share keys between
users, see Creating and maintaining a quorum.
5.2.5.2. Card management guidance
When not in use, OCS cards must be stored securely by each custodian.
See Logical token pass phrase guidance for guidance on choosing strong pass
phrases.
Pass phrases or hints for a specific card should not be written down in the same
location as the card.
A register should be maintained of the custodians and the cards they hold, to support
operation and any role transition. To support this, OCSs can be created with a name
for the OCS and a name for each card in the OCS.
Cardsets should be regularly audited to make sure that they are still present. See
Audit for further information.
Sometimes an OCS card may be left in the card reader. See Persistence and
non-persistence for OCS for guidance on this option.
The process for managing loss, theft or corruption of cards should be set out in your
security procedures. If a quorum of cards is compromised the application keys
protected by the OCS are vulnerable to attack. See Security Incident and Response
for further guidance.
The requirements for the correct identification, use, movement, storage and
protection of cards by trusted, authorized individuals should be set out in your
security procedure. See Audit for further details.
5.2.5.3. Persistence and non-persistence for OCS
If you create a standard (non-persistent) OCS, the keys it protects can only be used while
the last required card of the quorum remains loaded in the smart card reader of the
nShield HSM. The keys protected by this card are removed from the memory of the HSM
as soon as the card is removed from the smart card reader. This mode is more secure as
the user directly controls key usage. If you want to be able to use the keys after you have
removed the last card, you must make that OCS persistent. Keys protected by a
persistent card set can be used for as long as the application that loaded the OCS
remains connected to the HSM (unless that application removes the keys explicitly or any
usage or time limit is reached). Persistent mode should only be used once a threat
analysis of the environment has determined that it is safe for application keys to continue
to be operationally usable once the last OCS card has been removed.
OCSs (both persistent and non-persistent) can also be created with a time-out, so that
they can only be used for a limited time after the OCS is loaded. Keys will be forcibly
unloaded when the time-out expires. An OCS is loaded by most applications at start-up or
nShield® Security Manual 36 of 90
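The three availability rules in this section (a non-persistent OCS needs the last quorum card to stay in the reader; a persistent OCS needs the loading application to stay connected; either kind can carry a time-out after load) interact, and it is easy to assume the wrong combination during a threat analysis. The following model is an added example, not Entrust code: class and method names, the "ops-signing" set name and all timings are constructed here to make the rules checkable side by side; it does not talk to an HSM.

```python
"""Illustrative model of when OCS-protected keys are usable on an nShield HSM.

Added example, not Entrust code. It encodes the rules stated in the manual:
  - non-persistent OCS: keys leave HSM memory when the last quorum card is removed;
  - persistent OCS: keys stay usable while the loading application stays connected;
  - either mode: an optional time-out forcibly unloads the keys after load.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class OCS:
    """Parameters chosen when the card set is created (field names are assumptions)."""
    name: str
    quorum: int                    # K cards of the set needed to load the OCS
    persistent: bool = False       # standard (non-persistent) OCS by default
    timeout: Optional[int] = None  # seconds after load; None means no time-out


class KeyAvailability:
    """Tracks key usability for one OCS loaded on one HSM (simplified model)."""

    def __init__(self, ocs: OCS) -> None:
        self.ocs = ocs
        self.cards_presented = 0
        self.loaded_at: Optional[float] = None  # time at which the quorum completed
        self.keys_in_memory = False
        self.last_card_in_reader = False
        self.app_connected = True

    def present_card(self, now: float) -> bool:
        """Present one card of the set; returns True once the quorum is reached."""
        self.cards_presented += 1
        if self.loaded_at is None and self.cards_presented >= self.ocs.quorum:
            self.loaded_at = now
            self.keys_in_memory = True
            self.last_card_in_reader = True
        return self.loaded_at is not None

    def remove_last_card(self) -> None:
        """Remove the final quorum card from the smart card reader."""
        self.last_card_in_reader = False
        if not self.ocs.persistent:
            # Non-persistent OCS: keys are removed from HSM memory immediately,
            # so re-inserting the card would need a fresh load.
            self.keys_in_memory = False

    def disconnect_application(self) -> None:
        """The application that loaded the OCS drops its HSM connection."""
        self.app_connected = False

    def unload_keys(self) -> None:
        """The application explicitly removes the keys."""
        self.keys_in_memory = False

    def keys_usable(self, now: float) -> bool:
        if self.loaded_at is None or not self.keys_in_memory:
            return False
        if self.ocs.timeout is not None and now - self.loaded_at >= self.ocs.timeout:
            return False  # time-out applies to both persistent and non-persistent sets
        if self.ocs.persistent:
            return self.app_connected
        return self.last_card_in_reader


def compare_modes(timeout: int = 300) -> Dict[str, Tuple[bool, bool, bool]]:
    """Run one event sequence against a non-persistent and a persistent OCS.

    Returns, per mode: (usable after load, usable after last card removed,
    usable after the time-out has elapsed).
    """
    results: Dict[str, Tuple[bool, bool, bool]] = {}
    for persistent in (False, True):
        ocs = OCS("ops-signing", quorum=2, persistent=persistent, timeout=timeout)
        s = KeyAvailability(ocs)
        s.present_card(0.0)
        s.present_card(5.0)                 # quorum completed at t=5
        after_load = s.keys_usable(10.0)
        s.remove_last_card()
        after_removal = s.keys_usable(20.0)
        after_timeout = s.keys_usable(5.0 + timeout + 1)
        mode = "persistent" if persistent else "non-persistent"
        results[mode] = (after_load, after_removal, after_timeout)
    return results


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(f"{mode:15s} load/removed/timed-out -> {outcome}")
```

Running the model shows that a persistent set with a time-out still stops being usable when the time-out expires, while a non-persistent set stops at card removal regardless of any time-out; the time-out therefore bounds, but does not replace, the custodian control that non-persistent mode gives.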