Entrust nShield - Page 43
controls for cards is not implemented. The loss or theft of the quorum of cards means
that all keys protected by the OCS are vulnerable. Therefore, a threat analysis should
identify the additional logical and physical controls required to protect the OCS left in
the card reader.
Alternatively, a less secure way of using OCS-protected keys across multiple HSMs is to
set:
K to 1
N to at least the number of HSMs you want to use.
You can then insert a single card from the OCS into the card slot of each HSM to authorize
the use of that key on that HSM.
To mitigate the risk of card failure, consider setting N greater than the number of HSMs.
If a card fails, the spare OCS card is retrieved from its secure location and deployed
while arrangements are made to create a new OCS to replace the existing one.
However, the guidance outlined in Creating and maintaining a quorum regarding quorum
ratios and security controls for cards is not implemented. Because K is 1, the misuse, loss
or theft of a single card means that all keys protected by the OCS are vulnerable.
Therefore, a threat analysis must identify the additional logical and physical access
controls required to protect the OCS cards left in the card readers.
An alternative strategy to the configurations listed above is to use a persistent OCS, or a
persistent OCS with a time-out. However, both options reduce the control the user has over
keys once the OCS has been loaded, because the keys remain usable after the cards have been
removed from the reader (until the time-out expires, if one is set). A threat analysis
should determine which combination of persistence or non-persistence and time-out or no
time-out is appropriate for each set of keys protected by an OCS.
6.3.2. Share key between users
To share the same OCS-protected key with a set of users, set:
K to 1
N equal to the number of users.
You can then give each user a single card from the OCS, enabling each of them to authorize
the use of that key. However, in this instance, the guidance outlined in Creating and
maintaining a quorum regarding quorum ratios for cards is not implemented. The misuse,
loss or theft of one card means that all keys protected by the OCS are vulnerable.
Therefore, a threat analysis should identify the additional logical and physical controls
required to protect against the loss of a single card.
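To make the quorum arithmetic behind these warnings concrete, here is an added example that is not nShield code and does not reproduce the OCS card format or the split algorithm Entrust uses. It models a card set as a generic Shamir k-of-n split of a stand-in logical token, so that the K=1 layouts described above (one card per HSM, or one card per user) can be compared with a K of 2 or more. The function names, the field prime and the token value are all constructed for the illustration.

```python
"""Shamir k-of-n secret sharing as a stand-in for an OCS quorum.

Added example, not nShield code: the real OCS card format and split
algorithm are not reproduced here. This models only the quorum property
the manual discusses: with K = 1 any single card recovers the protected
token; with K >= 2 a single card reveals nothing, and any K cards
together recover it.
"""
import secrets

# Prime field for the arithmetic (2**127 - 1 is a Mersenne prime); the
# token is a field element below this modulus. Constructed for the demo.
PRIME = 2**127 - 1


def split_token(token: int, k: int, n: int) -> list[tuple[int, int]]:
    """Split `token` into n shares (one per card); any k shares recover it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= K <= N")
    if not 0 <= token < PRIME:
        raise ValueError("token must be a field element")
    # Random polynomial of degree k-1 whose constant term is the token.
    coeffs = [token] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):  # the card index is the evaluation point
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_token(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate the shares at x = 0 to recover the token.

    With fewer than K shares this still returns a field element, but one
    that is unrelated to the token: every candidate is equally likely.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def quorum_report(k: int, n: int, token: int) -> dict[str, bool]:
    """Check what single cards, deployed cards and a spare can do for K/N.

    Cards 1..n are the shares. The last card is treated as the spare kept
    in a secure location; the others are the deployed cards. Requires
    N > K so that the deployed cards alone can still form a quorum.
    """
    if n <= k:
        raise ValueError("this report needs at least one spare card (N > K)")
    cards = split_token(token, k, n)
    deployed, spare = cards[:-1], cards[-1]
    after_loss = deployed[1:]  # card 1 has failed or been stolen
    return {
        # What someone holding only one card can do with it:
        "single_card_recovers": recover_token(cards[:1]) == token,
        # Normal operation with K of the deployed cards present:
        "k_deployed_cards_recover": recover_token(deployed[:k]) == token,
        # After losing card 1, the spare restores a working quorum:
        "spare_restores_quorum": recover_token((after_loss + [spare])[:k]) == token,
    }


if __name__ == "__main__":
    token = secrets.randbelow(PRIME)  # constructed stand-in for the logical token
    print("K=1, N=3 (one card per HSM or per user):", quorum_report(1, 3, token))
    print("K=2, N=3 (a real quorum plus a spare):  ", quorum_report(2, 3, token))
```

With K=1 every card is by itself a full quorum, which is exactly why the manual says a single misused or stolen card exposes every key under the OCS; with K=2 the same person holding one card recovers nothing, while the deployed cards still authorize use and the spare still lets a quorum be formed after one card is lost.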
nShield® Security Manual 43 of 90