6.9. Discarding keys
To destroy a key permanently you must either erase the OCS that is used to protect it or
erase the Security World completely. There are no other ways to destroy a key
permanently.
6.10. Erasing a module from a Security World
You do not need the ACS to erase a module. However, unless you have a valid ACS and
the host data for this Security World, you cannot restore the Security World after you
have erased it.
6.11. Replacing an OCS
Replacing an OCS requires authorization from the ACS of the Security World to which it
belongs. You cannot replace an OCS unless you have the required number of cards from
the appropriate ACS.
Replacing one OCS with another OCS also transfers the keys protected by the first OCS
to the protection of the new OCS.
When you replace an OCS or softcard and recover its keys to a different OCS or softcard,
the key material is not changed by the process. The process deletes the original Security
World data (that is, the encrypted version of the key or keys and the smart card or
softcard data file) and replaces this data with host data protected by the new OCS or
softcard.
Keys protected by an OCS can only be recovered to another OCS, and not to a softcard.
Likewise, softcard-protected keys can only be recovered to another softcard, and not to
an OCS.
We recommend that after you have replaced an OCS, you then erase the remaining cards
in the old card set and remove the old card set from the Security World.
Deleting the information about an OCS from the client does not remove the data for keys
protected by that card set.
If you are sharing the Security World across several client computers, you must ensure
that the changes to the host data are propagated to all your computers.
6.12. Replacing the ACS
Replacing the ACS modifies the world file. In order to use the new ACS on other
machines in the Security World, you must copy the updated world file to all the machines
nShield® Security Manual 46 of 90
To Next Page
Loading...
Need help?
General
