same client’s IP address/ESN, but the new KNETI hash, and then re-establish the secure
channel to the Connect(s)/RFS.
11.3.10. Compromised Key or Secret: nToken KNETI
Compromise Type
A brute force attack on KNETI encrypted blob held in KNETI file in the KMData folder.
Impact
KNETI is compromised and must not be used
Recovery Action
For every Connect that the affected client has communicated with, use the Front Panel
to remove the client’s configuration data.
For any RFS that the affected client has communicated with, update the RFS’s
configuration filer to remove the client’s configuration data.
Manually delete the kneti file identified as kneti-nToken ESN.
•
On Windows, it is stored in C:\ProgramData\nCipher\Key Management Data\hardserver.d\.
•
On Linux, it is stored in /opt/nfast/kmdata/hardserver.d/.
Reset the nToken.
Isolate client and investigate unauthorized access to KMData file and integrity of client.
Once resolved re-configure the Connects/RFS that this client communicated with using
same client’s IP address/ESN, but the new KNETI hash, and then re-establish the secure
channel to the Connect(s)/RFS.
11.3.11. Compromised Key or Secret: Imported application keys
Application keys can also be imported into the HSM. Any secret/private application key
imported in plaintext should be treated as potentially compromised if:
•
The confidentiality and integrity of an imported secret/private key cannot be verified
•
The provenance of the key is unknown (it has not come from a trusted party).
11.4. Deleting a Security World
You can re-initialise an HSM to use a new Security World if, for example, you believe that
your existing Security World has been compromised. This must be done for all HSMs that
hosted the old Security World, however:
nShield® Security Manual 76 of 90
To Next Page
Loading...
Need help?
General
