Key ceremony

Event in cryptography

In cryptography, a key ceremony is a ceremony held to generate or use a cryptographic key. A public example is the signing of the DNS root zone for DNSSEC.

Root key signing ceremony

In public-key cryptography and computer security, a root-key ceremony is a procedure for generating a unique pair of public and private root keys. Depending on the certificate policy of a system, the generation of the root keys may require notarization, legal representation, witnesses, or "key-holders" to be present. A commonly recognized practice is to follow the SAS 70 standard for root key ceremonies.

At the heart of every certificate authority (CA) is at least one root key or root certificate and usually at least one intermediate root certificate. This "root key" is a unique key that must be generated for secure server interaction with a protective network, often called the "root zone". Prompts for information from this zone can be made through a server. The keys and certificates serve as the credentials and safeguards for the system. These digital certificates are made from a public key and a private key.

Instances

The following examples A and B are at opposite ends of the security spectrum, and no two environments are the same. Depending on the level of protection required, different levels of security will be used.

Possibility A: Identification and non-repudiation for email and web access

Unless the information being accessed or transmitted is valued in terms of millions of dollars, it is generally adequate that the root key ceremony be conducted within the security of the vendor's laboratory. The customer may opt to have the root key stored in a hardware security module, but in most cases, the safe storage of the root key on a CD or hard disk is admissible. The root key is never stored on the CA server.

Possibility B: MRTD Cards and e-Passports

Machine Readable Travel Documents (MRTDs) require a much higher level of security. When conducting the root key ceremony, the government or organization will require rigorous security checks on all personnel in attendance. Those normally required to attend the key ceremony include a minimum of two administrators from the organization, two signatories from the organization, one lawyer, a notary, and two video camera operators, in addition to the CA software vendor's technical team.

Overview

The actual generation of the root key-pair typically occurs in a secure vault, with no external communication except for a single telephone line or intercom. Upon securing the vault, all present personnel must verify their identity using at least two legally recognized forms of identification. The lawyer in charge logs every person, transaction, and event in a root key ceremony log book, with each page notarized. From the moment the vault door closes until its reopening, everything is also video recorded. The lawyer and the organization's two signatories sign the recording, which is also notarized.

As part of the process, the root key is divided into up to twenty-one parts, each secured in a safe with a key and numerical lock. The keys are distributed to up to twenty-one people, and the numerical codes are distributed to another twenty-one people.

Providers

The CA vendors and organizations, such as RSA, VeriSign, and Digi-Sign, implement projects of this nature where conducting a root key ceremony would be a central component of their service.

IBM HSM key ceremony

A hardware security module (HSM) key ceremony is a procedure where the master key is generated and loaded to initialize the use of the HSM. The master key is at the top of the key hierarchy and is the root of trust to encrypt all other keys generated by the HSM. (The master key is referred to as the Wrapping Key (WK) in the EP11 documentation.) A master key is composed of at least two parts. Each key part is normally owned by a different person to enhance security.

Master key types

The master key is stored within the HSM. IBM HSMs support two types of cryptographic mechanisms:

The PKCS#11 mechanism, called IBM Enterprise PKCS #11 (EP11), creates a high-security solution for application programs developed for this industry-standard API.

The IBM Common Cryptographic Architecture (CCA) mechanism provides many functions of special interest in the finance industry, extensive support for distributed key management, and a base on which custom processing and cryptographic functions can be added.

Depending on the cryptographic mechanisms that the HSM supports and the key objects that are encrypted by the master key, the following types of master keys are available:

EP11 HSMs

EP11 symmetric master key: used to encipher all kinds of sensitive materials, including secret key objects and intermediate state information containing secret key materials.

CCA HSMs

SYM master key: used to encipher DES symmetric key objects.
ASYM master key: used to encipher PKA-RSA asymmetric key objects.
AES master key: used to encipher AES and HMAC symmetric key objects.
APKA master key: used to encipher PKA-ECC asymmetric key objects.

HSM key ceremony types

On-premise HSM Key Ceremony

For IBM Z and LinuxONE systems, the HSMs are used to perform cryptographic operations. The HSM has 85 domains, with each having its own set of master keys. Before using the system, the HSM Key Ceremony must be conducted to load the master key securely and properly. For EP11 HSMs, the master key parts are stored on smart cards and loaded to the HSM with the Trusted Key Entry (TKE) workstation. For CCA HSMs, the master key parts can be stored either on smart cards or in files on the TKE workstation.

Cloud HSM Key Ceremony

EP11 HSM is currently the only type of HSM that supports Key Ceremony in the cloud. Both the cloud command-line interface (CLI) and smart cards are provided to load the master key parts to the cloud HSM. IBM Cloud Hyper Protect Crypto Services is presently the only key management service and cloud HSM in the cloud to provide HSM key ceremony through both CLI and smart cards.

Master key part storage

Depending on the key ceremony types, the master key parts can be stored either on smart cards or in files on the workstation.

Smart cards are protected by a personal identification number (PIN) that must be entered on a smart card reader pad. Each master key part owner has one smart card, and only the owner knows its PIN. This solution ensures that the master key parts never appear in the clear outside the smart cards.

Compared with the smart card solution, the workstation solution does not require the procurement of smart card readers and smart cards. This solution uses workstation files encrypted with keys derived from a file password to store master key parts. When the keys are used, file content is decrypted and appears temporarily in the clear in workstation memory.

In blockchain technology

A key ceremony can be used to generate the private key for a cryptocurrency wallet. For Multiparty Computation (MPC), key ceremonies are used to split parts of keys to participants securely. It is also used in Zero-Knowledge Proofs (zKP) protocols for key generation.

See also

Certificate authority
Public-key cryptography
