Key Management Details

| Topic | Description |
|---|---|
| Keys | Tricryption uses centrally generated, controlled and securely stored symmetric keys. Keys for AES (128, 192 and 256), 3DES, Blowfish and customer-proprietary algorithms can be managed concurrently. Symmetric keys are protected by a four-tier key hierarchy and stored in relational databases that can be backed up through standard failover and other procedures. Keys are stored encrypted, both in the key database and in its backups. Only copies of keys are sent to encryption clients, for authenticated and authorized session use, after which the copies are destroyed ('zeroized'). From key creation and storage through to encryption client session use, keys are always protected within FIPS-accredited crypto modules and secure communication links. |
| Key Identification | A Key ID pointer is created and assigned to each unique key and stored with that key in the key database. When a key copy has to be sent to a Tricryption client for cryptographic operations, the associated encrypted key identifier is sent with it and becomes a 'Hidden Link' to the key. The Hidden Link is appended to the encrypted file or data, so the key can be associated with that data again when a future encryption session requires it. Hidden Links let clients reference keys on the key server securely, without the risk that unauthorized users or administrators can associate the link with the key. |
| Access Control List | Each key in the Tricryption system is assigned an Access Control List (ACL) that lets the encrypting originator select the groups, individuals, systems and conditions allowed to access the key, and therefore the encrypted information. The originator of the encrypted files or data owns the ACL and may manage it, or delegate its management to another party, by means of a template. The ACL can be modified dynamically, so users are added or revoked immediately as the use environment changes. Access can be granted to entities (groups, individuals and systems) and conditioned on accessibility factors such as time/date, location and number of opens. |
| Secure Communications | Communications between the Key Server and its clients are secured with OpenSSL, supporting Elliptic Curve Cryptography Transport Layer Security (ECC-TLS). The Key Server communicates with clients either over a TCP/IP network or through internal system communications when co-located on the same compute platform. Secure communications are enabled only after the authentication and authorization steps are satisfied. Network load is low: packet counts are generally under 15 packets (including TLS overhead) for a key request and send transmission. |
| Logs | All key actions are logged by the Key Server and stored either in a partitioned element of the key database or in a separate logging database. Key logging data is available to both reporting and dynamic monitoring functions. Key logs can be queried periodically and converted into tailorable reports, either by the built-in report capability or by user-tailored reporting tools such as Crystal Reports. Dynamic key logging information can be sent securely to industry-standard security console systems such as IBM Tivoli through a standard API. |
| Scaling & Federation | Tricryption key management scales and federates to allow high availability and optimized operation on decentralized architectures. Scaling for high-availability operations: the key management software scales horizontally with simple load-balancer functionality. Tricryption key servers are stateless; all state is held in the key database, so multiple key servers can point to a single key database. The key database runs on most standard relational databases (RDB), which in turn scale through standard failover, mirroring and other procedures. Federation through trust relationships: federating key servers, each supporting a different enclave or group of encryption clients, lets the Tricryption key management solution support multiple Communities of Interest (CoI) simply and effectively. This is particularly essential where geographic separation, enterprise segmentation or multiple information access levels are required. Key servers support certificate-based one-way or two-way trust relationships to allow multi-access-level architectures. |
| Key Import & Export | When keys need to be imported from or exported to a system outside the network or the Tricryption software installation base, the Key Server can send keys secured by asymmetric-key (Public Key Infrastructure, PKI) cryptography. This supports cross-domain exchange of encrypted files or data over common infrastructure. In support of this capability, the Tricryption system can also import certificates (CAs), allowing it to integrate seamlessly into existing certificate management procedures. |
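The Hidden Link and ACL rows above describe a key server that hands out an opaque, encrypted key identifier with each key copy and releases a key only when the requester satisfies the key's ACL. The following toy server, added here as an illustration and not Tricryption's own code, models both: the Hidden Link is an encrypt-then-MAC of the Key ID under a server-only secret (an HMAC keystream stands in for a real cipher so the block needs no third-party library), and `request_key` checks principal/group membership, a time window and a maximum number of opens before releasing a copy. The ACL field names, the 48-byte link layout and unix-second timestamps are assumptions of this example.

```python
import hashlib, hmac, secrets


class KeyServer:
    """Toy key server: keys are referenced by Hidden Links and released only after an ACL check."""

    def __init__(self):
        self._link_secret = secrets.token_bytes(32)  # server-only secret protecting Hidden Links
        self._keys = {}    # key_id -> (key material, ACL)
        self._opens = {}   # key_id -> number of key copies released so far

    def create_key(self, acl, size=32):
        """Generate a key centrally, store it with its ACL and return a Hidden Link for it."""
        key_id = secrets.token_bytes(16)
        self._keys[key_id] = (secrets.token_bytes(size), acl)
        self._opens[key_id] = 0
        return self.hidden_link(key_id)

    def hidden_link(self, key_id):
        """Encrypt-then-MAC the Key ID so the link is opaque without the server secret.
        The HMAC-derived keystream stands in for a real cipher such as AES (assumption)."""
        nonce = secrets.token_bytes(16)
        pad = hmac.new(self._link_secret, b"enc" + nonce, hashlib.sha256).digest()[:16]
        body = nonce + bytes(a ^ b for a, b in zip(key_id, pad))
        tag = hmac.new(self._link_secret, b"mac" + body, hashlib.sha256).digest()[:16]
        return body + tag  # 16-byte nonce || 16-byte encrypted Key ID || 16-byte tag

    def _resolve(self, link):
        """Verify the tag before decrypting, so a forged or damaged link is rejected outright."""
        body, tag = link[:32], link[32:]
        expected = hmac.new(self._link_secret, b"mac" + body, hashlib.sha256).digest()[:16]
        if len(link) != 48 or not hmac.compare_digest(tag, expected):
            raise ValueError("invalid Hidden Link")
        nonce, ct = body[:16], body[16:]
        pad = hmac.new(self._link_secret, b"enc" + nonce, hashlib.sha256).digest()[:16]
        return bytes(a ^ b for a, b in zip(ct, pad))

    def request_key(self, link, principal, groups, now):
        """Release a key copy only if the principal satisfies the key's ACL at time `now` (unix seconds)."""
        key_id = self._resolve(link)
        key, acl = self._keys[key_id]
        if principal not in acl["users"] and not set(groups) & set(acl["groups"]):
            raise PermissionError("principal not on ACL")
        if not acl["not_before"] <= now <= acl["not_after"]:
            raise PermissionError("outside permitted time window")
        if self._opens[key_id] >= acl["max_opens"]:
            raise PermissionError("open limit reached")
        self._opens[key_id] += 1
        return bytearray(key)  # a mutable copy so the client can zeroize it when the session ends
```

Each call to `hidden_link` produces a different link for the same key (fresh nonce), so two files encrypted under one key carry links that cannot be matched to each other or to the Key ID by anyone without the server secret.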
Key Database: Supported Relational Databases (RDB)

Transparent Key Management: Supported Operating Environments

Tricryption KeyServer:

- XP, 2003, 2000
- Kernel 2.6, RHE4, SLES 10 (X86, Itanium II)
- Solaris 9, Solaris 10 (Sparc, X86)
- 5.x X86, 6 Beta
- 11i (X86, Itanium II)