User's Guide: Group Cryptographic Policy

Introduction

The Fortanix Data Security Manager (DSM) supports cryptographic policies that can be set on accounts or groups to restrict the kinds of keys that can be created and the operations permitted on them. Policies are specified at the Account or Group level.

Fortanix Data Security Manager Cryptographic Policy Structure

Allowed Keys

By default, all types of keys are selected for the policy: AES, DES, DES3, DSA, RSA, EC, HMAC, SECRET, CERTIFICATE, and OPAQUE.

Key Sizes

The key sizes allowed for any given key are:

  • AES: 128, 192, or 256 bits
  • DES3: 168 bits or 112 bits (for 2-key triple DES)
  • DES: 56 bits only
  • DSA: 2048 bits (subgroup size: 224, 256 bits) or 3072 bits (subgroup size: 256 bits)
  • RSA: minimum 1024 to 8192 bits
  • HMAC: minimum 112 to 8192 bits
  • EC: Choose any of the following curves: SecP192K1, SecP224K1, SecP256K1, NistP192, NistP224, NistP256, NistP384, NistP521, Gost256A, X25519, Ed25519

Key Operations

The default key operations allowed for any given key are:

  • AES/DES3: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE
  • DSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT
  • RSA: SIGN, VERIFY, ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, APPMANAGEABLE
  • EC: SIGN, VERIFY, APPMANAGEABLE, AGREEKEY
  • DES: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, APPMANAGEABLE
  • HMAC: DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE

When setting a Cryptographic Policy, a user can restrict which of the above key operations are allowed in an account or group. By default, all operations are allowed.

Create / Edit a Cryptographic Policy

Create a Group Level Cryptographic Policy

A group-level cryptographic policy restricts what types of security objects can be added to the group and defines restrictions for other key parameters – size, curve, padding, and key permissions.

The groups that have a cryptographic policy set will be marked with an icon in the group’s table view.

Figure 12: Group Having a Cryptographic Policy

To add a cryptographic policy at the group level:

  1. Create a new group or open an existing group.
    Figure 13: Create New / Open Existing Group
  2. In the INFO tab in the group detailed view, click ADD POLICY in the cryptographic policy section.
    Figure 14: Add Cryptographic Policy for Group
  3. Select the key types that you want to allow for this group.
    Figure 15: Select Allowed Key Types
  4. Select the allowed key size(s) for the keys.
    Figure 16: Select Allowed Key Size
  5. To handle existing non-compliant keys, refer to the section Policy Enforcement.
  6. Select the permitted key operations that will be allowed for the keys.
  7. To enable audit logs for the objects in the group, enable the toggle for Keep detailed log for the object. The initial state of the toggle is based on the parent cryptographic policy, if any.
    Figure 17: Key operations and audit log
  8. Click SAVE POLICY.
NOTE
  1. If a cryptographic policy was set at the account level before the group level, then the account level cryptographic policy takes precedence over a group level cryptographic policy.
  2. A cryptographic policy set at the account level can be narrowed for each group in the account to further restrict Security Object parameters.
    Figure 18: Account policy pre-applied

In this example, some of the key types and key operations are unavailable when creating a cryptographic policy at the group level. This is because an account-level cryptographic policy was applied before the group-level policy.

If a group already contains keys that are not compliant with the Cryptographic policy being added, an error message is displayed in the policy section as seen below.
Figure 19: Error Message for Non-Compliance

There is also an indication next to the group name in the table view of the Groups page as seen below.
Figure 20: Error Message for Non-Compliance

Edit / Delete a Group Level Cryptographic Policy

To edit or delete a group level cryptographic policy:

  1. Go to the detailed view of a group.
  2. In the INFO tab, under the Cryptographic policy section, click the EDIT POLICY button.
    Figure 21: Edit group cryptographic policy
  3. Click the DELETE POLICY button to delete the cryptographic policy.
    Figure 22: Delete group cryptographic policy
    NOTE

    If an account-level cryptographic policy was set, then the account cryptographic policy rules will still be applicable for the group, even after deleting the group cryptographic policy.

Policy Enforcement

  • All new keys will be allowed/denied based on the cryptographic policy rules.

  • Any existing keys that are not compliant with the policy will still exist in the group. However, these keys will be marked separately as policy-violating keys. For these keys the following conditions are applicable:
    • Cryptographic operations that are classified as “protect operations” will not be allowed, for example Sign, Encrypt, WrapKey, DeriveKey, MacGenerate, and AgreeKey.
    • Cryptographic operations that are classified as “process operations” will still be allowed, for example Verify, Decrypt, UnwrapKey, and MacVerify.

If a group contains keys that are not compliant with the policy being added, an error message is displayed and you must choose how those keys are handled: they can be forbidden, grandfathered (accepted), or partially grandfathered (limited in usage). When a cryptographic policy is created at the account or group level, three options are provided to handle non-compliant keys. These options, also described in the section Handling existing non-compliant keys, are:

Figure 23: Handling Non-Compliant Keys

  1. Forbid to use: Forbid any use of non-compliant objects. If this option is selected, you are forbidden from using the non-compliant keys for any operation.
  2. Accept: Accept non-compliant objects even though they violate the current policy. If this option is selected, you may continue to use existing non-compliant keys, but you may not generate or import new non-compliant objects.
  3. Limit usage: Restrict non-compliant objects so that they may only be used for “process operations” such as Decrypt, Unwrap, Verify, and MacVerify operations. The “protect operations” such as Encrypt, Wrap, Sign, and Mac are forbidden.
NOTE
If the non-compliance setting of the account-level Cryptographic policy differs from that of the group-level Cryptographic policy, then the more restrictive setting is applied to the existing keys.
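To make the policy structure (allowed key types, sizes and operations) and the enforcement rules above concrete, here is an added Python model of how a group policy narrows an account policy, how new keys are judged, and how the three non-compliance options decide whether an operation on an existing key is allowed. This is illustrative code written for this guide, not Fortanix code or the DSM API; the policy contents and key parameters in the sample are constructed.

```python
from dataclasses import dataclass

# "protect" operations produce ciphertext, signatures or MACs; "process" ones consume them.
PROTECT_OPS = {"SIGN", "ENCRYPT", "WRAPKEY", "DERIVEKEY", "MACGENERATE", "AGREEKEY"}
PROCESS_OPS = {"VERIFY", "DECRYPT", "UNWRAPKEY", "MACVERIFY"}
# Non-compliant-key handling options, ordered least to most restrictive.
MODES = ("ACCEPT", "LIMIT_USAGE", "FORBID")

@dataclass
class CryptoPolicy:
    allowed: dict                  # key type -> (allowed sizes in bits, allowed ops)
    noncompliant_mode: str = "FORBID"
    def is_compliant(self, key_type, size, key_ops):
        rule = self.allowed.get(key_type)
        return rule is not None and size in rule[0] and key_ops <= rule[1]

def effective_policy(account, group):
    """A group policy only narrows the account policy: intersect types, sizes
    and operations, and keep the more restrictive handling mode."""
    if account is None or group is None:
        return account or group
    allowed = {}
    for key_type, (sizes, ops) in group.allowed.items():
        if key_type in account.allowed:
            acct_sizes, acct_ops = account.allowed[key_type]
            allowed[key_type] = (sizes & acct_sizes, ops & acct_ops)
    mode = max(account.noncompliant_mode, group.noncompliant_mode, key=MODES.index)
    return CryptoPolicy(allowed, mode)

def creation_allowed(policy, key_type, size, key_ops):
    """New keys are always judged against the policy rules; the handling mode
    applies only to keys that existed before the policy was set."""
    return policy.is_compliant(key_type, size, key_ops)

def operation_allowed(policy, key_type, size, key_ops, op):
    """Decide whether `op` may run on an existing key under `policy`."""
    if op not in key_ops:
        return False
    if policy.is_compliant(key_type, size, key_ops) or policy.noncompliant_mode == "ACCEPT":
        return True
    if policy.noncompliant_mode == "LIMIT_USAGE":
        return op in PROCESS_OPS
    return False  # FORBID: no use of non-compliant keys at all

# Constructed sample policies (not from the guide): the account permits AES and
# RSA; the group narrows AES, omits RSA and picks a stricter handling mode.
ACCOUNT_POLICY = CryptoPolicy({"AES": ({128, 256}, {"ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY"}),
                               "RSA": ({2048, 3072, 4096}, {"SIGN", "VERIFY"})}, "ACCEPT")
GROUP_POLICY = CryptoPolicy({"AES": ({256}, {"ENCRYPT", "DECRYPT"})}, "LIMIT_USAGE")
```

With these samples, an existing AES-128 key in the group can still Decrypt but no longer Encrypt, and a new AES-128 key cannot be created at all.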
