Abnormal end of task (abend)
A software or hardware problem that terminates a computer processing task.
Advanced Encryption Standard (AES)
A FIPS-approved NIST cryptographic standard used to protect electronic data.
Agent
Various types of encryption agents can be created to interact with the OKM for creating and obtaining keying material. The StorageTek T10000 models A and B, T9840D, and the HP LTO Gen 4 and Gen 5 tape drives are types of encryption agents when enabled for encrypting.
Audit Log
The OKM Cluster maintains a log of all auditable events occurring throughout the system. Agents may contribute entries to this log for auditable events.
Auditor
A user role that can view system audit trails (Audit List events and KMA security parameters).
Autonomous Lock
When autonomous unlock is enabled, a quorum of Security Officers is required to unlock a locked KMA. When disabled, the KMA can be unlocked by any Security Officer.
Backup File
The file created during the backup process that contains all the information needed to restore a KMA. Encrypted with a key generated specifically for the backup. The key is contained in the corresponding backup key file.
Backup Key File
A file generated during the backup process containing the key used to encrypt the backup file. This file is encrypted using the system master key. The master key is extracted from the core security backup file using a quorum of the Key Split Credentials.
Certificate
A Certificate is a digitally-signed document that serves to validate the holder's authorization and name. The document consists of a specially formatted block of data that contains the name of the certificate holder (Subject DN), a serial number, validity dates, holder's public key, Issuer's DN, and the digital signature of the Issuer for authentication. The Issuer attests that the holder's name is the one associated with the public key in the document.
Certificate Authority (CA)
A Certificate Authority registers end-users, issues their certificates, and can also create CAs below them. The KMAs themselves act as the certificate authority to issue certificates to users, agents, and other KMAs.
Cluster
A Cluster is a set of Key Management Appliances that are grouped together into a single system to enhance fault tolerance, availability, and scalability.
Communications key
Adds another layer of encryption and authentication during transmission over a LAN from the token to the drive.
Compliance Officer
A user role that manages the flow of data through your organization and can define and deploy data contexts (Key Groups) and rules that determine how data is protected and ultimately destroyed (Key Policies).
Critical Security Parameter
Security-related information (for example, secret and private cryptographic keys, and authentication data such as passwords and PINs) whose disclosure or modification can compromise the security of a cryptographic module.
Crypto-Accelerator
A Crypto-Accelerator is a hardware device (a card) that can be used to increase the rate of data encryption/decryption, thereby improving system performance in high demand conditions.
Crypto-active
An encryption-capable tape drive that has had the encryption feature turned on in the drive.
Crypto-ready
A tape drive that has the ability to turn on device encryption and become encryption-capable.
Cryptography
The art of protecting information by transforming it (encrypting) into an unreadable format, called cipher text. Only those who possess a special key can decipher (decrypt) the message into its original form.
Cryptoperiods
The length of time in which a key can be used for encryption. It starts when the key is first assigned to the drive. This value corresponds to the "Originator Usage Period" in NIST 800-57.
Data Unit
Data units are abstract entities within the OKM that represent storage objects associated with OKM policies and encryption keys. The concrete definition of a data unit is defined by the Encryption Agent that creates it. For tape drives, a data unit is a tape cartridge.
Encryption
The translation of data into a secret code. Encryption is one of the most effective ways to achieve data security. To read an encrypted file, you must have access to a special key or password that enables you to decipher it.
FIPS
Federal Information Processing Standards. The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration and Laboratories, which develops and promotes standards and technology, including:
Computer Security Division and Resource Center (CSRC)
Federal Information Processing Standards (FIPS)
For more information visit:
http://www.nist.gov/
Hash Message Authentication Code (HMAC)
In cryptography, a keyed-Hash Message Authentication Code, or HMAC, is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key.
Internet Protocol (IP)
A protocol used to route data from its source to its destination in an Internet environment.
Internet Protocol (IP) address
A four-byte value that identifies a device and makes it accessible through a network. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be from 0 to 255. For example, 10.172.145.23 could be an IP address.
Also known as TCP/IP address.
Key
A key in this context is a symmetric data encryption key. Agents can request new key material for encrypting data corresponding to one or more Data Units. A key belongs to a single Key Group so that only Agents associated with the Key Group can access the key. Keys have encryption and decryption cryptoperiods that are dictated by the Key Policy associated with the Key Group of the particular key. The type of key (that is, its length and algorithm) is specified by the Encryption Agent.
Keys
A random string of bits generated by the Oracle Key Manager, entered from the keyboard or purchased. Types of keys include:
Device keys enable the tape drive encryption feature.
Media keys encrypt and decrypt customer data on a tape cartridge.
PC Keys enable the tape drive for encryption.
Communication key adds another layer of encryption (authentication) to the media key during transmission over the LAN from the token to the drive.
Split keys are unique to each drive and work with the wrap key for protection.
Wrap keys encrypt the media key on the LAN and the token.
Key Group
Key Groups are used for organizing keys and associating them with a Key Policy. Key Groups are also used to enforce access to the key material by the Encryption Agents.
Key Management Appliance (KMA)
A Netra SPARC T4-1, Sun Fire X2100 M2, X2200 M2, or X4170 M2 server preloaded with the OKM software. The appliance delivers policy-based key management and key provisioning services.
Key Policy
A Key Policy provides settings for the cryptoperiods to be applied to keys. Each Key Group has a Key Policy, and a Key Policy may apply to zero or more Key Groups. The encryption and decryption cryptoperiods specified on the policy limit the usage of keys and trigger key life cycle events, such as the deactivation or destruction of keys.
Key Policies also control where keys governed by the Key Policy can be exported to other Key Transfer Partners or imported from other Key Transfer Partners.
Key Transfer File
A file containing keys and associated data units (if defined) used to move key material from one OKM Cluster to another. Both parties to the transfer must configure a Key Transfer Partner for the other party to the exchange. The key transfer file is signed and encrypted to ensure both the privacy of the transferred information and its integrity.
Key Transfer Partner
The Key Transfer Partner is the recipient of keys being exported from one OKM to another.
Network
An arrangement of nodes and branches that connects data processing devices to one another through software and hardware links to facilitate information interchange.
OKM Cluster
A set of one or more interconnected KMAs. All the KMAs in an OKM Cluster should have identical information. This is not the case only when an OKM is down, or when a newly created piece of information has not yet propagated through all KMAs in the OKM Cluster. An action taken on any KMA in the OKM Cluster eventually propagates to all KMAs in the OKM Cluster.
Oracle Key Manager (OKM)
A system providing key management. The Oracle system has an OKM component providing key management on behalf of encryption agents.
Rijndael algorithm
An algorithm selected by the U.S. National Institute of Standards and Technology (NIST) for the Advanced Encryption Standard (AES). Pronounced "rain-dahl," the algorithm was designed by two Belgian cryptologists, Vincent Rijmen and Joan Daemen, whose surnames are reflected in the cipher's name.
RSA
In cryptography, RSA is an algorithm for public-key cryptography created by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT. The letters RSA are the initials of their surnames.
Secure Hash Algorithms (SHA)
Secure Hash Algorithms are cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard.
Security Policy
A rigorous statement of the sensitivity of organizational data, various subjects that can potentially access that data, and the rules under which that access is managed and controlled.
Shamir's Secret Sharing
An algorithm in cryptography where a secret is divided into parts, giving each participant its own unique part, where some or all of the parts are needed in order to reconstruct the secret. Requiring all participants to combine their parts to recover the secret might be impractical, so a quorum or threshold scheme is used instead.
Site
A site is an attribute of each OKM and Encryption Agent that indicates network proximity, or locality. Encryption Agents should try first to contact a KMA at the same site, then try to contact a KMA at a different site if no KMA at the local site responds.
System Dump
A user-invoked operation that results in all the relevant data being collected into a single file and then that file being downloaded to the machine from which the user invoked this operation. Once the download is complete, this file is deleted from the KMA.
T10000 tape drive
The T10000 tape drive is a small, modular, high-performance tape drive designed for high-capacity storage of data. T10000A stores up to 500 gigabytes (GB) of uncompressed data, T10000B 1 terabyte, T10000C 5 terabytes, and T10000D 8 terabytes.
Token
KMS Version 1.x term.
Tokens are handheld, intelligent devices that connect to a token bay with an Ethernet connection. The two roles of the tokens are:
Enabling key token
Operational key token
Token bay
KMS Version 1.x term.
A chassis that houses the physical tokens and provides power and connectivity for one or two tokens through the rear blind-mating connector. The token bay is compatible with a standard 19-inch rack—a 1U form factor. The token bay comes in two styles: desktop and rack-mount.
Transparent Data Encryption (TDE)
A feature of Oracle database management systems that provides the services for encrypting and decrypting sensitive database information.
Transport Layer Security (TLS)
A cryptographic protocol that provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.
Ultra Tape Drive Encryption Agent
Ultra-compliant encrypting tape drives utilize Ultra Tape Drive Encryption Agent software for key management. These drives acquire key material from the OKM to be used with tape volumes. Each write from BOT results in fresh key material being used for encryption of data on the volume. Consequently, the definition of a data unit maps to a tape volume, where the external ID of the data unit is the volume serial number.