Oracle® Key Manager 3 Administration Guide
Release 3.0
E41579-02
Glossary

Abnormal end of task (abend)

A software or hardware problem that terminates a computer processing task.

Advanced Encryption Standard (AES)

A FIPS-approved NIST cryptographic standard used to protect electronic data.

AES

See Advanced Encryption Standard.

Agent

Various types of encryption agents can be created to interact with the OKM for creating and obtaining keying material. The StorageTek T10000 models A and B, T9840D, and the HP LTO Gen 4 and Gen 5 tape drives are types of encryption agents when enabled for encrypting.

Agent API

See Agent Library API.

Agent Library

The Agent Library is used by an Agent to retrieve key material from an OKM.

Agent Library API

The API provided by the Agent Library. Agents call this API.

Audit

See Audit Log.

Audit Log

The OKM Cluster maintains a log of all auditable events occurring throughout the system. Agents may contribute entries to this log for auditable events.

Auditor

A user role that can view system audit trails (Audit List events and KMA security parameters).

Autonomous Lock

When autonomous unlock is enabled, a quorum of Security Officers is required to unlock a locked KMA. When disabled, the KMA can be unlocked by any Security Officer.

Backup File

The file created during the backup process that contains all the information needed to restore a KMA. It is encrypted with a key generated specifically for the backup; that key is contained in the corresponding backup key file.

Backup Key File

A file generated during the backup process containing the key used to encrypt the backup file. This file is encrypted using the system master key. The master key is extracted from the core security backup file using a quorum of the Key Split Credentials.

Backup Operator

A user role that is responsible for securing and storing data and keys.

BOT

Beginning of Tape.

CA

See Certificate Authority (CA).

Certificate

A Certificate is a digitally-signed document that serves to validate the holder's authorization and name. The document consists of a specially formatted block of data that contains the name of the certificate holder (Subject DN), a serial number, validity dates, holder's public key, Issuer's DN, and the digital signature of the Issuer for authentication. The Issuer attests that the holder's name is the one associated with the public key in the document.

Certificate Authority (CA)

A Certificate Authority registers end-users, issues their certificates, and can also create CAs below them. The KMAs themselves act as the certificate authority to issue certificates to users, agents, and other KMAs.

Cluster

A Cluster is a set of Key Management Appliances that are grouped together into a single system to enhance fault tolerance, availability, and scalability.

Communications key

Adds another layer of encryption and authentication during transmission over a LAN from the token to the drive.

Compliance Officer

A user role that manages the flow of data through your organization and can define and deploy data contexts (Key Groups) and rules that determine how data is protected and ultimately destroyed (Key Policies).

Critical Security Parameter

Security-related information (for example, secret and private cryptographic keys, and authentication data such as passwords and PINs) whose disclosure or modification can compromise the security of a cryptographic module.

Crypto-Accelerator

A Crypto-Accelerator is a hardware device (a card) that can be used to increase the rate of data encryption/decryption, thereby improving system performance in high demand conditions.

Crypto-active

An encryption-capable tape drive that has had the encryption feature turned on in the drive.

Crypto-ready

A tape drive that has the ability to turn on device encryption and become encryption-capable.

Cryptography

The art of protecting information by transforming it (encrypting) into an unreadable format, called cipher text. Only those who possess a special key can decipher (decrypt) the message into its original form.

Cryptoperiods

The length of time during which a key can be used for encryption. It starts when the key is first assigned to the drive. This value corresponds to the "Originator Usage Period" in NIST 800-57.

Data Unit

Data units are abstract entities within the OKM that represent storage objects associated with OKM policies and encryption keys. The concrete definition of a data unit is defined by the Encryption Agent that creates it. For tape drives, a data unit is a tape cartridge.

Device key

Enables the tape drive for encryption. KMS Version 1.x term.

EKT

Enabling key token (device keys). KMS Version 1.x term.

Enable key

Unique 64 character key used to enable the tape drive. See also PC Key.

Encryption

The translation of data into a secret code. Encryption is one of the most effective ways to achieve data security. To read an encrypted file, you must have access to a special key or password that enables you to decipher it.

FIPS

Federal Information Processing Standards. The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration and Laboratories, which develops and promotes standards and technology, including:

  • Computer Security Division and Resource Center (CSRC)

  • Federal Information Processing Standards (FIPS)

For more information visit:

http://www.nist.gov/

GUI

Graphical User Interface.

Hash Message Authentication Code (HMAC)

In cryptography, a keyed-Hash Message Authentication Code, or HMAC, is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key.

Internet Protocol (IP)

A protocol used to route data from its source to its destination in an Internet environment.

Internet Protocol (IP) address

A four-byte value that identifies a device and makes it accessible through a network. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be from 0 to 255. For example, 10.172.145.23 could be an IP address.

Also known as TCP/IP address.

Key

A key in this context is a symmetric data encryption key. Agents can request new key material for encrypting data corresponding to one or more Data Units. A key belongs to a single Key Group so that only Agents associated with the Key Group can access the key. Keys have encryption and decryption cryptoperiods that are dictated by the Key Policy associated with the Key Group of the particular key. The type of key (that is, its length and algorithm) is specified by the Encryption Agent.

Keys

A random string of bits generated by the Oracle Key Manager, entered from the keyboard or purchased. Types of keys include:

  • Device keys enable the tape drive encryption feature.

  • Media keys encrypt and decrypt customer data on a tape cartridge.

  • PC Keys enable the tape drive for encryption.

  • Communication key adds another layer of encryption (authentication) to the media key during transmission over the LAN from the token to the drive.

  • Split keys are unique to each drive and work with the wrap key for protection.

  • Wrap keys encrypt the media key on the LAN and the token.

Key Group

Key Groups are used for organizing keys and associating them with a Key Policy. Key Groups are also used to enforce access to the key material by the Encryption Agents.

Key Management Appliance (KMA)

A Netra SPARC T4-1, Sun Fire X2100 M2, X2200 M2, or X4170 M2 server preloaded with the OKM software. The appliance delivers policy-based key management and key provisioning services.

Key Policy

A Key Policy provides settings for the cryptoperiods to be applied to keys. Each Key Group has a Key Policy, and a Key Policy may apply to zero or more Key Groups. The encryption and decryption cryptoperiods specified on the policy limit the usage of keys and trigger key life cycle events, such as the deactivation or destruction of keys.

Key Policies also control whether keys governed by the Key Policy can be exported to other Key Transfer Partners or imported from other Key Transfer Partners.

Key Transfer File

A file containing keys and associated data units (if defined) used to move key material from one OKM Cluster to another. Both parties to the transfer must configure a Key Transfer Partner for the other party to the exchange. The key transfer file is signed and encrypted to ensure both the privacy of the transferred information and its integrity.

Key Transfer Partner

The Key Transfer Partner is the recipient of keys being exported from one OKM to another.

KMA

See Key Management Appliance.

Media key

Encrypts and decrypts customer data on a tape cartridge.

network

An arrangement of nodes and branches that connects data processing devices to one another through software and hardware links to facilitate information interchange.

NIST

National Institute of Standards and Technology.

OKM

See Oracle Key Manager.

OKM Cluster

A set of one or more interconnected KMAs. All the KMAs in an OKM Cluster should have identical information. This is not the case only when an OKM is down, or when a newly created piece of information has not yet propagated through all KMAs in the OKM Cluster. An action taken on any KMA in the OKM Cluster eventually propagates to all KMAs in the OKM Cluster.

OKT

Operational key token (media keys). KMS Version 1.x term.

Operator

A user role responsible for managing the day-to-day operations of the system.

Oracle Key Manager (OKM)

A system providing key management. The Oracle system has an OKM component providing key management on behalf of encryption agents.

PC Key

Enables the tape drive to read and write in encrypted mode.

Quorum Member

A user role that views and approves pending quorum operations.

Read key

This is a media key that is used when reading data from a tape.

Rijndael algorithm

An algorithm selected by the U.S. National Institute of Standards and Technology (NIST) for the Advanced Encryption Standard (AES). Pronounced "rain-dahl," the algorithm was designed by two Belgian cryptologists, Vincent Rijmen and Joan Daemen, whose surnames are reflected in the cipher's name.

RSA

In cryptography, RSA is an algorithm for public-key cryptography created by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT. The letters RSA are the initials of their surnames.

Secure Hash Algorithms (SHA)

Secure Hash Algorithms are cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard.

Security Officer

A user role that manages security settings, users, sites, and Transfer Partners.

Security Policy

A rigorous statement of the sensitivity of organizational data, various subjects that can potentially access that data, and the rules under which that access is managed and controlled.

Shamir's Secret Sharing

An algorithm in cryptography in which a secret is divided into parts, each participant receiving its own unique part, and some or all of the parts are needed to reconstruct the secret. Requiring all participants to combine their parts might be impractical, so a quorum or threshold scheme is used instead.

Site

A site is an attribute of each OKM and Encryption Agent that indicates network proximity, or locality. Encryption Agents should try first to contact a KMA at the same site, then try to contact a KMA at a different site if no KMA at the local site responds.

System Dump

A user-invoked operation that results in all the relevant data being collected into a single file and then that file being downloaded to the machine from which the user invoked this operation. Once the download is complete, this file is deleted from the KMA.

T10000 tape drive

The T10000 tape drive is a small, modular, high-performance tape drive designed for high-capacity storage of data. T10000A stores up to 500 gigabytes (GB) of uncompressed data, T10000B 1 terabyte, T10000C 5 terabytes, and T10000D 8 terabytes.

TDE

See Transparent Data Encryption (TDE).

Token

KMS Version 1.x term.

Tokens are handheld, intelligent devices that connect to a token bay with an Ethernet connection. The two roles of the tokens are:

  • Enabling key token

  • Operational key token

Token bay

KMS Version 1.x term.

A chassis that houses the physical tokens and provides power and connectivity for one or two tokens through the rear blind-mating connector. The token bay is compatible with a standard 19-inch rack—a 1U form factor. The token bay comes in two styles: desktop and rack-mount.

Transparent Data Encryption (TDE)

A feature of Oracle database management systems that provides the services for encrypting and decrypting sensitive database information.

Transport Layer Security (TLS)

A cryptographic protocol that provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.

UID

A string that serves as a unique identifier for an OKM entity, e.g. an encryption agent or user.

Ultra Tape Drive Encryption Agent

Ultra-compliant encrypting tape drives utilize Ultra Tape Drive Encryption Agent software for key management. These drives acquire key material from the OKM to be used with tape volumes. Each write from BOT results in fresh key material being used for encryption of data on the volume. Consequently, the definition of a data unit maps to a tape volume, where the external ID of the data unit is the volume serial number.

UTC

Coordinated Universal Time.

Volume Serial Number

A six-character alphanumeric label used to identify a tape volume.

Wrap key

Encrypts the media keys on the LAN and on the token.

Write key

This is a media key that is used when writing data to a tape.

Zeroize

To erase electronically stored data, cryptographic keys, and Critical Security Parameters by altering or deleting the contents of the data storage to prevent recovery of the data.