5.2.5. OCS protection
OCSs provide the tightest control over application key usage. Token-protected keys use
physical tokens in the form of smart cards (ISO 7816 compliant). These belong to a
specific Security World, and only an HSM within the Security World to which the OCS
belongs can read, erase or format the OCS. There is no limit to the number of OCSs that
you can create within a Security World. OCSs can be created and deleted at any time.
5.2.5.1. Creating and maintaining a quorum
Each card set consists of a number of smart cards, N, of which a smaller number, K, is
required to authorize an action. The required number K is known as the quorum. Each
card in an OCS stores only a fragment of the OCS keys. You can only re-create these keys
if you have access to enough of their fragments. Because cards sometimes fail or are lost,
the number of fragments required to re-create the key (K) should be less than the total
number of fragments (N).
To make a robustly secure OCS, it is recommended that the value of K is relatively large
and the value of N is less than twice that of K (for example, K/N values of 3/5 or 5/9).
The customer security procedures should determine the values of K and N, based on a
threat analysis of the protected data.
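The K-of-N behaviour described above, shown with a Shamir secret-sharing stand-in (an added example, not nShield code; the manual does not document the actual fragment format on the cards). The prime P and the secret values are constructed for the demonstration; K fragments recover the key, K-1 do not.

```python
# Added illustration of a K-of-N quorum using Shamir secret sharing over a
# prime field. The real OCS fragment encoding is not described on this page;
# this stand-in only shows why K cards suffice and K-1 cards are not enough.
import secrets

P = 2**127 - 1  # field modulus (constructed choice for the example)


def _eval_poly(coeffs, x):
    """Evaluate the polynomial given by coeffs at x, modulo P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def policy_ok(k, n):
    """The manual's recommendation: K <= N and N less than twice K."""
    return 1 <= k <= n < 2 * k


def split_secret(secret, k, n):
    """Split `secret` into N fragments (one per card); any K reconstruct it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= K <= N")
    # constant term is the secret; the other K-1 coefficients are random
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 from the supplied (x, y) fragments."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def quorum_demo(k=3, n=5):
    """Return (K fragments recover?, K-1 fragments recover?) for a random key."""
    secret = secrets.randbelow(P)
    shares = split_secret(secret, k, n)
    with_quorum = recover_secret(shares[:k]) == secret
    below_quorum = recover_secret(shares[:k - 1]) == secret  # wrong value
    return with_quorum, below_quorum
```

Losing N-K cards (two of five in the 3/5 case) still leaves a working quorum, which is the reason the text asks for K to be less than N.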
The customer security procedures should identify the role holders for the different cards.
Roles should be assigned based on area of responsibility.
The customer's security policy should determine whether pass phrases are required
for the cards. Pass phrases provide an additional barrier to an attacker. This requirement
may be necessary based on the value of the data protected and the security around the
storage location of the cards. A timing delay feature is applied to password retries to add
further protection.
The customer's security policy should determine whether persistent or non-persistent
(default) mode is required and whether a time-out is required. See Persistence and
non-persistence for OCS for guidance on this option. Once set at creation, the mode cannot
be changed.
The customer's security procedures should determine whether OCS can be recovered if
lost to a new OCS. This is enabled by default during Security World recreation.
The customer's security procedures should determine whether OCS pass phrases can be
replaced if lost. This is disabled by default during Security World recreation.
Lost or damaged cards should be replaced as soon as you discover the loss or damage, to
prevent a situation where a quorum of cards is not available to authorize operations.
nShield® Security Manual
35 of 90