Application Keys - Entrust nShield Security Manual

when the user supplies the final required pass phrase. After an OCS has timed out, it is
not loadable by another application unless it is removed and reinserted. Time-outs
operate independently of OCS persistence.
You can manually remove all keys protected by persistent cards by clearing the HSM. For
example, you could do any one of the following:
1. Run the command:
nopclearfail --clear --all
2. Press the Clear button on the HSM.
3. Turn off power to the HSM.
A persistent OCS with no timeout is suitable for a web server. However, whether this option
is acceptable depends on how well the running application itself is secured: anyone who
gains unauthorized access to the application can use the key for as long as it remains loaded.
A non-persistent OCS with no time-out, or with a short time-out, is suitable for a root
Certificate Authority. It provides complete control over key availability: the key is unloaded
when the card is removed from the card reader, and it becomes unavailable after the assigned
time-out if the card has been left in the card reader by mistake.
A threat analysis should determine which configuration of persistence/non-
persistence/time-out/no time-out is appropriate for the various sets of keys protected by
OCSs.
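The interplay of persistence and time-outs is easy to get wrong, so the following is an added illustration (not Entrust code and not nShield's implementation) that models the three rules stated above: a non-persistent OCS is unloaded when its card is removed, a persistent one is not, and a time-out unloads the OCS regardless of persistence, after which the card must be removed and reinserted before the OCS can be loaded again. The class names, the integer-seconds clock and the scenario values (a web-server OCS and a root-CA OCS) are assumptions made for the example.

```python
"""Toy model of the OCS loading rules described in the manual section above.

Added example, not Entrust code: it models the behaviour the text describes
(persistence vs. time-out vs. remove-and-reinsert), nothing more.  Time is a
plain integer in seconds supplied by the caller, so the model runs offline.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class OCSPolicy:
    persistent: bool          # True: OCS stays loaded after card removal
    timeout: Optional[int]    # seconds after loading; None means no time-out


@dataclass
class OCSState:
    policy: OCSPolicy
    card_inserted: bool = False
    loaded: bool = False
    loaded_at: Optional[int] = None
    timed_out: bool = False   # cleared only by removing and reinserting the card

    def insert_card(self) -> None:
        self.card_inserted = True
        self.timed_out = False        # reinsertion makes the OCS loadable again

    def remove_card(self) -> None:
        self.card_inserted = False
        if not self.policy.persistent:
            self._unload()            # non-persistent: key goes away with the card

    def load(self, now: int) -> None:
        """Application supplies the final required pass phrase at time `now`."""
        if not self.card_inserted:
            raise PermissionError("card not present")
        if self.timed_out:
            raise PermissionError("OCS timed out; remove and reinsert the card")
        self.loaded = True
        self.loaded_at = now

    def tick(self, now: int) -> None:
        """Apply the time-out rule; it runs independently of persistence."""
        if (self.loaded and self.policy.timeout is not None
                and now - self.loaded_at >= self.policy.timeout):
            self._unload()
            self.timed_out = True

    def key_available(self, now: int) -> bool:
        """Can an application use a key protected by this OCS at time `now`?"""
        self.tick(now)
        return self.loaded

    def clear_hsm(self) -> None:
        """Models nopclearfail --clear, the Clear button, or a power cycle."""
        self._unload()

    def _unload(self) -> None:
        self.loaded = False
        self.loaded_at = None


def try_load(state: OCSState, now: int) -> bool:
    """True if the OCS could be loaded at `now`, False if the HSM refuses."""
    try:
        state.load(now)
        return True
    except PermissionError:
        return False


def web_server_scenario() -> bool:
    """Persistent, no time-out: the key survives card removal (assumed values)."""
    ocs = OCSState(OCSPolicy(persistent=True, timeout=None))
    ocs.insert_card()
    ocs.load(0)
    ocs.remove_card()
    return ocs.key_available(10_000)      # still loaded long after removal


def root_ca_scenario() -> dict:
    """Non-persistent, 60 s time-out (assumed values): tight control of availability."""
    ocs = OCSState(OCSPolicy(persistent=False, timeout=60))
    ocs.insert_card()
    ocs.load(0)
    before = ocs.key_available(30)         # within the time-out: usable
    after = ocs.key_available(60)          # card left in: unloaded by time-out
    reload_without_reinsert = try_load(ocs, 61)   # refused until reinsertion
    ocs.remove_card()
    ocs.insert_card()
    reload_after_reinsert = try_load(ocs, 62)
    return {"before": before, "after": after,
            "reload_without_reinsert": reload_without_reinsert,
            "reload_after_reinsert": reload_after_reinsert}


if __name__ == "__main__":
    print("web server key usable after card removal:", web_server_scenario())
    print("root CA scenario:", root_ca_scenario())
```

Run it to see the two configurations side by side; the root-CA case shows that after a time-out the card must physically leave and re-enter the reader before the key can be loaded again, which is exactly what makes that setting unsuitable for an unattended web server and appropriate for a ceremony-driven CA.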
5.2.5.4. Application independence
Although keys belong to specific client applications performing different functions (possibly
with different sensitivities), OCSs do not: the same OCS can protect keys for several
applications. However, you must not use one OCS to protect the keys of many different
applications, because a compromise of that OCS would compromise every application key it
protects. Assigning a separate OCS to each application mitigates this threat. Additionally,
assigning more than one OCS to an application key helps maintain operation if one of those
OCSs is compromised and has to be withdrawn.

5.3. Application keys

When you generate an nShield key (or create it from imported key material), that key is
associated with an Access Control List (ACL). This ACL prevents the key from being used
for operations for which it is unsuited, and can enforce requirements that certain tokens
be presented, before the key can be accessed. For example, the ACL can specify that a
key can only be used for signing, with a specific signing mechanism/algorithm. Your
nShield® Security Manual
37 of 90

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the nShield and is the answer not in the manual?

Questions and answers

Table of Contents