Entrust nShield Security Manual page 75

11.3.8. Compromised Key or Secret: nShield Connect KNETI
Compromise Type
Attacker has subverted nToken memory OR A brute force attack on KNETI file held in the
KMData folder.
Impact
KNETI is compromised and must not be used
Recovery Action
Remove the compromised Connect's data (IP address/ KNETI and H(KNETI)) from any
client hardserver's configuration file that has communicated with the compromised
Connect.
Destroy the nShield Connect as its integrity can no longer be guaranteed.
Configure a new nShield Connect to communicate with a client.
11.3.9. Compromised Key or Secret: Soft KNETI
Compromise Type
A brute force attack on KNETI file held in obfuscated form in the KMData folder
Impact
KNETI is compromised and must not be used
Recovery Action
For every Connect that the affected client has communicated with, use the Front Panel
to remove the client's configuration data.
For any RFS that the affected client has communicated with, update the RFS's
configuration filer to remove the client's configuration data.
Manually delete the kneti file identified as kneti-hardserver.
• On Windows, is stored in
• On Linux, is stored in /opt/nfast/kmdata/hardserver.d/.
Reboot the client.
Isolate client and investigate unauthorized access to the KMData file and the integrity of
the client.
Once resolved re-configure the Connects/RFS that this client communicated with using
nShield® Security Manual
C:\ProgramData\nCipher\Key Management Data\hardserver.d\.
75 of 90