Introduction: RSA Key Recovery Manager
Many companies deploying a public key infrastructure (PKI) must be able to retrieve encrypted data as part of their disaster recovery operations or to meet regulatory requirements. For example, a hard disk crash may destroy an employee's private encryption key, and the employee then needs to recover this key in order to access encrypted e-mail. The challenge is to sustain tight security while complying with business or regulatory requirements. The RSA Key Recovery Manager (KRM) meets this challenge.
RSA Key Recovery Manager is an optional package for the RSA Certificate Manager, RSA Security's full-featured certificate authority for creating, issuing and managing PKI digital certificates. RSA Key Recovery Manager provides a way to securely archive and recover users' encryption keys, thereby eliminating the risk of serious data loss in the event that the encryption key is lost, misplaced or corrupted, or if a user leaves an organization.
Features and Benefits
Enhanced Security
- Hardware-Security-Module-based key generation and protection
- Collaborative system of key recovery (M of N)
- Prevents loss of valuable data
Benefits
- The RSA Key Recovery Manager (KRM) features a hardware-based key generation process handled through a Hardware Security Module (HSM), offering a more secure key generation technique than software-based generation. HSMs provide secure management of private keys in that the keys never leave the module unencrypted; they are in dedicated hardware while in use and encrypted with triple DES (Data Encryption Standard) when idle. The use of an integrated HSM enables RSA Key Recovery Manager to deliver the highest standard for security and data integrity while providing key recovery services.
- With RSA Key Recovery Manager, only a certain minimum number of duly constituted Key Recovery Operators (KROs), acting together, can recover a stored private encryption key. The RSA Key Recovery Manager utilizes a smart card-based "m of n" system in which the private key used for recovery is divided up among the cards of several individual KROs. Each one holds a portion of the divided private key with the stipulation that a certain number (m) out of a total (n) of them must come together to participate in the key recovery. This multi-tiered approach provides tightly controlled access to private encryption keys, ensuring additional security to the key recovery process and minimizing opportunities for abuse of the KRO privileges.
- Data storage requirements vary from organization to organization. For example, the U.S. Securities and Exchange Commission (SEC) requires a minimum of seven years storage for transaction data in the brokerage industry. In the healthcare industry, the storage requirements can be much longer. The RSA Key Recovery Manager is completely configurable to meet different storage period requirements. Private encryption keys are kept strongly encrypted in secure storage on the hardware security module such that even compromises to the server's operating system will not jeopardize the security of the key database.
Usability and Interoperability
- Provides data recovery while ensuring non-repudiation
- Certificate and key delivered to user as part of normal enrollment
Benefits
- RSA Key Recovery Manager only archives private encryption keys, since it is not desirable to archive authentication (signing) private keys, as this would compromise non-repudiation. While it is vital for many companies to be able to recover encrypted data, it is critical to ensure that the integrity of non-repudiation is maintained. Given that non-repudiation is delivered through the user's signing key pair (i.e., digital signature), it is extremely important to have only one matching signing key pair, which remains the sole responsibility of the end-user. The ability of anyone other than the apparent signatory to access the private key of that person's signature key pair would make legal recognition of digital signatures very difficult to achieve in many jurisdictions.
- The encryption key and certificate are delivered to the user along with their authentication certificate. The encryption certificate is standards-based and can work with various applications requiring encryption certificates, such as secure e-mail or file encryption.
RSA Digital Certificate Solutions Product Range