6.6.3 Distributed Key Management System (DKMS)
Figure 80. Distributed Key Management System (DKMS) - Key Points
Key Points
Distributed Key Management System provides a general key management
facility to customers using the Transaction Security System and ICRF.
Presentation Script
The objectives of the IBM Distributed Key Management System are to:
Provide customers using the Transaction Security System products and the
Integrated Cryptographic Facility (ICRF) a general key management system,
which takes advantage of the built-in security functions of these two
cryptographic products and automates the key management process. This
system will ensure that all operations are performed with the highest
possible level of security and will:
- Enforce the separation of key usage
- Exchange and replace keys on demand
- Maintain backup copies of all critical keys
- Provide keys for a broad range of devices including Automated Teller
  Machines (ATMs) and Point-Of-Sale (POS) terminals.
170 Security P-Guide
- Share keys between the host environment and other DES-based non-control
  vector systems, or systems that implement different control vector principles
  (for example, key variants).
- Keep growth and change as simple as possible. This includes adding more
  devices, adding new device types and changing key characteristics.
- Allow each customer to tailor DKMS, because organizations installing DKMS
  must be able to retain their existing security strategies.
- Provide for the definition and separation of test and production keys.
- Separate the development of cryptographic systems and application
  development. This separation will increase the productivity of the
  application programmers who should have no need to know anything about
- Provide easy key management support for the cryptographically secured
  interchange of transactions between financial institutions.
- Maximize system throughput via load balancing as required.
See the IBM Distributed Key Management System, Installation and
Implementation Guide, GG24-4406 for further details.
Chapter 6. Cryptographic Security 171
Figure 81. Distributed Key Management System (DKMS) - Architectural Overview
Key Points
Distributed Key Management System provides:
- Key management function in central location
- Distribution of keys to remote locations
- Secure key management & distribution
- Easy operation and administration
- Separation between test and production keys
- Separation between development of cryptographic systems & applications
- Tailorability to retain existing security strategies
- Scalability to allow growth and change
Presentation Script
DKMS Functional Overview: The Distributed Key Management System (DKMS)
is IBM's strategic solution for cryptographic key management. It manages
cryptographic keys from a central location with an easy-to-use, menu-driven
interface. There are two offerings available: a stand-alone version and an online
DKMS provides key management for a variety of terminal types including:
- Most Automated Teller Machines (ATMs)
- IBM 4737 noncash terminal
- IBM 4718 PIN Pads
- IBM 4778 PIN Pads
- Workstations containing cryptographic hardware or software
DKMS provides the following functions:
- Generate new versions of keys with new activation dates
- Generate and print terminal keys
- Generate and print exchange keys (XKK) for other institutions
- Verify the status of keys
- Recover keys into IBM 4753 Network Security Processor key storage
- Monitor active state of attached IBM 4753 Network Security Processors
- Enter received key parts
Access to DKMS functions is through menus. DKMS allows each installation to
customize the menus to its specific needs. At the lowest level of the menu, the
specified function is performed by calling a program in the Key Management
PS/2. The installation can define menu access tables for groups of people or
individuals. Each specified table includes only the functions that are allowed for
that particular group or individual.
DKMS Versions: The DKMS stand-alone version is based on a PS/2 with OS/2
Application Manager (AM) and the IBM 4755 Cryptographic adapter. It offers the
same functionality as the DKMS online version except for those functions directly
related to the host. The initial logon to DKMS optionally requires an IBM
Personal Security card (PSc).
See the IBM Distributed Key Management System, Installation and
Implementation Guide, GG24-4406 for further details.