Cryptographic keys are the cornerstone of almost all security applications and protection mechanisms. It is essential that they are protected and used with the outmost care, so that all the infrastructures, services and business critical applications remain secure. The MTG KMS enables different applications in a company to access a remote, central security system that can perform all necessary crypto operations.
The MTG KMS architecture is part of the overall MTG ERS® system. This means that the system can be expanded with further important security components whenever required. This includes the MTG Certificate Lifecycle Manager, MTG Certificate Authority and the appropriate Hardware Security Module.
The targeted solutions which are based on KMS (e.g., BYOK, Code & Document Signing, Time Stamping, etc.) can be optimally accessed and managed via standard APIs (KMIP, PKCS#11, REST). The MTG KMS includes a specific Java SDK that provides a simple, user-friendly Java interface for easy client integrations. MTG-specific services and adapters are available for specific use cases, like IoT, Secure Boot or Smart Metering for example.
MTG KMS manages the complete Key Management Lifecycle
Secure Key Storage
Central key storage is essential to keep control of all keys in a well-protected location. This prevents keys from being distributed nontransparent across the entire company.
Support for multiple on-premise and cloud Hardware Security Modules (HSM)
- Support for database-stored, HSM-encrypted keys for better performance
- Support for key import and export through various formats
- Secure Key Generation for all modern cryptographic algorithms
- Support for Post-Quantum Cryptography
Secure Key Operations
- Support for all KMIP 2.x and PKCS11 operations
- Generic Cryptographic REST API that enables both simple and advanced cryptographic operations
- Symmetric & Asymmetric encryption
- Digital Signatures
- Random Number Generation
Key Lifecycle Management
- Support for Key Expiration Dates
- Support for multiple business domains
- Secure Key Archival & Destruction
- Strict cryptographic policy enforcement about allowed algorithms and parameters for different use cases
- Enterprise Roles & Rights System
The OASIS Standard Key Management Interoperability Protocol (KMIP) was developed as an interoperable protocol that defines the standard communication between key management servers and clients.
KMIP specifies all management operations for objects (e.g., digital certificates, private keys) stored and managed by a cryptographic key management system. The KMIP standard includes operations for symmetric and asymmetric cryptographic keys, digital certificates and templates that simplify the creation and control the usage of objects.
KMIP has already been implemented by leading companies (e.g. Dell, HP, IBM, Oracle, SafeNet) and is specifically supported in the Internet of Things (IoT). The KMS services (microservices) and adapters from MTG that are plugged in above the KMIP interface simplify the connection of the applications even further.