In the future each intelligent "measuring device" will have to receive one or more individual keys, in order to meet the growing security and data protection requirements. Instead of managing a few keys for many devices, a large number of individual keys must now be generated, assigned to the individual devices and managed. This faces meter manufacturers and their customers to new challenges.
MTG KMS Solution
The MTG KMS Server enables different applications in production and operations to access a detached, central security module that can perform all necessary crypto operations. The MTG KMS platform supports multiple independent clients. Rights management ensures the correct distribution of access rights to the respective keys.
The entire life cycle of keys in the MTG KMS is already supported and can be utilized via the standardized KMIP interface. KMS users are also prepared for future developments. For example, HSMs from different manufacturers can be flexibly integrated, depending on changed performance and availability requirements. Encryption and cryptography methods are constantly being further developed and updated. Even if, for example, post-quantum cryptography is required one day, only a single, central system needs to be updated without any significant changes on the application side.
The MTG KMS can also be connected to Hardware Security Modules (HSM) for the secure storage of encryption keys and/or a Public Key Infrastructure (PKI) for certificate management.
As an option, communication (TLS/DLMS) can also be offered as an additional component.
The OASIS Standard Key Management Interoperability Protocol (KMIP) was developed as an interoperable protocol that defines the standard communication between key management servers and clients.
KMIP specifies all management operations for objects (e.g. digital certificates, private keys) that are stored and managed by a key management system. The KMIP standard includes operations for symmetric and asymmetric cryptographic keys, digital certificates and templates that simplify the creation of objects and control their use.
KMIP is already implemented and specifically supported by leading companies (e.g. Dell, HP, IBM, Oracle, SafeNet) on the Internet of Things. (OASIS KMIP Implementation).
Electronic Shipment Files
For the en- and decryption of an electronic shipment file we offer all necessary "crypto functionalities". The application for the electronic delivery note can be connected quickly and easily to fulfill all encryption tasks. For the eLS, we rely on common standards such as OMS-XKE (OMS XML Key-Exchange of the Open Metering System Group) and FNN eLS 2.1 (Germany). Thanks to the key transfer via standardized interfaces, it is always possible to work with a non-MTG KMS on the side of the manufacturer or energy supplier.
The smartHSM ensures that high-quality key material is generated during key generation. The KMS also uses the HSM to protect the sensitive key material from external access. The HSM used here is particularly secure because it has been certified according to Common Criteria EAL 4+. In addition, the legal requirements BSI-CC-PP-0095-2017 (protection profile Mini-HSM), BSI TR-03109 and CP Smart Metering PKI are fulfilled.
MTG KMS is compatible with HSM from UTIMACO and SafeNet Luna. Other HSM manufacturers can be connected on request.
Other KMS Industries
The MTG-KMS is also available for other industries and applications on request. These include, for example, the banking and financial sector, automotive, healthcare and industry 4.0 applications.