SKI Wrapper

The Crescendo Manager Secure Key Injection (SKI) Wrapper lets you protect secrets in transit to tokens, in compliance with the Secure Key Injection protocol.

Secure Key Injection is a FIPS-compliant protocol that protects private keys, OTP secrets, and management keys while they are imported to tokens.

The protocol involves the following steps:

  1. SKI Transport Key Generation:

    An SKI Transport Key is generated on the token. The private part of the key is securely stored on the token and cannot be retrieved. The public part of the key can be used to encrypt (wrap) secrets before they are transferred to the token.

  2. Encryption of a Secret:

    A secret (such as a management key, private key, or OTP secret) is generated and needs to be transferred to the token. The token holder provides the public part of the SKI Transport Key, and the wrapper uses it to encrypt (wrap) the secret.

  3. Secure Injection:

    The encrypted (wrapped) secret is then imported to the token, where the token uses the private part of the SKI Transport Key to decrypt and securely store the secret.

Tip!
  • Once the sensitive data (e.g., the private key, management key, or OTP secret) has been wrapped with a token's SKI transport key, it can be decrypted only by that token, because the matching private key never leaves it. Even if the wrapped data is intercepted in transit, the actual secret remains protected. Two practical consequences: keep (or destroy) the unwrapped original securely once it has been wrapped, and make sure the SKI transport key you wrap with genuinely came from the intended token, since a secret wrapped with any other RSA-3072 public key is readable by whoever holds that key's private half.

  • A key benefit of the SKI protocol is that it is fully asynchronous: no continuous connection is required between the server and the client (unlike with a secure channel). The wrapped data can be transferred by any means, such as email.

Encrypting Secrets Using the SKI Wrapper

To encrypt a secret that needs to be transferred to a token, the public part of the token's SKI transport key is needed. This key is always an RSA-3072 key. Each SKI transport key is uniquely bound to a specific token and can only be used to securely transfer data to that token.

If the token supports this function, the holder can generate and export an SKI transport key in Crescendo Manager.

Tip! To use the SKI Wrapper functionality, no token is required. You only need to provide the SKI transport key corresponding to the target token.

To wrap your secret:

  1. Go to the Tools section in the navigation pane and select SKI Wrapper.

  2. Provide the SKI transport key (RSA-3072 public key). Other key types are not accepted in this field.

    Enter the key directly into the SKI Transport Key field, browse for a file, or drag and drop it into the field.

    Note: If the token supports this function, the token holder can generate an SKI Transport Key in Crescendo Manager.

  3. Select the Wrapped Object Type (private key, management key, or OTP secret).

  4. Enter the secret to be encrypted directly into the Private Key Data to Wrap field, browse for a file, or drag and drop it into the field. Available formats are listed in the context help.

  5. Click Wrap to encrypt (wrap) your secret.

  6. Click Save to save the encrypted (wrapped) secret to a desired location.

  7. The wrapped secret, saved as a .json or .txt file, can then be imported onto the intended token or used for one-time password configuration.
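The three protocol steps described above and the wrapper's input check (an RSA-3072 public key; other key types are rejected), as an added, runnable Go example. This is not Crescendo Manager's code and not the SKI specification: it assumes RSA-OAEP with SHA-256 as the wrapping primitive and uses the wrapped object type as the OAEP label, neither of which the page states, so treat both as illustrative. The token is simulated in memory; on a real token the private half of the transport key never leaves the device. The 24-byte management key is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Token simulates a smart card or USB token holding an SKI transport key pair.
// On real hardware the private half never leaves the secure element; here it is
// kept in memory only so that the unwrap step can be shown.
type Token struct {
	transport *rsa.PrivateKey
	secrets   map[string][]byte // secrets stored after injection, keyed by object type
}

// Step 1: generate the SKI transport key on the token and export the public
// half as PEM, which is the input the SKI Wrapper consumes.
func NewToken() (*Token, []byte, error) { return newToken(3072) }

// newToken takes the key size as a parameter so that a non-3072 key can be
// produced to exercise the input check (assumption for this example only).
func newToken(bits int) (*Token, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	pub := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return &Token{transport: priv, secrets: map[string][]byte{}}, pub, nil
}

// ParseTransportKey mirrors the wrapper's input check: the SKI Transport Key
// field accepts an RSA-3072 public key and nothing else.
func ParseTransportKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("input is not a PEM public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("SKI transport key must be RSA; other key types are not accepted")
	}
	if rsaPub.Size()*8 != 3072 {
		return nil, fmt.Errorf("SKI transport key must be RSA-3072, got RSA-%d", rsaPub.Size()*8)
	}
	return rsaPub, nil
}

// Step 2: wrap the secret under the token's transport public key.
// RSA-OAEP/SHA-256 with the object type as label is an assumption of this
// example; the label binds the blob to its declared object type so that a
// wrapped management key cannot be injected as an OTP secret.
func Wrap(pub *rsa.PublicKey, objectType string, secret []byte) ([]byte, error) {
	// A single RSA-3072 OAEP block carries at most 318 bytes; larger inputs
	// fail with rsa.ErrMessageTooLong rather than being truncated.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, []byte(objectType))
}

// Step 3: the token unwraps with its private key and stores the secret.
// Any other token, or a mismatched object type, fails to decrypt.
func (t *Token) Inject(objectType string, wrapped []byte) error {
	secret, err := rsa.DecryptOAEP(sha256.New(), nil, t.transport, wrapped, []byte(objectType))
	if err != nil {
		return fmt.Errorf("injection failed: %w", err)
	}
	t.secrets[objectType] = secret
	return nil
}

// Has reports whether the token stored the given secret after injection.
func (t *Token) Has(objectType string, secret []byte) bool {
	return bytes.Equal(t.secrets[objectType], secret)
}

func main() {
	token, pubPEM, err := NewToken()
	if err != nil {
		panic(err)
	}
	pub, err := ParseTransportKey(pubPEM)
	if err != nil {
		panic(err)
	}
	mgmtKey := bytes.Repeat([]byte{0x42}, 24) // constructed sample management key
	wrapped, err := Wrap(pub, "management-key", mgmtKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped blob: %d bytes, secret visible in blob: %v\n", len(wrapped), bytes.Contains(wrapped, mgmtKey))
	if err := token.Inject("management-key", wrapped); err != nil {
		panic(err)
	}
	fmt.Println("token stored management key:", token.Has("management-key", mgmtKey))
}
```

Running it shows a 384-byte wrapped blob that does not contain the sample management key, a successful injection on the token whose public key was used, and (if you try it) a failed injection on any other token or under a different object type. Because one RSA-3072 OAEP block holds at most 318 bytes, a full RSA private key would not fit in this scheme, which is why the example sticks to the management-key and OTP-secret cases; how the real SKI format carries larger objects is not described on this page.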