A: Constructive Key Management (CKM), now in its seventh generation, is a standards-based cryptographic key management technology that provides information security, information management and access control through cryptography. CKM was invented at TecSec®, Incorporated, which owns the patents and builds the CKM® line of products.
A: TecSec's key management technology is called "Constructive" because the key used for encryption is constructed at the time of encryption and destroyed immediately afterwards. The same key is reconstructed only when the information is decrypted.
A: You can encrypt virtually any type of file (documents, audio files, graphic images, etc.). You can decrypt a file only if you hold the access rights, called Credentials, with which it was encrypted.
A: From an end user's view, a Credential is simply one of many items in a Category. Behind the scenes, however, each Credential is associated with a cryptographic key pair. Access to information is limited by giving particular Credentials to particular Members, depending on the information you wish them to be able to access. You can restrict access further by specifying whether a Member has read and write access to a Credential (can both label and decrypt information with it) or write access only (can label information with it but not decrypt).
A: In very basic terms, in the CKM environment a Token is a storage device for a Member's Profile and Credentials. It can take the form of a Software Token, a Hardware Token such as a smart card or floppy disk, or even a PC Card for use with a PDA. TecSec has its own CKM-enabled™ hardware Token, the Smart Token™.
A: Constructive Key Management (CKM) is a cryptographic system that constructs keys as they are needed and destroys them immediately after each use. Because the key is never stored, this approach avoids the exposure inherent in systems that keep keys in public or private directories, or that carry the key along with the encrypted information.
CKM uses encryption not only to ensure information privacy but also to provide selective access to information. When encrypting with CKM, users or applications label information with Credentials, which define the rights required to access it. Users holding matching Credentials can decrypt the information; those who do not cannot view it. For example, a document may be labeled 'Proprietary' or 'Sensitive', and it may additionally be labeled to require other Credentials.
Behind the scenes, each Credential is associated with binary information. Because this binary information becomes a piece of a cryptographic key, it is called a key value or, more simply, a value. When encrypting, the values of the Credentials applied are combined with one another and with random information to construct a key, the Working Key. The Working Key is used with any of the supported cryptographic algorithms to encrypt the information, and is then destroyed. Because fresh random information enters every construction, the same Working Key is never used to encrypt other information.
Once encrypted, the information is unreadable until it is decrypted using the same key and the same algorithm. Since CKM destroys the key immediately, it must later reconstruct it to decrypt the information. It does this using a header that it attaches to the encrypted information, together with data retrieved from the user's Member Profile.
In the header, CKM includes identifiers for the Credentials applied, but not their values. When decrypting, CKM attempts to retrieve the values needed to build the key from the receiver's own set of Credentials. If the receiver holds the appropriate Credentials, CKM can reconstruct the key and decrypt the information; if not, the information remains unreadable. This process is transparent and requires no instructions or intervention from the user.
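As an added illustration (not TecSec's code, formats or algorithms), the following Python models the construction described in the preceding paragraphs: Credential values are mixed with random salt into a Working Key, the key is discarded after use, and the header names the Credentials by identifier only, so a receiver rebuilds the key from its own Profile or fails to. The read-and-write versus write-only distinction from the earlier answer on Credentials is modelled as a flag in the Profile. The Credential identifiers, the HMAC-based key construction and keystream, the header layout and the sample message are all assumptions of this example; the page does not describe CKM's actual key-combination function or header format, and a real system would use a standard cipher such as AES rather than an HMAC keystream.

```python
import hashlib
import hmac
import json
import os

# Toy model of a constructive-key scheme (added illustration, not TecSec's algorithm
# or formats). A Domain Authority issues Credentials, each with an identifier and a
# secret 32-byte value. A Member Profile holds a subset of those values, each tagged
# "rw" (label and decrypt) or "w" (label only).
CREDENTIAL_VALUES = {  # constructed sample domain: two Categories, three Credentials
    "Classification:Proprietary": os.urandom(32),
    "Classification:Sensitive": os.urandom(32),
    "Project:Falcon": os.urandom(32),
}

def make_profile(access):
    """Build a Member Profile: {credential_id: (access_mode, key_value)}."""
    return {cid: (mode, CREDENTIAL_VALUES[cid]) for cid, mode in access.items()}

def _construct_working_key(values, salt):
    # Combine the applied Credential values (in canonical order) with fresh random
    # salt, so no two encryptions ever construct the same Working Key.
    h = hmac.new(salt, digestmod=hashlib.sha256)
    for cid in sorted(values):
        h.update(cid.encode() + values[cid])
    return h.digest()

def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256; stands in for a real cipher such as AES.
    out = bytearray()
    for counter in range(-(-length // 32)):  # ceiling(length / 32) blocks
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(plaintext, required, profile):
    """Label `plaintext` with the Credentials in `required` and encrypt it. The header
    carries only Credential identifiers plus random salt and nonce, never the values."""
    values = {}
    for cid in required:
        if cid not in profile:
            raise PermissionError(f"encryptor does not hold Credential {cid}")
        values[cid] = profile[cid][1]  # both "rw" and "w" allow labelling
    salt, nonce = os.urandom(16), os.urandom(16)
    working_key = _construct_working_key(values, salt)
    ciphertext = _xor(plaintext, _keystream(working_key, nonce, len(plaintext)))
    header = json.dumps({"credentials": sorted(required), "salt": salt.hex(),
                         "nonce": nonce.hex()}, sort_keys=True).encode()
    tag = hmac.new(working_key, header + ciphertext, hashlib.sha256).digest()
    del working_key  # the Working Key is not stored; it is rebuilt at decryption
    return header + b"\n" + tag + ciphertext

def decrypt(blob, profile):
    """Rebuild the Working Key from the header and the receiver's Profile.
    Returns the plaintext, or None if the receiver cannot construct the key."""
    header, rest = blob.split(b"\n", 1)  # the JSON header contains no newline
    meta = json.loads(header)
    tag, ciphertext = rest[:32], rest[32:]
    values = {}
    for cid in meta["credentials"]:
        entry = profile.get(cid)
        if entry is None or entry[0] != "rw":  # missing, or write-only: cannot read
            return None
        values[cid] = entry[1]
    working_key = _construct_working_key(values, bytes.fromhex(meta["salt"]))
    expected = hmac.new(working_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # a wrong or stale Credential value constructs a different key
    return _xor(ciphertext, _keystream(working_key, bytes.fromhex(meta["nonce"]), len(ciphertext)))

def demo():
    """Encrypt one constructed message and attempt decryption from several Profiles."""
    author = make_profile({"Classification:Sensitive": "rw", "Project:Falcon": "rw"})
    outsider = make_profile({"Classification:Proprietary": "rw"})
    labeller = make_profile({"Classification:Sensitive": "w", "Project:Falcon": "rw"})
    stale = {**author, "Classification:Sensitive": ("rw", os.urandom(32))}
    message = b"Falcon design review notes"  # constructed sample plaintext
    labels = ["Classification:Sensitive", "Project:Falcon"]
    blob = encrypt(message, labels, author)
    return {
        "matching": decrypt(blob, author),
        "missing_credential": decrypt(blob, outsider),
        "write_only": decrypt(blob, labeller),
        "stale_value": decrypt(blob, stale),
        "values_in_header": any(v in blob for v in CREDENTIAL_VALUES.values()),
        "fresh_key_each_time": encrypt(message, labels, author) != blob,
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result!r}")
```

Two caveats on the model. It gives each Credential a single symmetric value, whereas the page says each Credential is associated with a key pair, so the write-only flag here is enforced by the software rather than by the cryptography. And the authentication tag is what turns "wrong value" into a clean failure instead of garbage output; without it, a receiver holding a stale or incorrect value would silently produce an unrelated key and decrypt to noise.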
A: Yes. Key recovery is central to the export approvals that TecSec has received from the Department of Commerce. Legacy CKM implementations have been approved with key lengths of 392 bits.
A: CKM provides information privacy through encryption as well as differentiated access control to information based on a Member's Role.
A: CKM not only provides strong encryption of information; it also solves the differentiated access control problem encountered by many large organizations. Existing key management systems were largely derived from encryption techniques developed in the 1960s, before personal computers, networks and the Internet existed. They were designed for one-to-one, point-to-point communications and are not well suited to today's large-scale, distributed client- and server-based computing and communications environments. CKM was developed in the 1990s in anticipation of the expanding information security and management requirements of large network systems. CKM is an integrated role-based access, key management and object management system that can be applied to data both at rest and in transit.
A: Medium and large companies typically have internal information technology departments seeking to protect the enterprise's information assets and applications, while optimizing extranet communications. While certain vertical markets such as healthcare and financial services are more security conscious than others, protecting data-at-rest is an important issue for all enterprises with significant information assets.
A: CKM works well for organizations of all sizes. Scalability is inherent in the design of CKM applications, so CKM grows with an organization. While CKM is especially suited to large distributed networks, it supports both client- and server-based models and applications. A client-based deployment of CKM moves the bulk of the load to the client and can significantly reduce reliance on a certificate authority: it becomes unnecessary for every transaction to contact a centralized server for certificate verification. This makes CKM highly scalable; it is effective for both large and small companies and accommodates growth.
A: Yes, although it is currently in limited release. The CKM Administration Pack included in this release provides an extremely flexible and scalable solution for an organization's information security and access control needs.
It allows you to mirror your organization's current hierarchical structure and flow of information while enhancing communications security. Using the CKM Admin Tool, the Domain Authority sets up Categories and Credentials, creates Roles, enrolls Members, assigns Members to Roles, and creates Tokens for Members.
TecSec's core product package based on CKM technology is the Constructive Key Management Runtime Environment (CKM RTE). The CKM RTE is the collection of software components required to use CKM technology. The RTE is designed to mask the detailed inner workings of CKM, presenting results that are simple and user-friendly for the end user.
In addition, various web-based products are currently under development.
A: All CKM applications are designed to be easy to use. If you do have questions, you can consult the online help, the help desk, or the help documentation shipped with all products.
A: Yes, it does. You can contact us and we will promptly respond to any question or problem you may have.
A: TecSec is currently putting together training seminars for Administrators and end users, as well as integrators who wish to use the CKM Software Developers Kit.
A: Just send us a message and we will contact you to see if CKM is the right solution for your information security needs. Visit our contact page.