FAQ Page

/FAQ Page

“Identity is a global event, permissions are always local”

Aside from the direct challenges of managing the taxonomies and their usage, we often face two organizational problems that have been shared by our colleagues in other organizations: creating a shared understanding the value of taxonomies across the organization and deciding how to pay for taxonomy development. The first problem is often addressed as a matter of internal marketing of our own expertise. We try to give semi-regular presentations to folks across our organization – technology, product management, marketing, and sales – to explain how indexing and cataloging with controlled vocabularies improves the user experience and gives our products a competitive edge. Creating that shared understanding helps create a positive environment for addressing the second problem: how to pay for the work. The cost of much of the taxonomy work done in our organization is shared across multiple departments and product lines. So it’s important to us that everybody understands what they’re paying for and why it helps their bottom line.

CKM has been reviewed for cryptographic accuracy and conformance through a FIPS 140-2 evaluation. A copy of the certificate can be found here. In addition, the following algorithms have been tested and certified for FIPS 140-2 compliance.

FIPS-approved algorithms: AES (Certs. #345 and #379); Triple-DES (Certs. #407 and #422); SHS (Certs. #420 and #450); HMAC (Certs. #149 and #167); RNG (Certs. #165 and #181); RSA (Certs. #116 and #131); DSA (Certs. #155, #163, and #165)


You can download the CKM and Standards document in the Reference Papers section of our Library which provides links to various standards organizations.


CCKM was developed in compliance with multiple security standards and was selected for incorporation into a new American National Standards Institute (ANSI) Standard. In 1996 the Federal Reserve Bank, along with IBM, Citibank, Chase and the Digital Equipment Corporation sponsored CKM before ANSI to be considered for the next generation of security technology for banking transactions (e.g., Electronic Funds Transfers). Following two and a half years of peer review by over 100 companies, ANSI X9.69 was approved in March of 1999.

Constructive Key Management® technology is inherent to the ANSI Standard X9.69 Framework for Key Management Extensions, and its technology is based upon a number of other standards. For more information, please see TecSec®Incorporated’s CKM and Standards documents.

In addition, the CKM Software Developer’s Kit interfaces with the PKCS#11 Cryptographic Token Interface Standard.

CKM permits the segregation of data and the denial of access to information unless specifically permitted. CKM enabled Smart Tokens™ also have these attributes. Consequently, access to the data stored on the card is governed by security rules defined by the card issuer. Excluding unauthorized access reduces liability exposures in major ways.


The performance of any computing platform depends upon many variables. Our architecture and operational design make optimum use of the computing resources on both the card and the host PC, while vigilantly enforcing sound security policy. The trick is to make sure the card is capable of doing what the architect asks it to do and that the host PC is secure enough to do what it may be asked to do. Our products use practical solutions to resolve these trade-offs. For small amounts of data, the Smart Token will do the decrypting itself. For large amounts of data, the Smart Token provides the desktop with a working key and the desktop performs the encryption/decryption with its much faster processing speed. In general, however, for most information access operations, the encryption/decryption time is insignificant.

You do not have to use a Smart Token with Constructive Key Management®(CKM®), but it is recommended that you do so. All of the CKM functions can be performed on a desktop computer, but all of the protocols and keying material would have to be stored on the hard drive in the form of a virtual software Token.

One of these “virtual” Tokens is less expensive and more convenient to send over a network for pilot and test phases than a Smart Token. It is not, however, convenient to move from computer to computer, it cannot serve as portable data storage and it does not provide the same high level of security that a Smart Token does. The Smart Token is specifically designed to resist attack and will not divulge its secrets or permit modification of its contents.

Only if the card issuer’s design specifications permits such use. Ordinarily, to maintain adequate security, a Smart Card should only be used by the individual to whom it was assigned. Access to the card can be a simple PIN or password. If the card also included a biometric match (i.e. a fingerprint or voice print), as is available on the TecSec Eagle card, it would be impossible for anyone else to use the card.

Virtually none. Simply insert a Smart Card into the reader.

TecSec designs to standards and PCSC compatible readers, available in serial port and USB configurations. For example, Athena Smartcard Solutions ASEDrive smart card readers, SCM Microsystems readers and Precise Biometrics readers, all of which are FIPS 201 certified and on the GSA APL are available options. Interoperability is inherent to the design of CKM, so most Smart Cards and readers may be adapted to operate with CKM-enabled applications. For a list of interoperable cards and readers, please contact us at info@tecsec.com.

No. The card’s Credentials and critical keying information are not accessible to an unauthorized individual. It takes a user’s PIN or password to activate the card. Various additional security features can be designed into the product including biometric features (fingerprint, voice print, etc.). In addition, the card can be written to electronically (for cancellation or rekeying purposes, etc.). Credentials also have built-in timeouts such that if a Smart Card is not periodically updated, it won’t work.

Smart cards are extremely secure owing to a critical design feature which was identified by the Task Force on the Security of Electronic Money. This feature involves the degree of tamper-resistance of the embedded microchip. Another critical safeguard is the use of Cryptography to authenticate devices and messages, which further serves to protect data from unauthorized observation and alteration. CKM-enabled devices can be created to achieve these and other higher security features, maintaining efficiency and continued ease of operations.

The CKM-enabled® Eagle Smart Card offered under the FIPS 201/PIV program has been reviewed and certified by NIST as a FIPS 140-2 Level 4 for physical security, Level 3 for Key Management and Design Assurance.

Physically, the cards are quite reliable. They are more reliable than traditional magnetic stripe cards (credit cards, ATM cards, etc.), simply because magnetic strips become worn and eventually stop functioning after prolonged use. The contacts on Smart Cards are embedded within the card giving a longer, useful life.


Smart Token is TecSec®, Incorporated’s secure, multi-application, multi-owner, CKM-enabled™ Smart Card device also known as the TecSec Eagle card.


A Smart Card is akin to a credit card, but it typically has a microchip instead of (or in addition to) a magnetic strip. The microchip is used to store data. Smart Cards can securely store as much as 500 times more data than traditional magnetic-stripe cards.


Actually, not protecting your electronic information will prove to be more costly.


A digital signature is a non-forgeable transformation of data that allows proof of the source with non-repudiation and the verification of the integrity of that data.


The term “digital signature” applies to the technique of adding a string of characters to an electronic message that serves to verify the identity of the sender. Some digital signature applications check against any changes made to the text of the message after the digital signature was originally added.


Typically, an organization’s security needs are threefold:

  • To protect data-at-rest
  • To protect data-in-transit
  • To enforce Role-Based Access Control (RBAC), that is, to ensure that only those individuals authorized to see specific information actually do.

TecSec®, Incorporated’s Constructive Key Management® (CKM®) technology and administrative system is designed to protect sensitive information – both at rest and in transit – through encryption, and to provide access control based on a Member’s right-to-know. CKM allows you to assign access privileges, known as Credentials, to Members, and is ideally suited for large organizations where different parts of the organization have a need to access different parts of an information repository, and where that access needs to be conditional based upon the Member’s Role.


Unauthorized Access: An unauthorized person gains access to a computer system, or a person authorized to use a system for one purpose uses it for another.

Planting: An attacker leaves behind a mechanism to facilitate future attacks, such as a Trojan Horse.

Communications Monitoring: An attacker learns confidential information without necessarily penetrating the victim’s computer.

Spoofing: An attacker tampers with the data to the communications process to learn confidential information. For example, a bogus server system is installed to trick a user into voluntarily divulging information.

Repudiation: A party to a transaction falsely denies that the transaction occurred or was authorized, after the fact.

Confidentiality (or Privacy): Information is unavailable to those who are unauthorized to see it.

Integrity: Information cannot be modified in unexpected ways.

Availability: Maintains the availability of data while preventing resources from being deleted or becoming accessible to unauthorized persons.

In today’s networked society, Information Security is becoming more and more important. Everyone knows that it is important to protect your information and system by installing a firewall to keep intruders out, and by loading anti-virus software onto your workstation to protect your PC from malicious viruses, worms, and Trojan horse viruses. However, reports show that the majority of security breaches occur from within an organization. Therefore, CKM – combining with these traditional measures – offers a higher level of information security by encryption of the actual information and role based access within the organization.

Adequate security is the belief that there is an acceptable balance of threats against safeguards for a particular circumstance.


Yes, because CKM provides you with the enhanced security technologies of Role-Based Access Control (RBAC) and Information Privacy.

RSA Conference 2002 Presentation: CKM Enabling PKI

Constructive Key Management® is highly complementary to PKI. PKI was derived from Public-Key or Prime-Key, Derived-Key encryption techniques developed in the 1960s for individual identification and authentication. The techniques were developed before personal computers, networks and the Internet existed – and were designed for one-to-one, point-to-point communications. CKM was developed in the 1990s and is especially well suited to large-scale, distributed client and server-based computing and communications environments. PKI pilot and commercial deployments today are primarily designed to meet the following Information Security Objectives:

(a) Identification
(b) Authentication
(c) Non-Repudiation
(d) Data Integrity

The foregoing attributes of PKI combine efficiently with CKM as it excels in enabling the additional Information Security Objectives of Privacy and Confidentiality (in addition to its core access management capabilities). CKM can be deployed in conjunction with existing or planned PKI deployments to enable a complete, end-to-end security solution. CKM can also be deployed on a stand-alone basis to meet a variety of information security and management objectives, especially in closed environments.

PKI stands for Public Key Infrastructure. The X.509 standard defines a PKI as “The set of hardware, software, people and procedures needed to create, manage, store, distribute and revoke certificates based on public-key cryptography.”

PKI has three components in its basic form – Public/Private keys, Digital Certificates, and a Certificate Authority (CA). In a typical PKI deployment, each user is assigned a pair of linked keys – a public key available to others through a CA, and a private key, which is kept secret on the user’s client. A user sending a secure message uses the receiver’s public key to encrypt the transmission so that only the intended recipient can read the message.

CKM® applications are shipped with the following algorithms:

  • P2 Algorithm – P2 is TecSec®, Incorporated’s patented high performance cryptographic algorithm.
  • Data Encryption Standard (DES) Algorithm – The Data Encryption Standard Algorithm, frequently referred to as DES, is widely used within government and financial organizations.
  • Triple-DES (DES3 or 3DES) – In general terms, the 3DES algorithm improves on the standard DES protection by encoding information three times with as many as three different keys.
  • TecSec’s Identity Algorithm – The CKM Admin Tool is also shipped with TecSec’s Identity algorithm. The Identity algorithm does not actually encrypt data but is used for debugging applications.
  • RSA PKCS – The RSA algorithm is an asymmetric algorithm used for encryption and signing. PKCS refers to the padding type applied to the data. This algorithm must be supplied if PKI interoperability is required.


An algorithm is a formalized set of rules for carrying out a computation or solving a problem in a finite number of steps. A cryptographic algorithm is a method for transforming information, so that it is not intelligible until it is decrypted.

Encryption is an important security tool. It can protect information stored on computers, which may be vulnerable to unauthorized access or physical theft, and it provides a secure communications channel even if the underlying system is not secure.

Encryption technology provides a valuable means to enable security, confidentiality, integrity, authenticity, and trust in today’s networked world.


The process of turning ciphertext back into cleartext is called decryption.

Encryption is the process of turning readable information, also referred to as cleartext or plaintext, into unreadable information, also referred to as ciphertext.


Cryptography is the science of writing or solving codes. Cryptography is an essential element in keeping the “secrets” we wish to communicate to a select audience, truly “private” in today’s electronic world.

Just send us a message and we will contact you to see if CKM is the right solution for your information security needs. Visit our contact page.

TecSec is currently putting together training seminars for Administrators and end users, as well as integrators who wish to use the CKM Software Developers Kit.

Yes, it does. You can contact us and we will promptly respond to any question or problem you may have.

All CKM applications are easy to use. However, in case you do have questions, you can consult the online help, the help desk, or the provided help documentation that is shipped with all products.

Yes, although it is currently in limited release. The CKM Administration Pack included in this release provides an extremely flexible and scalable solution for an organization’s information security and access control needs.

It allows you to mirror your organization’s current hierarchical structure and flow of information while enhancing communications security. Using the CKM Admin Tool, the Domain Authority sets up Categories and Credentials, creates Roles, enrolls Members, assigns Members to Roles, and creates Tokens for Members.

TecSec’s core product package based on CKM technology is the Constructive Key Management Runtime Environment (CKM RTE). The CKM RTE is the collection of software components required to utilize CKM technology. The RTE is designed to mask the detailed inner workings of CKM, making the results simple and user-friendly for the end user.

In addition, various web-based products are currently under development.


CKM works well for all organizations of all sizes. Scalability is inherent to the design of CKM applications, so CKM grows with an organization. While CKM is especially suited to large distributed networks, it supports both client and server based models and applications. A client-based architecture and deployment of CKM moves the bulk of the load to the client and can significantly reduce the reliance on a certificate authority. It becomes unnecessary for every transaction to obtain authentication from the centralized server for certificate verification. This makes CKM highly scalable, in that it is effective with both large and small companies and can accommodate growth.


Medium and large companies typically have internal information technology departments seeking to protect the enterprise’s information assets and applications, while optimizing extranet communications. While certain vertical markets such as healthcare and financial services are more security conscious than others, protecting data-at-rest is an important issue for all enterprises with significant information assets.

CKM not only provides strong encryption of information, it also solves the differentiated access control problem encountered by many large organizations. Existing key management systems were largely derived from encryption techniques developed in the 1960s before personal computers, networks and the Internet existed. They were designed for one-to-one, point-to-point communications and are not well suited to today’s large-scale, distributed client and server-based computing and communications environments. CKM was developed in the 1990s in anticipation of expanding information security and management requirements in large network systems. CKM is an integrated role-based access, key management, and object management system that can be applied to data both at rest and in transit.

CKM provides information privacy through encryption as well as differentiated access control to information based on a Member’s Role.

Yes. Key recovery is central to the export approvals that TecSec has received from the Department of Commerce. CKM legacy implementations have been approved with key lengths of 392 bits!

Constructive Key Management (CKM) is a cryptographic system that constructs keys as needed and immediately destroys them after each use. This method provides greater security than other systems that store keys in public or private directories, or that include the key with the encrypted information.

CKM uses encryption not only to ensure information privacy, but also to provide selective access to information. When encrypting with CKM, users or applications label information with Credentials, defining the rights required to access the information. Users holding matching Credentials will be able to decrypt the information while those who do not will be unable to view the information. For example, a document may be labeled ‘Proprietary’ or ‘Sensitive’, and it may be labeled to require certain other Credentials.

Behind the scenes, each Credential is associated with binary information. Since this binary information becomes a piece of a cryptographic key, it is called a key value or, more simply, just a value. When encrypting, each of these values is combined with other values and random information to construct a key – the Working Key. This Working Key is used with any number of cryptographic algorithms to encrypt the information, and is then destroyed. The same key will never be used again to encrypt other information.

Once encrypted, the information is unreadable until it is decrypted using the same key and the same algorithm. Since CKM immediately destroys the key, it must later reconstruct it to decrypt the information. It does this by using a header that it attaches to the encrypted information, along with data retrieved from the user’s Member Profile.

In the header, CKM includes identifiers to the Credentials applied, but not the actual values. When decrypting, CKM attempts to retrieve the values needed to build the key from the receiver’s set of Credentials. If the receiver holds the appropriate Credentials, CKM will be able to construct the key needed to decrypt the information. If not, the information will remain unreadable. This process is transparent and requires no instructions or intervention from the user.

In very basic terms, in the CKM environment a Token is a storage device for a Member’s Profile and Credentials. It can take on the form of a Software Token, a Hardware Token such as a Smart Card or floppy, or even be on a PC Card for use with a PDA. TecSec has its own CKM-enabled™ hardware Token called the Smart Token™.

From an end-user’s view, a Credential is simply one of many items in a Category. However, behind the scenes, each Credential is associated with a Cryptographic key pair. Access to information is limited by giving certain Credentials to certain Members-depending on the access to information that you wish them to have. Furthermore, you can limit access even further by specifying whether a Member will have read and write access to a Credential, or just write access.

You can encrypt virtually any type of file (doc files, wav files, graphic images, etc.). You can decrypt files if you hold the proper access, called Credentials, to do so.


TecSec’s Key Management technology is called “Constructive” because the key used for encryption is created at time of encryption and then destroyed. This key is then reconstructed at decryption.

Constructive Key Management (CKM) technology, now in its seventh generation, is a standards-based cryptographic key management technology that provides information security, information management and access control through cryptography. CKM was invented at TecSec®, Incorporated. TecSec owns the patents and builds the CKM® line of products.