The export and import of key material from or into a SmartCard-HSM requires the configuration of a key domain. While in XKEK Key Domains the Key Encryption Key (KEK) is derived using an authenticated Diffie-Hellman, in a DKEK Key Domain the KEK is the result of importing DKEK Shares.

A DKEK Share is a randomly generated 256 bit value (32 bytes). One or more DKEK Shares are imported in a SmartCard-HSM during DKEK Key Domain configuration and the final DKEK is assembled by xor’ing the DKEK Shares into a single KEK value. See our other blog post for details.

The classical way of storing the DKEK Share is in a password-encrypted file. When creating a DKEK Share, the key custodian is prompted to enter a password. Obviously the security of such a scheme depends on the strength of the choosen password and the complexity of the used password-based key derivation. A complex password is difficult to remember, in particular if it is used very infrequently in key management operations. Further, the encrypted file needs to be stored securely, so that an attacker can not obtain a copy and try to brute-force the password. As a result, the DKEK file is often stored on removable media and the password written down and stored securely.

As an alternative approach to managing DKEK Shares, the Key Manager in the Smart Card Shell now supports generating DKEK Shares as PaperKey. A PaperKey is meant to be printed and the printout to be securely stored, e.g. in a sealed envelope in a vault.

The PaperKey concept is known from archiving PGP Keys. The original paperkey from David Shaw uses hexadecimal (Base16) encoding with a CRC-24 checksum protecting each line:

1: 00 04 E3 63 35 4F A8 1A 5A F9 33 4F 02 EB D6 30 4A F5 02 D9 39 19 494042

The format is suitable for large PGP keys, but quite uncomfortable for shorter DKEK Shares.

The PaperKey format generated by the Smart Card Shell looks different:

The PaperKey below contains 4 lines with 3 by 4 characters that
resemble the DKEK share and a check value for each line.

The following characters are replaced for readability.

    Upper case I -> !
    Upper case O -> *
    Lower case l -> %

Please save this key by writing it down or copying it. Then restart
the PC to remove potential traces of the key material.

----8<------8<----

R%3J - 61/3 - x9kD
TTj9 - J4fQ - QMNa
bEB2 - Z4oU - M5q%
YHFa - B1qG - KRjX

----8<------8<----

The encoding is using BASE64 with a slightly modified alphabet, that avoids misleading characters like O/0 1/I 1/l.

Each line has a LUHN-64 check digit, that aims to detect input errors like swapped characters or missed keys on the keyboard. The encoding also includes a segment counter, so that the wrong order is detected while entering the lines.

To import a DKEK Share from PaperKey, you are prompted for entering the key line by line. You can enter the additional delimiter or leave then out, they are basically ignored when the input is parsed.

The Key Manager also allows to convert a file based DKEK Share into the PaperKey format. Just select “Convert File to PaperKey” when creating the DKEK Share.

The encoding and decoding mechanism is available in the scsh/sc-hsm/PaperKeyEncoding module of the Smart Card Shell.