Blowfish

Blowfish is an additional module in Simphony that lets users manage keys across different sites.

Introduction of BLOWFISH – Key Management System:

  • Blowfish is an online tracker dedicated to key management. It tracks all key operations in IDEMIA (imports, generations, transfers…).
  • Blowfish caters for both key generation and key transfers across each manufacturing site.
  • Blowfish also provides functions for Key Ceremony, HSM management, key naming, etc.
  • Blowfish also manages the External Key Custodians.
  • Blowfish does not store keys; it only tracks their operations.
  • Blowfish is used only by IDEMIA and is not open to customers.

Why BLOWFISH?

  • Transparency
  • Compliance
  • Visibility of Key Ceremonies
  • Accelerate Key Transfers

Objective of BLOWFISH:

  • The objective of Blowfish is to provide an easy and transparent way of recording key operations across IDEMIA sites, including manufacturing sites and data centers.
  • The physical record of keys in the HSM continues to follow the security guidelines; Blowfish's scope is limited to operations tracking only.

Key Features of BLOWFISH:

  • Key Request Creations
  • Key Depreciation
  • Key History Tracking
  • Automatic Notifications
  • Custodian Management

Request History Tracking:

Custodian Management:

New Request with Import Keys:

  • A new request is created by the TC using the Excel import feature.
  • The import feature informs the user if the data is invalid, duplicates data that already exists in the system, contains duplicates within the Xlsx file, or is duplicated in both the system and the Xlsx file.
  • This feature was introduced so that the TC can upload data in bulk.

Overview List:

  • The Overview List displays requests created manually by the TC.
  • The Overview List also displays requests uploaded via the import feature; these contain a Group Id.

Bulk Transfer List:

  • The Bulk Transfer List displays requests created by the TC using the import feature.
  • All requests under the same Group Id will be transferred to a different site.
  • All operations are applied by Group Id, since multiple requests exist under a single Group Id.

Live Keys List:

  • The Live List displays requests created manually by the TC.
  • The Live List displays all requests created by the TC through the import feature, by Group Id.
  • From the Live List, the user can perform bulk operations such as Modify, Delete and Transfer by Group Id.
  • From the Live List, the user can perform operations such as Modify, Delete and Transfer on a single request at a time.
  • On the Live List, each request has a specific colour code for the operation performed on it.
  • If a transfer request is raised, no further operation can be performed until the raised operation has been executed.
  • Data can also be exported from the Live List as CSV.

Operation Raised List:

  • The Operation Raised List displays operations raised by the TC on a single request.
  • The Operation Raised List displays all operations raised by the TC on imported requests, by Group Id.
  • The Operation Raised List shows the details of the operation performed by the TC and whether the request is approved, pending or rejected.

External Custodian:

  • From the External Custodian List, the TC can create a custodian for the respective customer.
  • If a user is selected as Main, the user is treated as Key Admin; otherwise as Custodian.
  • From the External Custodian List, the TC can update an existing custodian.

Blowfish Dashboard:

Pending Operation List at Key Admin Site:

  • When a request is sent for transfer, it goes to the Key Admin site for acknowledgement post Live.
  • The Key Admin must enter the Key Ceremony date and then acknowledge the request.
  • The Key Admin can reject the request, which then goes back to the respective TC.
  • The Key Admin can also cancel the request, which then stays cancelled.
  • Bulk transfer requests are also available for bulk acknowledgement, rejection and cancellation.

Asymmetric Key Request Creation at Key Admin Site:

  • When an asymmetric key request is created, it goes directly to Live at the key destination site.
  • Asymmetric key requests only work with Transport Mode set to Transport Key Encryption.

Review List at Key Admin Site:

  • When the TC submits a request and sends it for review, it appears in the Review List.
  • When the Key Admin acknowledges the review, the request goes Live at the target site.
  • The Key Admin can cancel the request, which then stays cancelled.
  • The Key Admin can also reject the request while reviewing; it then goes back to the TC to re-verify and send to the Key Admin once again.

Pending Transfer Ack at Key Admin Site:

  • When a request is Live and the user needs to transfer it from one site to another, acknowledgement is also needed at the source site.
  • Acknowledge, Reject and Cancel can also be performed on transfer requests from this list.

Import Key at Key Admin Site:

  • Requests can be created via import at the Key Admin site.
  • Requests created at the Key Admin site go directly to Live.
  • While importing keys, the application shows messages for invalid data, duplicate data in the system, duplicate data in the Xlsx file, and duplicate data in both the system and the Xlsx file.
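The four import outcomes described here and under "New Request with Import Keys" can be sketched as a pre-commit check; this is an added example, not Blowfish code. The column names and the (key name, site) identity are assumptions, since the page does not give the spreadsheet layout, and the sample rows are constructed.

```python
from collections import Counter

# Assumed columns; the page does not list the real spreadsheet layout.
REQUIRED = ("key_name", "site", "key_type")

def is_valid(row):
    """A row is valid when every assumed required column is non-empty."""
    return all(str(row.get(col) or "").strip() for col in REQUIRED)

def identity(row):
    """Assumed identity of a request: normalised (key name, site)."""
    return (str(row["key_name"]).strip().upper(), str(row["site"]).strip().upper())

def classify_import(rows, existing):
    """Return spreadsheet line numbers grouped by import outcome.
    rows: list of dicts, one per row (metadata only, never key values);
    existing: set of normalised identities already recorded in the tracker."""
    counts = Counter(identity(r) for r in rows if is_valid(r))
    report = {k: [] for k in
              ("invalid", "dup_system", "dup_xlsx", "dup_both", "accepted")}
    for line, row in enumerate(rows, start=2):  # line 1 is the header row
        if not is_valid(row):
            report["invalid"].append(line)
            continue
        in_system = identity(row) in existing
        in_sheet = counts[identity(row)] > 1  # every copy is flagged, not only the second
        if in_system and in_sheet:
            bucket = "dup_both"
        elif in_system:
            bucket = "dup_system"
        elif in_sheet:
            bucket = "dup_xlsx"
        else:
            bucket = "accepted"
        report[bucket].append(line)
    return report

# Constructed sample data (names are made up for illustration).
SAMPLE_EXISTING = {("KEK-GAMMA", "SITE-B"), ("KEK-DELTA", "SITE-B")}
SAMPLE_ROWS = [
    {"key_name": "ZMK-ALPHA", "site": "SITE-A", "key_type": "symmetric"},
    {"key_name": "zmk-beta ", "site": "site-a", "key_type": "symmetric"},
    {"key_name": "", "site": "SITE-B", "key_type": "symmetric"},
    {"key_name": "ZMK-BETA", "site": "SITE-A", "key_type": "symmetric"},
    {"key_name": "KEK-GAMMA", "site": "SITE-B", "key_type": "asymmetric"},
    {"key_name": "KEK-DELTA", "site": "SITE-B", "key_type": "symmetric"},
    {"key_name": "KEK-DELTA", "site": "SITE-B", "key_type": "symmetric"},
]
```

Normalising case and whitespace before comparing keeps `zmk-beta ` and `ZMK-BETA` from being recorded as two different keys.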

Pending Operation List at Pre Prod Lead Site:

  • A request created by the TC with a transfer request raised as Restricted goes to the Pre Prod Lead site to be either approved or rejected.
  • Once approved by the PreProd Lead, it goes to the Key Admin for acknowledgement.
  • Once rejected by the PreProd Lead, the transfer is not possible.

Not only transfer requests but also Modify and Delete requests go via the PreProd Lead for approval or rejection.
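The transfer approval chain described above (TC raises, PreProd Lead approves a Restricted transfer, Key Admin acknowledges with a Key Ceremony date) can be modelled as a role-checked state machine with a pending-operation lock; this is an added example, not Blowfish code. State names, role labels and the sample key name are illustrative assumptions, and the source-site acknowledgement step is not modelled.

```python
from datetime import date

# (state, action) -> (role allowed to act, next state). State and role names
# are illustrative labels for the steps described above, not Blowfish identifiers.
TRANSITIONS = {
    ("PENDING_PREPROD_LEAD", "approve"): ("PREPROD_LEAD", "PENDING_KEY_ADMIN"),
    ("PENDING_PREPROD_LEAD", "reject"): ("PREPROD_LEAD", "REJECTED"),
    ("PENDING_KEY_ADMIN", "acknowledge"): ("KEY_ADMIN", "ACKNOWLEDGED"),
    ("PENDING_KEY_ADMIN", "reject"): ("KEY_ADMIN", "RETURNED_TO_TC"),
    ("PENDING_KEY_ADMIN", "cancel"): ("KEY_ADMIN", "CANCELLED"),
}
OPEN_STATES = {"PENDING_PREPROD_LEAD", "PENDING_KEY_ADMIN"}

class TransferTracker:
    """Tracks transfer requests per key name; holds no key material."""

    def __init__(self):
        self.state = {}    # key name -> state of its latest transfer request
        self.history = []  # append-only trail of (key, role, action, detail)

    def raise_transfer(self, key, role, restricted):
        if role != "TC":
            raise PermissionError("only the TC raises transfer requests")
        # Pending-operation lock: nothing new while an operation is open.
        # Whether a rejected or cancelled transfer may be raised again is not
        # stated on the page; this sketch allows it.
        if self.state.get(key) in OPEN_STATES:
            raise RuntimeError("an operation is already pending for this key")
        # Restricted transfers need PreProd Lead approval before the Key Admin.
        self.state[key] = "PENDING_PREPROD_LEAD" if restricted else "PENDING_KEY_ADMIN"
        self.history.append((key, role, "raise_transfer", self.state[key]))

    def act(self, key, role, action, ceremony_date=None):
        current = self.state.get(key)
        if (current, action) not in TRANSITIONS:
            raise ValueError(f"{action!r} is not valid in state {current!r}")
        allowed_role, next_state = TRANSITIONS[(current, action)]
        if role != allowed_role:
            raise PermissionError(f"{role} may not {action} in state {current}")
        if action == "acknowledge" and not isinstance(ceremony_date, date):
            raise ValueError("Key Ceremony date is required before acknowledgement")
        self.state[key] = next_state
        self.history.append((key, role, action, ceremony_date))
        return next_state

def demo():
    # Constructed walk-through of a Restricted transfer for a made-up key name.
    t = TransferTracker()
    t.raise_transfer("KEY-EXAMPLE-01", "TC", restricted=True)
    t.act("KEY-EXAMPLE-01", "PREPROD_LEAD", "approve")
    return t.act("KEY-EXAMPLE-01", "KEY_ADMIN", "acknowledge", date(2024, 1, 15))
```

Putting the role check in the transition table means no single role can both raise and complete a transfer, which is the separation of duties the approval chain exists to provide.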

Crypto Card Brand & Model at Pre Prod Lead Site:

HSM ( Hardware Security Module ) Pool:

  • Manufacturing and Service business-type pools are created with different business types and areas of use, along with different family types.
  • PC workstations equipped with a cryptographic card are maintained under the HSM Pool.

The HSM Pool is maintained by the Key Admin.

It is acknowledged by the HSM owner at each site.

Import HSM Inventory :

The HSM Inventory is maintained by the Key Admin using the import feature.

Key Ceremony :

  • The Key Ceremony is maintained by the Key Admin.
  • A proper workflow is followed for the Key Ceremony for the keys.
  • A KC or other key ceremony team member receives the notification and checks their key ceremony list to accept, reject and remark.

HSM Hardware (HW) :

  • HSM hardware is managed by the IDEMIA Software Team.
  • This list contains all the details related to HSM HW under the HSM Inventory List.

Overview of HW

Configuration of New HSM Hardware :

HSM Firmware (FW) :

  • HSM firmware is managed by the IDEMIA Software Team.
  • This list contains all the details related to HSM FW under the HSM Inventory List.

Overview List :

Configuration of New HSM Firmware :

Idemia Software (SW) :

  1. IDEMIA Software is managed by the IDEMIA Software Team.
  2. This list contains all the details related to IDEMIA SW under the HSM Inventory List.

Overview List :

Configuration of New Idemia Software :

HSM Inventory List :

  • The HSM Inventory List is managed by the Global Security Team.
  • This list contains all the details related to IDEMIA SW, HSM Hardware, HSM Software, HSM Firmware and HSM Pool under the HSM Inventory List.
  • Export is also available under the HSM Inventory List.

SITE Team Management :

  • The Site Team Management List is managed by the Key Admin.
  • This list contains all the details related to available custodians and custodian exchanges.
  • New custodians can be created from this list.

Add a New Custodian :

Custodian Exchange Form :

Other Activities :

  • The Other Activities List is managed by the Key Admin.
  • This list contains all the details related to the Key Ceremony held with Key Custodians and who the witness was.

Reports :

  • Reports are managed by the Key Admin.
  • Generated reports contain Key Ceremony and Other Activities.

Access Right for HSM – per category

Work Flow – Generation of a Key / Import / Export of a Ciphered Key V1

Work Flow – Generation of a Key / Import / Export of a Ciphered Key V2

Thanks
