The HYKER Key Distribution System is a key distribution service for clients running HYKER encryption libraries.
The Hyker Key Distribution System (KDS) is a key distribution service for clients running Hyker encryption libraries. Trust in Hyker crypto systems depends on public key cryptography: every endpoint controls the private keys used for end-to-end authentication and encryption, and the corresponding public keys can be distributed securely between endpoints using Hyker KDS.
The KDS consists of a common certificate storage and a number of stateless servers handling requests. These servers are called the Key Distribution Instances (KDI).
The subjects that a KDI issues certificates for are referred to as clients. Clients are identified by a UID. A KDI-issued certificate binds a public signing key to this UID. The certificates are therefore valid for UIDs and what they represent, for example an account in a system: a KDI-issued certificate binds a UID identity to a key, not an actual individual.
The problem of obtaining a correct UID is left to the developer or user.
The Hyker KDS consists of five major parts:
- A root Certificate Authority for provisioning intermediate CAs.
- A central storage for certificate data (MySQL/Cassandra)
- A number of Key Distribution Instances
- A DNS load balancer to distribute the requests among the different KDI instances
- A revocation client for pushing revocation of KDI instances to clients.
An illustration of the KDS is provided below. In the illustration, clients rely upon a number of KDI servers to securely obtain public keys. Traffic to these instances is distributed using a DNS load balancer. The KDI servers handle requests independently of each other but rely upon the same central storage for fetching keys and registering new EML clients.
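As an added example of the trust chain described above (not code from Hyker KDS itself), the Go standard library is used to let a root CA provision a KDI intermediate, let the KDI issue a certificate binding a signing key to a UID, and let a client verify both the chain and that the certificate is bound to the UID it actually asked about. Carrying the UID in the certificate's Common Name is this example's assumption, not a documented KDS format; the function names are hypothetical.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mint issues a certificate for uid signed by parent (self-signed when parent is nil);
// a CertSign usage makes it a CA, which is how the root provisions a KDI intermediate.
func mint(uid string, usage x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial, not a KDS scheme
		Subject:      pkix.Name{CommonName: uid},         // UID carried in CN: this example's assumption
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyBinding is the client-side check on a certificate fetched from a KDI: it must chain
// to the root through the KDI intermediate, and it must bind exactly the UID asked about.
func verifyBinding(cert, kdi, root *x509.Certificate, expectedUID string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(kdi)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if cert.Subject.CommonName != expectedUID {
		return errors.New("certificate is bound to a different UID")
	}
	return nil
}
```

The UID comparison is the step the page leaves to the developer: a certificate that chains correctly but names another UID is still the wrong certificate for this client.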
All API calls must be accompanied by a whitelisted API key. This key is issued by the organization responsible for the KDI. If your organization has chosen Hyker as the host, the keys are obtained from the developer dashboard. If you have chosen to host the KDS yourselves, you are responsible for generating API keys and distributing them to the KDI instances.