Unbound CORE Terms
This section specifies the CORE-specific terms used in this guide.
Crypto Terms
Crypto Processing Modes
CORE server software includes two cryptography processing modes:
- non-FIPS mode (UKC system advanced execution mode that hasn't yet received FIPS certification; FIPS: Federal Information Processing Standards, standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors)
  - Crypto algorithms may be evolved beyond FIPS certification.
  - New key types and mechanisms are added.
- FIPS-hybrid mode
  - FIPS 140-2 certified crypto algorithms are signed and locked as certificated. They are applied to keys configured to use the FIPS-certified algorithms. The other keys use the most recent algorithms.
By default, CORE servers are bootstrapped and operate in non-FIPS mode. To use a CORE system in FIPS-hybrid mode, bootstrap the system in FIPS mode (UKC system mode that allows processing FIPS-certified and not-certified keys). You may also start in non-FIPS mode and later upgrade the system to the FIPS-hybrid mode.
Crypto Operation Classification
All crypto operations are classified as follows (Ref. KMIP v1.4 section 3.22):
- Crypto-processing
  - Decryption
  - Unwrapping
  - Verification of signature
  - Verification of MAC (Message Authentication Code, for example CMAC, GMAC, HMAC)
- Crypto-protection
  - Encryption
  - Wrapping
  - Signing
  - MAC generation
  - Derivation
Key Type Classification
- Crypto object
  - Certificate, key, or secret.
Keys are further classified into the following categories:
- Private Key
  - Imported or generated private key of an asymmetric key-pair.
- Public Key
  - Imported public key of an asymmetric key-pair.
- Secret Key
  - Imported or generated symmetric key.
- Split Key
  - A part of a symmetric or private key that was split into several parts.
- Other
  - Standard keys optimized by Unbound to provide a specific service. For example, PRF keys are generated and used to provide tokenization services.
Key Groups
- Key Group name
  - A name-tag attached to a crypto object. Indicates its membership in the group.
  - A single crypto object may be a member of multiple key groups.
- Default key group
  - All crypto objects are members of the default key group. This membership can't be revoked.
Key groups are created implicitly by attaching a new membership tag to a crypto object. Key groups play a pivotal role in specifying the CORE user role. For example, a user may be permitted to execute a specific set of operations as long as the crypto objects used by these operations are members of the specified key group.
CORE Solution Components
Keystores
- CORE keystore
  - MPC-secured keystore (MPC, multiparty computation: a methodology for parties to jointly compute a function of their inputs while keeping those inputs private) embedded into a pair of the CORE servers and cloned to other pairs.
- External Keystore
  - Keystore located and secured outside of the CORE perimeter. CORE users transparently manage and use key material stored there. Two types:
    - Cloud keystores.
    - On-premise HSMs.
Servers and Devices
A CORE solution is comprised of the following nodes:
- CORE Client - an appliance that uses CORE crypto services. Clients are divided into three categories:
  - Clients that depend on the CORE Client software being installed on the device.
  - Clients that do not depend on the presence of the CORE Client software on the device.
  - KMIP clients (KMIP, Key Management Interoperability Protocol: an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server).
- CORE Server - a server that hosts the CORE server software. The CORE solution uses the following servers:
  - Entry Point (EP) - the CORE front-end for its clients. It shares MPC computational tasks with its Partner.
  - Partner - shares MPC computational tasks with its EP.
  - Auxiliary - optional stateless processing engine that assists the EP and Partner servers. Recommended if you plan intensive use of symmetric operations in a non-FIPS system. Mandatory in FIPS mode.
- CORE server pair - EP and its Partner. The smallest deployment in non-FIPS mode.
- CORE server triplet - EP and its Partner linked to their Auxiliary server. The smallest CORE deployment in FIPS mode contains one triplet.
CORE Cluster
A CORE Cluster Foundation is the minimum set of servers required to provide CORE functionality.
- A foundation for non-FIPS mode requires a pair of servers.
- A foundation for FIPS mode requires a triplet of servers.
Non-FIPS and FIPS clusters are bonded differently:
- Non-FIPS cluster
  - It is composed of server pairs and, optionally, one or more auxiliary servers.
  - A single auxiliary server can serve multiple EP and Partner servers.
- FIPS cluster
  - It is composed of server triplets.
  - Each auxiliary server is assigned to a particular EP-Partner pair.
Types of Client Applications
CORE supports three categories of client-side applications, classified according to their level of coupling with the CORE client-side software:
- Independent applications that gain CORE services by using standard protocols such as KMIP, and generic message-based interfaces such as the REST API (REST, Representational State Transfer: an architectural style that defines a set of constraints and properties based on HTTP; web services that conform to the REST architectural style, or RESTful web services, provide interoperability between computer systems on the Internet). These applications do not link with or depend on the CORE client-side software.
- Clientless applications (systems that use the Unbound Java Security Provider without dependency on the UKC Client software) that link with CORE-provided client-side libraries such as the CORE Clientless Java Provider, without depending on CORE client software being present on the target device.
- Client Stack-based applications. These applications expect CORE software to be installed on the device that runs the application.
CORE Partitions
A CORE partition enables multi-tenancy in a CORE cluster. Each tenant uses a partition where it:
- stores the key material.
- specifies the authorized users and their roles.
- specifies the certified clients.
Each partition spreads across EP and Partner servers. It is replicated across all server pairs.
Partition types:
- Root partition - the default partition accessible by the root security officer (SO; security officer: UKC partition administrator role). Its main purpose is to authenticate devices that may be used to access the partition and its SOs. It doesn't store key material used by applications.
- Standard partition - stores key material. It is managed by the partition SO.
CORE Users
A CORE user is a person or an application that makes CORE service calls. Based on the user authentication method, users are divided into two categories:
- Internal user
  - Credentials of this user are managed and validated by CORE.
- SSO (Single Sign-On) user
  - Credentials of this user are managed and validated by an OIDC Provider (OpenID Connect is an identity layer on top of the OAuth 2.0 protocol).
CORE User Roles
To perform a specific operation that uses a particular object, a user must have the appropriate permission. Permissions are further packaged and managed as roles.
- Permission
  - It ties up a group of objects with a group of permitted operations.
  - The granularity of permission allows pinpointing a specific crypto operation using a specific key.
- Role
  - It is a set of permissions.
  - It is managed by a partition SO.
- User group
  - It ties up a group of users with a set of roles that are granted to members of the group.
A CORE user may have an assigned role and/or be a member of a user group(s) and be entitled to all permissions granted to the group(s).
Default Roles
Each partition is created with two static roles:
- User Role
  - This role allows unrestricted management and use of the partition's key material.
- SO Role
  - This role puts no restrictions on managing the partition and key material but doesn't permit using the key material. In particular, it allows creating custom roles and user groups, clients and users, management of the partition's settings, and participation in the partition quorum.
The default roles are static. The permissions specified by these roles cannot be changed.
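The permission, role, user-group and key-group terms above, together with the static USER and SO roles of this section, as a small authorization model. This is an added example, not Unbound's code; the operation names and the management operations are assumptions, only the operation classes and the implicit default key group come from the page.

```python
from dataclasses import dataclass, field

DEFAULT_KEY_GROUP = "default"   # implicit, non-revocable membership of every crypto object

# Operation classes as listed on this page (KMIP v1.4 section 3.22 style); names are assumed.
CRYPTO_PROTECTION = frozenset({"encrypt", "wrap", "sign", "mac", "derive"})
CRYPTO_PROCESSING = frozenset({"decrypt", "unwrap", "verify", "verify_mac"})
USE_OPS = CRYPTO_PROTECTION | CRYPTO_PROCESSING
MANAGE_OPS = frozenset({"create", "delete", "tag"})   # assumed management operation names


@dataclass(frozen=True)
class Permission:
    key_group: str          # the objects: every member of this key group
    operations: frozenset   # the operations permitted on them


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # a role is a set of permissions


@dataclass(frozen=True)
class UserGroup:
    members: frozenset      # users
    roles: frozenset        # roles granted to every member


@dataclass
class CryptoObject:
    uid: str
    key_groups: set = field(default_factory=set)

    def groups(self):
        return self.key_groups | {DEFAULT_KEY_GROUP}


# Static default roles of every partition: USER uses and manages, SO only manages.
USER_ROLE = Role("USER", frozenset({Permission(DEFAULT_KEY_GROUP, USE_OPS | MANAGE_OPS)}))
SO_ROLE = Role("SO", frozenset({Permission(DEFAULT_KEY_GROUP, MANAGE_OPS)}))


def effective_permissions(user, assigned_roles, user_groups):
    """Union of the user's own roles and the roles of every user group it belongs to."""
    roles = set(assigned_roles.get(user, ()))
    roles |= {r for g in user_groups if user in g.members for r in g.roles}
    return {p for r in roles for p in r.permissions}


def is_permitted(user, op, obj, assigned_roles, user_groups=()):
    """True when some permission names op and a key group the object belongs to."""
    return any(op in p.operations and p.key_group in obj.groups()
               for p in effective_permissions(user, assigned_roles, user_groups))
```

A custom role scoped to a named key group restricts an application to one operation on one set of keys, while adding the so user to a group that grants a crypto operation widens its scope without changing its SO role.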
Default Users
Upon the creation of a partition, the system creates two default users known by the following names:
- user
  - It is assigned the USER Role.
  - It may be reassigned to a custom and more restricted role, or granted membership in a user group with a subset of permissions reserved to the SO.
- so
  - It is assigned the SO Role.
  - It can't be reassigned to a different role, but the scope of its permissions may be increased by including it in a user group that allows certain crypto operations.
Besides these users, the system bootstrap creates the Root partition and its SO:
- Root SO
  - Has the SO Role in the Root partition.
  - In addition, the main objective of Root SOs is the creation of partitions, CORE cluster management, and control of the global system settings.
Key Material
Obfuscated Key
The terms obfuscated key and obfuscated PEM refer to the PEM-formatted file (PEM: Base64 encoded DER wrapped by "--- BEGIN <type> ---" and "--- END <type> ----") that contains a handle to the UID of an asymmetric key. The key material may be located in the CORE or an external keystore. An obfuscated key serves applications (e.g., OpenSSL) that are
- expecting their key material to be provided in a PEM file, and
- supporting plug-in crypto providers.
To create such a file from an asymmetric key located in the CORE or external keystore, use
A peek into the file shows the Base64 encoding of the handle to the UID and a filler pattern (UNBOUND).
Note
The filler pattern and the title line may change based on the key material type and the scenario that caused the creation of the key.
UB-PGP Proxy Key
A UB-PGP proxy key (PGP: Pretty Good Privacy, a PKI implementation) represents a CORE key in the GnuPG (GPG: GNU Privacy Guard, a PGP cryptography implementation) keyring infrastructure. It allows GPG-based applications transparent use of an RSA key located and processed in the CORE or external keystore.
To create the UB-PGP proxy key and embed it into PGP key-rings, use the ucl pgp-key command.