Demystifying key management

Modern cryptography

We are surrounded by codes. No longer the domain of spies and espionage, cryptography is now fundamental to our modern information age. It is used to protect everything from credit card numbers for online purchases to corporate secrets over virtual private networks (VPNs).

Cryptography is an enabling technology. It provides a way for two or more parties to communicate securely over an insecure network, like the Internet. No other technology can do this. By providing these services, cryptography opens the door to new possibilities. It provides the basis for secure e-commerce over the Internet and it supports modern ways of doing business, including business-to-business (B2B) and business-to-government (B2G) commerce.

The traditional use of cryptography is restricted to encryption. Encryption protects sensitive information so that it cannot be read by a third party while in transit or in storage. Modern cryptography provides encryption, but goes further by also enabling 'digital signatures'.

Digital signatures replace handwritten signatures in the digital world. They can be used to authenticate the person that applied the signature and even to hold that person responsible for anything they may have committed to, like signing a legal contract. Digital signatures can also be used to check that data has not been modified while in transit or storage, or they can be used solely to authenticate a person, such as to provide access to an online service.

These tools are invaluable, but they do not come without their problems. Unlike codes of the past, modern cryptographic algorithms are, for all practical purposes, impossible to break. The weakest part of the system is instead the security of the keys that the cryptographic algorithm uses. If the key material is compromised, then the security of the data is, in effect, also compromised. This is why protecting the key material is of paramount importance.

This article describes what key management is and how to go about it. It provides an introduction to the types of things that you need to consider to ensure that your organisation's key material is appropriately protected, and some of the ways you can achieve this in practice.

What is key management?

Key management is all about generating, handling, storing, backing up and using keys. In practice it is the most difficult aspect of modern cryptography. To make matters worse, it is becoming increasingly difficult.

The practical uses of cryptography are increasing and so with it are the sheer numbers of keys that must be managed. It is not uncommon for an organisation to have tens or even hundreds of keys for just VPN and Web server purposes. This number can increase to many thousands if employees are also issued keys for applications like remote VPN access, laptop disk encryption and secure email.

Each key must be managed securely throughout its lifetime, from generation and backup to destruction. Both internal and external threats must be identified and addressed. The best way to do this is to allocate a key custodian for each key. The key custodian is a staff member who is responsible for the security of the key. They must be trained and must have their roles defined in such a way that no one person could ever steal the most sensitive key material. Doing this effectively requires careful thought and organisation. These issues make key management a very difficult task for many organisations. Fortunately, there are ways of making life easier.

Identifying keys

The first step in managing your organisation's keys is to determine what keys you already have. It is important to gain a clear understanding of the types and numbers of keys that exist, what each of these keys protects and where each key is used. A key register documents this information and provides the basis of a risk management approach for key material. It enables you to assess the security of each key and put safeguards in place that are commensurate with the value of the key.

The sorts of keys that you may need to consider are listed below.

SSL server keys

Depending on the web traffic being protected, these keys may be high or low value. An important consideration is that, while these keys may protect large amounts of data, they only protect data while it is in transit. They do not protect information long-term and so do not normally need the same level of security as keys used to provide non-repudiation (legal accountability) of a web user's actions. They also do not usually have the same backup requirements as other keys that may be required to recover encrypted data.

VPN server keys

These keys are typically of higher value than SSL server keys due to the sensitivity of the data that they protect.

Data backup keys

These keys are used to protect data backups, such as backups of database or directory contents, or server log files.

Encrypting this information allows it to be stored offsite securely. An important issue to consider is that, if these keys are lost, it may be impossible to recover any data from back-ups. Careful key management is therefore required to ensure that this does not happen.

Data encryption keys

Similar to data backup keys, but used to encrypt data in production instead of backup copies of the data. This has the added advantage of protecting against risks from database or system administrators who may otherwise have free access to all data.

SSH keys

These keys are used to establish point-to-point secure tunnels. SSH keys have the added issue that, unlike conventional X.509 certificates and keys that are used in most other security applications, SSH keys do not expire. They must therefore be updated regularly to limit the value of any single key.

User keys

These keys are normally issued to users for purposes such as document signing, remote VPN access, laptop hard drive encryption, file encryption and secure email. The appropriate level of security for these keys depends heavily on what they are used for. Very high levels of security are needed where an organisation wants to be able to claim non-repudiation of a user's actions, to hold the user personally and legally accountable for any actions they perform using the key. An example of this is where an employee is able to commit the organisation legally or financially through the application of a digital signature, such as on a purchase order or legal contract.

Certification Authority (CA) and Registration Authority (RA) keys

These keys form part of a Public Key Infrastructure (PKI), which many organisations use to issue and certify keys and certificates for identifying employees and devices. CA and RA keys are typically very high-value and must be carefully protected.

The above list is not exhaustive. Depending on your organisation's infrastructure there may also be keys for the digital signing of important application data, or for other purposes. There are also likely to be a host of 'session keys'. These are used in almost all cryptographic systems, are typically managed internally by the application and are often short-lived, but should nonetheless be considered, especially if used to protect sensitive data.

In compiling a key register for your organisation, it is important to be thorough and to be aware of all copies of a key that may exist. A common mistake that many organisations make is to inadvertently back up keys held in software along with other data, without considering the security of the backup media. This can provide an excellent opportunity for an attacker trying to steal your keys.

For each key that you rely upon, you need a clear understanding of the value of the data that the key protects and the security controls that are already in place to protect the key throughout its lifecycle. You can then do a risk assessment to determine whether or not these controls are adequate to protect against the threat of the key being compromised or lost. In risk management terms, the consequence of a key compromise or loss depends on the value of the data that the key protects; the likelihood depends on the controls that protect the key.

Protecting your keys

There are a number of things you can do to reduce the risk of keys being lost or stolen. These 'controls' are the tricks of the trade for key management, and include procedural, technical and structural controls. Many of them are described below.

Effective key management requires an appropriate set of security controls, based on the nature and value of the key material that must be protected. These controls should be documented in a Key Management Plan or similar document, as recommended by standards such as the Defence Signals Directorate ACSI-33.

The Key Management Plan outlines the keys that exist, security classifications (which for key material is typically one grade higher than the data it protects), the policy and procedures that are used to protect keys throughout their lifecycle, key accounting and security incident response procedures.

Procedural controls

Procedural controls include things like keeping an access register for recording any entry to your server room, requiring at least two people to be present when any key material is accessed (so called 'no-lone-zones'), and assigning a Key Manager for each cryptographic key.

A Key Manager is a person responsible for the security of a key and for reporting any possible key compromises. They must typically be present whenever a sensitive key management operation takes place, such as generating a new key or restoring a key from backup. By assigning a Key Manager to each key, you can greatly reduce the risk of a key being forgotten about and not managed appropriately.

Procedural controls that need at least two people for any key management operations, including the Key Manager, can greatly reduce internal threats of key compromise, such as from a single systems administrator. Even if your staff are trusted implicitly, these controls can help ensure that the system is demonstratively secure to a third party, which may be necessary if you later claim non-repudiation of a digital signature, or need to rely on the security of a signature for evidentiary purposes.

Technical controls

HSMs and cryptographic tokens

One of the most effective technical controls you can use to protect against key compromise is to use specialised hardware devices to generate and store the key material. These devices are called Hardware Security Modules, or HSMs. They generate the key internally and do not let it leave the HSM, except perhaps in encrypted form for backup purposes. In most cases the HSM also includes tamper-protection measures. These erase sensitive key material automatically if the HSM is stolen or if an attacker tries to open it.

HSMs are available from manufacturers such as:

Smart cards and USB cryptographic tokens are logically similar in function to a HSM, but designed to be carried around by a person instead of staying in a server rack. These devices are normally protected by a PIN. They provide an effective form of two-factor authentication, requiring the owner of the token to provide something they have (the token) in addition to something they know (the PIN) before the key material can be used.

These tokens are available from numerous manufacturers including:

Which HSM to use?

Choosing between hardware products like HSMs and smart cards can be difficult, particularly if several offerings meet your requirements. An important differentiator is the accreditation status of the product.

Accredited products provide a higher level of security assurance due to the independent analysis and penetration testing that they have stood up to.

In Australia, the Defence Signals Directorate (DSD) manages the security evaluation process and publishes the list of evaluated products.

Other technical controls

Technical controls exist beyond hardware devices. Keys can be split between multiple custodians such that any m of n people are needed to reconstruct the original key value. This approach is particularly useful for securely storing a backup of a HSM contents, or for storing a high-value key such as that for an offline CA.

Another way to reduce the risk of key compromise is by reducing key lifetime. Most keys have defined lifetimes after which they should not be trusted. Reducing the lifetime of a key reduces the quantity of data that it will be used to protect, and therefore the consequence of a key compromise.

Unfortunately, there is normally some over-head in periodically replacing keys. Where large numbers of keys need to be replaced periodically, the task of managing them can be onerous. A number of Castelain's clients have suffered system outages when server keys expired because the keys had not been identified and replaced.

Appropriate key management software can greatly help solve problems such as this.

Examples are:

Structural controls

Structural controls rely on responsibility within an organisation being assigned so that the organisation structure provides a degree of security and accountability. For example, ensuring that the team that audits your production system is independent of the team that runs it.

Similar processes can be followed for key management. A typical approach is to allocate a Key Manager for each key from the business team. This person holds the passwords or other credentials that are required for any key management functions, but they have no access to the server room where the key material is stored. This makes it impossible for either the systems administrators or the business team to perform any key management operations without the co-operation of the other group.

Summary

The single most important aspect of key management is an appreciation of the value of key material. Keys are small and easy to steal, and yet very valuable. It's vital that you know what they are worth and take good care of them. An attacker that copies your keys can gain access to all of the information going in and out of your organisation, can steal your identity, and can change any data that is sent over the Internet. This may sound bad enough, but the worst part is that if it does happen, you may not ever find out about it.

As a parting thought, consider the story of the Enigma machine, used during World War II by the Germans. The Enigma machine was widely considered secure by the Germans, but was broken by the Allies through a combination of extreme effort, luck, mathematical genius and exploiting errors in German key management processes. The intelligence gained from this success was enormously beneficial and is said to have shortened the war by at least two years and saved millions of lives, but was kept secret until the British Government allowed the story to be published in 1974.

A good starting point for more information on key management is the August 2007 Aberdeen report on Encryption and Key Management.

To download a PDF version of this report click here.

About the author

Paul Cuthbert is a Principal Security Consultant for Castelain Pty Limited. Castelain provides specialist IT security consulting services in the Asia-Pacific region, particularly transaction security, identity management and risk management services. Castelain's customers include a number of major banks and Government organisations both in Australia and abroad. Castelain is not aligned with any vendor, does not accept commissions, and does not sell products. Their advice is purely in the interests of their clients.

More information on Castelain, including the services they can provide and previous experience, is available from: