Payment HSM

Practical Key Management in Banking

Today we’re going to be looking at Practical Key Management as it applies to the banking industry. Transactions taking place online obviously have a great need for efficient protection, there’s many ways to approach this need. We’ll be going over different encryption methods, a practical use case of banking encryption, and analysis on what types of encryptions are most useful in this subject.

Some major challenges of symmetric cryptography 

A major problem is the more users you have that require access to the secret key, the more difficult key management becomes. Some ancillary processes may be required for multiple clients to be able to access the same keys.

Symmetric keys also don’t have metadata inherently attached to themselves, so they are vulnerable to expiration. Therefore, a Key Life Cycle Management System can be implemented to automatically rotate expired keys out of the cycle. Furthermore, if one symmetric key is compromised, it makes all users vulnerable – therefore symmetric keys require protection.

The Hardware Security Module (HSM) is a highly advanced and secure storage device specifically for keys. At the end of the key lifecycle, the key must be retired, and a new key must replace it.

Symmetric versus asymmetric cryptography

Symmetric algorithms are very old in concept and revolve around the idea of the same key being used to encrypt and decrypt the information, this can prove useful for speed. However, it is more vulnerable than a newer type of encryption that uses a public and private key for encryption and decryption respectively. This type of encryption, called Asymmetric Encryption, has proved its superiority in security and is now widely implemented to this day.

So why use symmetric encryption at all if asymmetric encryption is more secure? It would be like driving a tank to work instead of a car, sometimes the extra protection can slow you down too much. For differing use cases, such as banking, symmetric algorithms can provide an advantage in making sure the encryption process is done as fast as possible.

How much slower would the world move if internet transactions were several times slower than they are now? How much more expensive would it be to maintain these systems with slower, more complicated algorithms? Hence the need for symmetric encryption.

Asymmetric encryption shines with its uses in digital signing or blockchains, for instance, where absolute data security is paramount. With digital signing, the use of both a public and private key means the identity of the signer of the data can easily be known.

The signer uses their private key for encryption, while the recipient verifies their identity with their public key. As only the public key of the signer can decrypt data encrypted with the signer’s private key, the identity of the signer is verified when the data is decrypted.

Asymmetric encryption algorithms are widely used for protecting online communications nowadays where complex key handling challenges are present. Public Key Infrastructure (PKI) is a major framework that is based on asymmetric encryption. Using HSMs and Key Lifecycle Management, tedious tasks are automated to make it easier to facilitate high availability operations and encryption standard compliance.

How does the symmetric scheme work

Symmetric encryption security devices are highly advanced and secure, but not always the easiest to use. Here’s an example of how a device would work. If two devices need to make a connection, there are three different key types involved:

  • Master Key is Highly protected and long-term key used to decrypt other keysKey Encryption Key (KEK) – used to encrypt keys, also highly protected

  • Session Key is Randomly generated number that ensures an uncompromised connection between the two devices

  • The Master key and KEKs must be updated from time to time, most devices have on board programming that checks key integrity automatically, so this process is made easier. KEKs should always be installed manually by a key custodian or automatically though a preconfigured Key Management System process.

The decryption process is as follows:

  • The devices make a session key using an RNG (random number generator)
  • A small amount of data is encrypted on the session key
  • Encrypts the session key with the KEK
  • Sends the encrypted data to the recipient device
  • Destroys session keys
  • After a certain amount of input data, steps 1-4 are followed for the sake of key variety

However, there are many practical problems arising in this scenario:

  • How long can master keys be kept secret? How often do they require rotation?
  • KEKs also must be rotated periodically, what policies govern them?
  • Every communication link between the two subscribers must use a KEK. How do you ensure availability when many subscribers must be serviced?


Key management can be a complicated process but is important to manage well for the sake of high availability and security, especially with customers and company assets being protected through these encryptions. Both Asymmetric and Symmetric encryption algorithms have their advantages and disadvantages, which makes either type effective depending on the use case. It is important to understand their differences when considering encryption for banking purposes. After breaking down the symmetric encryption process, it becomes an obvious choice for practical key management for banking use cases.

The efficient and secure delivery of keys and certificates, protected by their respective cryptographic standards, is what enables us to conduct our banking business. The integrity and speed information transfer process must be held to the highest priority. At Encryption Consulting, we provide guidance on this framework through education and evaluation to achieve even greater efficiency and security, make sure to check out our blogs and education center for more resources on these topics.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Caedon is a Consultant at Encryption Consulting, working with PKIs, and HSMs, and working as a consultant with high-profile clients.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo