Read time: 8 minutes
Cryptographic keys are a vital part of any security system. They do everything from data encryption and decryption to user authentication. The compromise of any cryptographic key could lead to the collapse of an organization’s entire security infrastructure, allowing the attacker to decrypt sensitive data, authenticate themselves as privileged users, or give themselves access to other sources of classified information. Luckily, proper Management of keys and their related components can ensure the safety of confidential information.
Key management deals with the creation, exchange, storage, deletion, renewal of keys, etc. Key Management is putting certain standards in place to ensure the security of cryptographic keys in an organization.
Types of Cryptographic keys:
Cryptographic keys are grouped into various categories based on their functions. Let’s talk about a few types:
- Master Key
The master key is used only to encrypt other subordinate encryption keys. The master key always remains in a secure area in the cryptographic facility (e.g., hardware security module), and its length will typically be 128 – 256 bits, depending on the algorithm used.
- The Key Encryption Key (KEK)
When a secret key or data encryption is used, it must be “wrapped” with KEK keys to ensure the confidentiality, integrity, and authenticity of the key. The KEK is also known as the “key wrapping key” or the “key transport key.”
- The Data Encryption Key (DEK)
Depending on the scenario and requirements, data may be encrypted with symmetric or asymmetric keys. In the case of symmetric keys, an AES key with a key length of 128-256 bits is typically used. A key length of 1024 – 4096 bits is generally used for asymmetric keys with the RSA algorithm. In simpler terms, you encrypt your data with data encryption keys.
- Root Keys
The Root Key is the topmost key of your PKI hierarchy, which is used to authenticate and sign digital certificates. The Root Key usually has a longer lifetime than other keys in the hierarchy. The private portion of the root key pair is stored securely in a FIPS-140 2 level 3 compliant hardware security module.
Key length and algorithm
Choosing the right key length and algorithm is very important for the security of your cryptography environment. The key length of keys must be aligned with the key algorithm in use. For any keys (symmetric or asymmetric keys), the key length is chosen based on several factors:
- The key algorithm being used
- The required security strength.
- The amount of data being processed utilizing the key (e.g., bulk data)
- The crypto period of the key
Importance of Key Management:
Key Management forms the basis of all data security. Data is encrypted and decrypted via encryption keys, which means the loss or compromise of any encryption key would invalidate the data security measures put into place. Keys also ensure the safe transmission of data across an Internet connection. With authentication methods like code signing, attackers could pretend to be a trusted service like Microsoft while giving victims malware if they steal a poorly protected key. Keys comply with specific standards and regulations to ensure companies use best practices when protecting cryptographic keys. Well-protected keys should only be accessible by users who need them.
Key management systems are commonly used to ensure that the keys are:
- Generated to the required key length and algorithm
- Well protected (security architects generally prefer FIPS 140-2 complaint hardware security modules)
- Managed and accessible only by authorized users
- Rotated regularly
- Deleted when no longer required
- Audited regularly for their usage
Centralized Key Management:
People often ask if it is mandatory to have a 3rd party key management solution to manage encryption keys centrally. As per my opinion, no, it is not compulsory, but it is good to have features for your organization. A centralized key management system offers more efficiency than application-specific KMS.
The benefits of a centralized key management system:
- Reduces operation overhead
- Reduces costs with automation
- With automation, it reduces the risk of human errors
- Automated key update and distribution to any end-point
- Provides tamper-evident records for proof of compliance
- High availability and scalability
- Meets regulatory compliance
- Simplify your key management lifecycle
Compliance and Best Practices
Compliance standards and regulations ask a lot of key management practices. Standards created by the NIST and regulations, like PCI DSS, FIPS, and HIPAA, expect users to follow certain best practices to maintain the security of cryptographic keys used to protect sensitive data.
The following are important practices to ensure compliance with government regulations and standards:
- The most important practice with cryptographic keys is never hard-coding key values anywhere. Hard-coding a key into open-source code, or code of any kind, instantly compromises the key. Anyone with access to that code now has access to the key value of one of your encryption keys, resulting in an insecure key.
- The principle of least privilege is that users should only have access to keys necessary for their work. This assures only authorized users can access important cryptographic keys while tracking key usage. If a key is misused or compromised, only a handful of people have access to the key, so the suspect pool is narrowed down if the breach was within the organization.
- HSMs are physical devices that store cryptographic keys and perform cryptographic operations on-premises. For an attacker to steal the keys from an HSM, they would need to physically remove the device from the premises, steal a quorum of access cards required to access the HSM, and bypass the encryption algorithm used to keep the keys secure. HSMs on the Cloud are also a viable key management storage method. Still, there is always the chance that the Cloud Service Provider’s security fails, allowing an attacker to access the keys stored therein.
- Automation is a widely practiced method of ensuring keys do not go past their crypto period and become overused. Other portions of the key lifecycle can be automated, like creating new keys, backing up keys regularly, distributing keys, revoking keys, and destroying keys.
- Creating and enforcing security policies relating to encryption keys is another way many organizations ensure the safety and compliance of their key management system. Security policies provide the methods everyone within an organization follows and create another method of tracking who can and has accessed specific keys.
- Separating duties related to key Management is another important practice for any organization. An example of separation of duties is that one person is assigned to authorize the new user’s access to keys, another distributes the keys, and a third person creates the keys. With this method, the first person cannot steal the key during the distribution phase or learn the value during the generation phase of the key lifecycle.
Encryption Consulting Assessment
At Encryption Consulting, we ensure your system meets compliance standards and protects data with the best possible methods. We perform encryption assessments, including key Management and cloud key lifecycle management. We also write weekly blogs that can help you find the best practices for your key management needs and learn more about the different aspects of data security.