Crypto U10 (part 1), Key Management & Lifecycle

key lifecycle
1. key generation
  1. direct key generation
    1. symmetric keys
    2. generate (pseudo)random number
    3. careful: for some algorithms certain values should be avoided
  2. key derivation
    1. derive keys from other keys
    2. derivation function should be one way
    3. prolongs life of base key which is expensive to create
  3. component key generation
    1. different entities provide input to the key
    2. components put into a "combiner"
  4. public key pair generation
    1. requires random number generation
    2. only mathematically appropriate values
    3. must consult relevant standard before generating values for keys
2. key establishment
  1. getting the key to the right place
  2. Does it need to be.
    1. shared?
      1. distributed in controlled environment?
      2. distributed in uncontrolled environment?
    2. kept secret?
    3. predistributed?
  3. example methods
    1. key hierarchy
      1. key translation
        key center has master keys for each entity in network and facilitates key exchange between entitites
      2. key despatch
        key center has master keys for each entity in network and generates and dispatches keys for communication between entities
    2. unique key per transaction (UKPT)
      1. a new key is created for each transaction based on value stored in key register and transaction information
        Racal UKPT
        Derived UKPT Scheme (Visa)
    3. quantum key establishment
3. key storage
  1. stored encrypted
    1. can be retrieved with correct passphrase
    2. user enters passphrase, passcode turned into key encrypting key, decrypts key
  2. embed in software
  3. store "in the clear"
    1. hide key
  4. store on hardware device
    1. HSM - hardware security module
      1. tamper resistant
        micro switches
        electronic mesh
        resin
        temperature detectors
        light sensitive diodes
        movement or tilt detectors
        security chips
      2. keys are generally stored encrypted by local master key (LMK)
      3. standard: FIPS 140
  5. store in component form
  6. backup
    1. keep in case key-in-use is destroyed
  7. archival
    1. keep record after key removed from circulation (legal purposes)
  8. recovery
    1. accessing key on a backup device
      1. can be associated with key escrow
basics
1. definition: secure administration of cryptographic keys
  1. control types
    1. technical
    2. process
    3. environmental
    4. human factors
2. requirements
  1. secrecy of key
    1. only the intended audience has access
  2. assurance of purpose
    1. entities must be assured that the key is only used as intended
3. key management system
  1. system for managing the various phase of the key life cycle
  2. dependent on
    1. network topology
    2. cryptographic mechanisms
    3. legacy issues
    4. compliance restrictions
4. key properties
  1. length
  2. lifetime (limited)
    1. against key compromise
    2. against key management failures
    3. enforcement of management cycles
    4. against future attacks
    5. flexibility
    6. limitation of key exposure
    7. "cryptoperiod"

Next up

Crypto U10 (part 1), Key Management & Lifecycle

Description

Resource summary

Similar

	Created by jjanesko about 11 years ago