### RESOURCES

This article looks at the concept of cryptographic key management – what it is, why it’s important, and how an electronic key management system simplifies the task of managing a high volume of keys.

## Let’s start at the beginning – what is a “key”?

A key (in the context of cryptography) is essentially just a very big number. Keys are a fundamental component of cryptography, being used in cryptographic operations such as encryption, hashing and signing to provide desirable properties like confidentiality (keeping information secret), integrity (preventing information being altered) or authenticity (verifying who the information came from).

The length of a key is measured by the number of binary digits (“bits” – i.e. 1’s and 0’s) that it takes to represent its value. Keys are typically hundreds or, in some cases, a few thousand bits long. This provides a balance between security and computational efficiency – too short, and the key is not secure, too long, and it makes cryptography impractically slow.

## What are keys used for?

There are two basic types of key: symmetric and asymmetric

### Symmetric keys

Symmetric keys are typically used for encrypting and decrypting information. They are analogous to physical keys, as they are used to “lock” the information away securely (i.e. encrypted) such that it can only be “unlocked” (i.e. decrypted) by someone with the same key. The term “symmetric” comes from the way the same key is used for both encryption and decryption.

To be secure (i.e. “strong”), symmetric keys must be long and random (i.e. unguessable) and have to be kept secret. Even if an attacker knows what encryption algorithm was used, they cannot decrypt the information without this secret key. A good-quality symmetric encryption algorithm used with a strong key prevents the attacker from guessing (i.e. “breaking” or “brute forcing”) the key in any reasonable amount of time, even with a very powerful computer that can try millions of different key guesses per second.

### Asymmetric keys

Asymmetric keys always come in pairs, each pair comprising a “private key” and a “public key” that are mathematically related to each other. The private key must be kept secret (like a symmetric key), but the public key, as its name suggests, can be shared with anyone. Such keys make “public key cryptography” possible.

The properties of asymmetric keys mean that anyone can encrypt information with the public key, but only the owner of the private key can decrypt it. This is useful for sending a private message to someone, as all they need is your public key. (With symmetric encryption, you would have to send them a copy of the secret symmetric key, with the risk that it might fall into an attacker’s hands.)

Asymmetric keys can also be used to verify the authenticity of a message. The message is first compressed using something called a “hash function”, and the resulting “fingerprint” is then encrypted using the private key, thereby creating a “digital signature”. It is then easy for anyone to decrypt this signature using the originator’s public key to check that it gives the same result as hashing the message themselves, in which case only the owner of the corresponding private key could have signed it.

## Where do keys come from?

Keys are typically generated by computers in software, using random number generator functions built into operating systems and programming language libraries. This is adequate for most day-to-day purposes but can result in weak keys and provides little protection against determined attackers. Therefore, for critical applications such as financial transactions and encrypting very sensitive information, it is preferable to generate and store keys inside a Hardware Security Module (HSM).

HSMs are standalone computing devices running trusted operating systems and firmware, usually designed to be tamper-resistant and certified to international security standards. They use hardware-based random number generators to create very strong keys that are well-protected inside the HSM against potential attackers.

## What is key meta-data?

Key meta-data is information relating to a key, such as what type of key it is, when it expires, who owns it, what it is used for, etc. Without this, the key is just a meaningless number and its purpose (and value) can easily get forgotten.

## What is the key life-cycle?

The key life-cycle refers to the time from when a key is created until it is permanently deleted. During its life-cycle, many things can happen to a key. For example, it can be approved, backed-up, distributed somewhere or revoked. A key can also be updated periodically (i.e. the key value is changed, though it logically remains the same key with the same meta-data) – this is good security practice, as the longer a key is used the more likely it is to be compromised.

## What is key management?

Key management is simply the practice of managing the key life-cycle. In other words, generating keys when they are required, backing them up, distributing them to the right place at the right time, updating them periodically, and revoking or deleting them. This all needs to be done in a secure way to prevent keys being compromised.

## What happens if a key is compromised?

If a key is compromised (i.e. it is lost/stolen/broken in some way), then it means that whatever information it is protecting is also potentially compromised. This can lead to leakage of personal information, trade secrets and other sensitive/valuable information, or to fraudulent financial transactions. For an organization, this in turn can lead to fines and significant reputational damage and can ultimately reduce the value of the company or even put it out of business. Thus, keys must be treated as if they have the same intrinsic value as the thing they are used to protect.

A compromised key must be revoked and replaced as quickly as possible, and an investigation undertaken to discover what damage has been done and how the compromise happened to avoid a repeat.

## What is the role of an electronic key management system?

Keys can be managed manually (e.g. using paper or spreadsheets combined with strict procedures and physical safes), but this is labor-intensive, error-prone and insecure.

An electronic key management system solves this, enabling keys (and their meta-data) to be managed efficiently and securely throughout their entire life-cycle, automatically keeping a permanent electronic record of everything that happens to each key in the form of a secure audit log.

Furthermore, a key management system can enforce best-practice security policies to ensure that keys are managed securely and protected against both internal and external threats.

They will typically make use of an HSM to ensure keys are strong and well-protected.

Such a system is an essential tool to maintain and demonstrate compliance with many different standards (such as PCI-DSS), especially within heavily-regulated sectors such as finance, healthcare and government.

Finally, key management systems provide the opportunity to centralize and automate key management, resulting in a far more efficient way to manage an ever-increasing number of keys that often protect many of a company’s most valuable assets.

## What are the challenges in key management?

Perhaps the biggest challenge is integrating with the thousands, if not millions, of off-the-shelf and in-house cryptographic applications currently in use within the enterprise environment and, increasingly, within the cloud, in order to securely deliver keys to these in an automated fashion.

Unfortunately, there is no ubiquitous standard for key distribution. KMIP (Key Management Interoperability Protocol) was developed as far back as 2010 in an attempt to address this problem, but very few applications support this even today. Thus, most key management systems support a range of off-the-shelf integrations with the most common applications, plus a proprietary API for bespoke integration with other applications.

We see the same problem with cloud infrastructure and SaaS applications. Whilst many now support the concept of BYOK (Bring Your Own Key) – i.e. the ability the generate a key in your key management system and upload it to the cloud, so that you have sole control of the key – each platform or application provides its own proprietary format and mechanism for uploading BYOK keys.

Thus, rolling out a key management system is something that typically has to be phased, and enterprises should work closely with the vendors of their applications and key management system to ensure that integration can be achieved, with the fallback of using manual key distribution (not to be confused with manual key management!) in certain situations.

## Are all key management systems equal?

No! There are many key management systems on the market. Some are designed for specific vertical markets (e.g. banking or defense), while others are vendor-specific or designed for a narrow range of applications (e.g. databases).

The level of functionality, automation, ease-of-use, security and support for regulatory compliance can also vary tremendously.

The reputation and experience of a vendor are generally the best indicators of quality, as are strong customer references in a relevant market sector.