The modern world of cybersecurity can be a confusing place. There are tons of data, regulations, and mandates in addition to the complex technical aspects. This is especially true when it comes to crypto key management systems (KMSs).
Many business professionals, including CISOs and security managers, are eager to understand the various elements and implications of crypto keys. The confusion often lies in discerning the differences between managing the life cycle of the keys, Hardware Security Modules (HSMs) that ensure the creation of strong keys and suitable protection when storing and using keys, and applications that make use of cryptographic (encryption) keys. Here are a few essential concepts that can give you a better understanding of how to manage cryptographic keys securely.
Key Management Systems - Managing the Key Life Cycle
Understanding the function of the crypto key and why it is essential to manage its lifecycle is the best place to begin. Crypto keys are used as part of the security and confidentiality framework for today’s complex online business applications and processes. Similar to the way we use keys to unlock doors and start cars, crypto keys are used to enable access to sensitive data and initiate processes that utilize this data.
In simple terms, crypto keys are used to encrypt and decrypt sensitive data (for confidentiality), as well as for other security functions such as digital signatures for data integrity and authenticity. To prevent unauthorized access to information, computer systems encrypt the data. This transforms the data so that it is unintelligible; it can only be translated back into a recognizable form by using the proper crypto key. Depending on the configuration, a crypto key may be used to encrypt the data, decrypt it, or both.
The keys must be controlled efficiently so that only authorized applications can use them. Historically, this was a manual process, but as the use of keys continues to increase dramatically, automated management has become a necessity. The primary concern is that when keys are not properly maintained and routinely changed, both the keys and the data they protect become increasingly exposed to cyber-attack.
This is when a KMS becomes essential. It helps security professionals manage the lifetime of a crypto key, from creation through distribution to its eventual destruction. The primary purpose of the KMS is to ensure that the right key is in the right place at the right time. Automating the process with a KMS eliminates the element of human error and improves the security of the key life cycle and of the cryptography that depends on it.
In many organizations, key management systems are used in combination with HSMs to ensure strong cryptographic key generation and that keys are used in a secure environment.
For example, a banking-grade KMS will incorporate a dedicated HSM into the system architecture.
The KMS can then distribute these keys to all other secure endpoints, such as business applications and other HSMs, and control the entire life cycle of the keys.
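The life cycle described above, as an added example that is not part of the original post or of any product it mentions: a toy key manager in Python that moves each key through the pre-activation, active, deactivated and destroyed states defined in NIST SP 800-57 Part 1, refuses any operation a key's current state does not permit (a rotated-out key may still verify old data but never protect new data), zeroises material on destruction, and records every event in an audit trail. `secrets.token_bytes` stands in for HSM-backed key generation, and HMAC-SHA256 stands in for the application's use of the key; both are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Lifecycle states follow NIST SP 800-57 Part 1 (its suspended/compromised states are omitted here).
PRE_ACTIVATION, ACTIVE, DEACTIVATED, DESTROYED = "pre-activation", "active", "deactivated", "destroyed"
# Operations each state permits: a deactivated key may still verify old data but never protect new data.
ALLOWED = {PRE_ACTIVATION: set(), ACTIVE: {"mac", "verify"}, DEACTIVATED: {"verify"}, DESTROYED: set()}

class KeyManager:
    def __init__(self):
        self.keys = {}   # key_id -> {"state": ..., "material": bytes or None}
        self.audit = []  # (event, key_id) pairs, like a KMS audit log

    def _transition(self, key_id, allowed_from, to):
        rec = self.keys[key_id]
        if rec["state"] not in allowed_from:
            raise PermissionError(f"{key_id}: {rec['state']} -> {to} is not a valid transition")
        rec["state"] = to
        self.audit.append((to, key_id))

    def create(self, key_id):
        # secrets.token_bytes stands in for HSM-backed (TRNG) key generation
        self.keys[key_id] = {"state": PRE_ACTIVATION, "material": secrets.token_bytes(32)}
        self.audit.append(("create", key_id))

    def activate(self, key_id):
        self._transition(key_id, {PRE_ACTIVATION}, ACTIVE)

    def rotate(self, old_id, new_id):
        # routine key change: the new key takes over, the old one is kept only to verify existing data
        self.create(new_id)
        self.activate(new_id)
        self._transition(old_id, {ACTIVE}, DEACTIVATED)

    def destroy(self, key_id):
        self._transition(key_id, {PRE_ACTIVATION, ACTIVE, DEACTIVATED}, DESTROYED)
        self.keys[key_id]["material"] = None  # zeroise: the key can never be used again

    def _material(self, key_id, op):
        rec = self.keys[key_id]
        if op not in ALLOWED[rec["state"]]:
            raise PermissionError(f"{key_id} is {rec['state']}; '{op}' is not permitted")
        self.audit.append((op, key_id))
        return rec["material"]

    def mac(self, key_id, data):
        return hmac.new(self._material(key_id, "mac"), data, hashlib.sha256).digest()

    def verify(self, key_id, data, tag):
        expected = hmac.new(self._material(key_id, "verify"), data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
```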
Hardware Security Modules
While the lifecycle KMS is busy managing the creation, distribution, and archival or destruction of keys, the HSM incorporates true random number generators (TRNGs) for strong key generation and provides physical safeguarding of the keys while they are stored and while they are in use. The HSM is a separate physical cryptographic computing device. For card payment processing systems, an HSM can be used to create a root of trust for all other keys and also provides dedicated cryptographic processing for specific functions.
The HSM ensures that keys never exist in unencrypted form outside the HSM, even while they are in use in system memory. This applies both to the KMS servers and to any machines running the KMS client.
Direct access to the HSM is strictly restricted, which eliminates the chance of keys being tampered with while in use. Some HSMs also have built-in tamper-detection features and will promptly erase the crypto key material in the event of an attempted breach.
The HSM is usually only accessible to authorized personnel via secure physical admin interfaces. Even then, key information remains encrypted under a session-specific key.
Crypto Keys and Application Usage
This is where the proverbial rubber meets the road. When your business applications need to interact securely with other internal applications or with external business partners, vendors, and payment processors, they must be given access to keys; without them, the applications cannot access encrypted data. The applications that need to access and use keys are sometimes called key targets. The KMS distributes keys to the key targets via secured processes that are protected by the HSMs.
Some applications may not require the level of key protection that an HSM provides; such applications often use software-based storage and processing for their keys instead.
Typically, an application requiring strong cryptography will have its own HSM(s) to securely store and use the keys managed and distributed by the KMS.
Putting It All Together
The process can seem complicated, but it becomes much clearer once you understand the role that each individual part plays. In subsequent blog posts, we will go deeper into each of these elements in order to provide you with much greater knowledge.