Independent third-party testing is required to identify, detect, and eliminate flaws in a key management system (KMS). Third-party testing firms frequently have specialised facilities and expertise to conduct testing and provide objective testing reports. These activities should be carried out on each module, including its security functions and protective measures. This article discusses the advantages of third-party key management system testing.
The need for third party testing
Organizations face business challenges such as the quality of the key management system, the accuracy of internal assessments, the accuracy of metrics and system deployment, and the reduction of production defects and risks. Third-party testing provides an optimum solution to help organizations improve their test processes. Trained and skilled professionals in the software testing sector perform the testing procedure in an appropriate manner, thereby reducing the chances of errors or other complexities while the software is implemented or used. Moreover, the third-party testing company will have a specialized team that can handle any worst-case scenario to improve the quality of the key management system software.
The professionals will test the software on various platforms and browsers. Furthermore, they can reduce the time required for the entire testing cycle, which is extremely beneficial in the event of an emergency or urgent requirement. The professional testing team will also ensure that each stage of third-party testing is carried out correctly. Using a third-party test infrastructure saves money: it eliminates the need to acquire and maintain a test bed and avoids the time and money required to train test engineers to the necessary level of expertise. Subsequent engagements with the same third party, the value of which has been validated by previous engagements, become even more cost-effective and efficient.
A third-party functional test should verify that an implementation of a cryptographic function operates correctly in the KMS. For example, a functional test might determine that a cryptographic algorithm implementation correctly computes the ciphertext from the plaintext, given the key.
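A known-answer test of the kind this paragraph describes, as an added example that is not part of the original article: the Python standard library has no block cipher, so HMAC-SHA-256 stands in as the function under test, and a cipher test has the same shape with plaintext and ciphertext fields. The vector layout, `faulty_impl` and its key-truncation defect are constructed for illustration; the expected values are RFC 4231 test cases 1 and 2.

```python
import hashlib
import hmac

# Constructed vector file: the Count/Key/Msg/Mac layout is this example's own;
# the values are RFC 4231 HMAC-SHA-256 test cases 1 and 2.
VECTORS = """\
Count = 1
Key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
Msg = 4869205468657265
Mac = b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7

Count = 2
Key = 4a656665
Msg = 7768617420646f2079612077616e7420666f72206e6f7468696e673f
Mac = 5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
"""

def parse_vectors(text):
    """Turn blank-line-separated 'Name = hex' records into dicts of bytes."""
    cases = []
    for record in text.strip().split("\n\n"):
        fields = dict(line.split(" = ", 1) for line in record.splitlines())
        case = {k.lower(): bytes.fromhex(v) for k, v in fields.items() if k != "Count"}
        case["count"] = int(fields["Count"])
        cases.append(case)
    return cases

def run_kat(implementation, cases):
    """Return the Count of every vector the implementation answers wrongly."""
    failed = []
    for case in cases:
        try:
            got = implementation(case["key"], case["msg"])
        except Exception:  # a crash on a valid vector is also a failure
            got = b""
        if not hmac.compare_digest(got, case["mac"]):
            failed.append(case["count"])
    return failed

def reference_impl(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def faulty_impl(key, msg):
    # Hypothetical defect: only the first 16 key bytes are used.
    return hmac.new(key[:16], msg, hashlib.sha256).digest()

if __name__ == "__main__":
    for impl in (reference_impl, faulty_impl):
        print(impl.__name__, "failed vectors:", run_kat(impl, parse_vectors(VECTORS)))
```

The truncation defect is caught only by the vector with a 20-byte key, which is why a vector set needs to vary key and message lengths rather than repeat one shape.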
Third-party penetration testing of a key management system is a specific type of security testing in which a team of penetration testing experts develops penetration scenarios for the system as a whole and then evaluates the risk of a successful penetration. The scope of penetration testing should include personnel, facilities, and procedures. The testing team attempts to bypass the security safeguards with the goal of defeating KMS security. Any findings made by the penetration testing team should be addressed before initial deployment of the KMS in the production environment.
Processes involved in a third party testing
- A vendor or customer may request that a third party test a Key Management System and device for conformance to a particular standard.
- A functional walkthrough of the Key Management System and device is provided to the third-party testing organization.
- The third-party organization verifies that the requirements of a specification and regulation are met.
- The customer populates data that is relevant for the testing to be carried out.
- The third-party organization initiates the test based on the test plan, test strategy and test scenario.
- An unbiased testing report is provided to the customer.
Third-party testing ensures that the vendor did not miss any flaws in its own testing procedures. The testing organization's specialised facilities aid in reducing the time it takes to complete test activities. A third-party test will reduce the number of defects in the production environment because the key management system and device security are critical.
Review of third party validations
Third-party key management system (KMS) testing can include both functional and non-functional testing. Scalability testing, for example, involves putting a device or system through its paces to see how it reacts when the number of transactions to be processed in a given period of time skyrockets. Although every device has limitations, some device designs scale better than others. Scalability testing is used to stress devices and systems in order to identify and mitigate problems before the devices and systems become fully operational (NIST).
While there are currently no formal validation programs for the security of a KMS, the NIST publication 'A Framework for Designing Cryptographic Key Management Systems' recommends the following validation programs for certain devices of a KMS:
- NIST-approved cryptographic algorithm implementations can be validated under the NIST Cryptographic Algorithm Validation Program (CAVP).
- Cryptographic modules can be validated for conformance to FIPS 140-2 under the NIST Cryptographic Module Validation Program (CMVP).
- Non-cryptographic security and hardware such as operating systems, DBMS, or firewalls can be validated using the Common Criteria Standard under the National Information Assurance Partnership (NIAP).
- A KMS, or parts thereof, could also be validated by a private entity hired by the vendor or a sponsor.
While these validation programs do not guarantee security, they can significantly increase confidence in the security and integrity of the KMS.
References and further reading
- What are the Advantages of Third Party Testing? (2014) by Glen Cory
- A Framework for Designing Cryptographic Key Management Systems (2010) by E. Barker, D. Branstad, S. Chokhani, M. Smid