Key Meta-Data: Why It’s Important and How to Manage It

This article explains the concept of meta-data in the context of cryptographic keys, explaining why it is used and the necessity to manage it well.

Cryptographic keys lie at the heart of cryptography. The protection offered by algorithms such as 3DES, AES and RSA depend on the security of these keys. Thus, the way such keys are generated, protected and managed is of fundamental importance.

However, keys are just large, random numbers and have no meaning in isolation. It’s like having a large bunch of door keys – if they are not labelled, you have no idea which door each key is for. Therefore, we use “meta-data” to label cryptographic keys and ensure that they are protected and managed correctly throughout their life-cycle. Even when a key is deleted, its meta-data remains as a permanent record of its existence.

There are many types of key meta-data, which can be broadly categorized as follows:

Identity & Revision

Each key is typically assigned a label to identify it. For example, when using a key management system, there may be an internal system reference as well as an assigned, human-friendly label. It may also be identified as part of a particular set of related keys. 

In addition, there may be a revision number that is incremented when the key is rotated. (The process of “key rotation” is the periodic refresh of a key’s value to reduce and mitigate the risk of any compromise.) There may also be a Key Check Value (KCV) that acts like a fingerprint – this helps to identify a particular revision of the key (without seeing its secret value) and can be used to validate its integrity after being transported.

Type & Length

This will indicate the basic function of the key (e.g. system key, application key, key encryption key), which algorithm it is intended to be used for (e.g. 3DES, AES, RSA, etc.) and its size (i.e. length in bits or bytes).

Ownership & Usage

This indicates who “owns” the key, which can be used to protect it from unauthorized access or use. The allowed usage of each key can also be defined, e.g. which application(s) are permitted to use the key and for what operations (e.g. encryption, signing, etc.) as well as any imposed restrictions (e.g. how it may be exported or transported).

Status & Expiry

The status of a key is tracked throughout its life-cycle, e.g. when it is created, approved, activated, deployed, archived, etc. Each key also has a “crypto-period” that defines when it expires and should be rotated. The meta-data may also define whether workflow features like auto-renewal are allowed or not.

Custom Meta-Data

Custom meta-data may be associated with each key. This may be data that is required by the application using the key and is distributed with the key, such as PKCS#11 attributes, or it may just be notes or other necessary data that does not fit into any other standard field.