By Jatin Jain
Introduction
In cryptography, a key is a very important piece of information used to combine with an algorithm (a cipher) to transform plaintext into ciphertext (encryption).
The first step of preventive security is not encryption; however, the proper management of a cryptographic key is essential.
Key management includes the generating, using, storing, archiving and deleting of keys. In modern business, encryption plays a vital role in protecting electronic communications and financial transactions.
Successful key management is critical to the security of a cryptosystem. It is a more challenging side of cryptography which involves various aspects of social engineering, such as organization, system policy and departmental coordination.
The best thing about encryption is that, if implemented correctly, it is highly resistant to attack. Unfortunately, the weak point of encryption is the keys. If a key is compromised, all your hard work and complexity is all for nothing. This makes cryptography keys the most precious asset of any company. The value of keys is equivalent to the value of your most crucial information or data.
What is encryption key management?
Encryption Key Management is the management of cryptographic keys in the cryptosystem. Key management concerns itself with keys at the user level, either between user or system. Therefore, a robust key management system is important, and policies must include the following:
- Key life cycle: Key generation, key activation, expiration and destruction
- Physical access to the key server
- Logical access to key servers, which should be on a need-to-know basis for businesses
- Access of user-based roles to encryption keys
We can divide these primarily into three primary key management approaches:
- Decentralized: In this version, end users are 100% responsible for their own key management and the organization is not required to handle key governance
- Distributed: Each team or department in the organization handles its own key management protocol, as per their process and policy. They may or may not contact or coordinate between departments
- Centralized: In this case of centralized key management, there is one policy throughout the entire organization that has to be followed by all. Every team, every department: the user in the organization follows the same key management protocol
Types of encryption keys
There are four basic types of encryption keys: symmetric, asymmetric, public and private.
- Symmetric encryption: In symmetric-key cryptography, a single encryption key is used for both encryption and decryption of data. This encryption is used to protect data and is a fast algorithm
- Asymmetric encryption: In asymmetric keys, a pair of keys are used to encrypt and decrypt the data. Both keys are paired with each other and created at the same time. They are referred to as public and private keys
- Public keys primarily encrypt the data and are only used to encrypt the data, not to decrypt
- Private keys are used to decrypt the data. This is the only key that can decrypt the encrypted data. Should be password-protected
Encryption key management issues
The proper management of cryptographic keys is essential to the safe use of encryption products. Loss of these keys can lead to loss of an access system and data. Unfortunately, key management is a challenge that increases with the size and complexity of your environment. There are many threats that can result in a key being compromised, and typically, you won’t even know the key has been compromised until it has been exploited by the attacker, which makes the threats all the more dangerous!
Here are some of the major threats to be considered:
- Weak keys: The length of the key should be complex for the value of the sensitive data it is securing and the period of time for which it needs to be protected
- Incorrect use of keys: One key should be generated for a single specific purpose/task only
- Reuse of keys: Improper reuse of single keys for multiple purposes can be dangerous and may put the organization at high risk
- Inappropriate storage of keys: This is really important: keys should never be stored at the same place where data is and with the data that they protect, like on a server or database
- Improper protection of keys: Even keys stored only on server memory can be vulnerable to compromise! Keys should be encrypted whenever stored and only be made available in unencrypted form within a secure tamper-protected environment
- Insecure movement of keys: It is important to move a key safely between systems. This should be accomplished by encrypting (“wrapping”) the key under a pre-shared transport key, which can be either symmetric or asymmetric keys
Encryption key management best practices:
- Secure key stores: Key stores must be protected with a complex key in order to achieve optimal security, just like any other sensitive data. They must also be protected wherever they are stored or in transit and especially while in backup. Improper key storage may lead to the loss of all encrypted data
- Access to key stores: Access to key stores must be limited to the entities that need that particular access. There should also be policies governing key stores, which use separation of roles to help control access. An entity that uses a given key should not be the entity that stores that key
- Key backup and recoverability: Loss of keys directly means loss of the data that those keys protect. While this is an unintentionally effective way to destroy data, accidental loss of keys protecting mission-critical data would be devastating to a business. Secure backup and recovery solutions must always be implemented
Conclusion
Security is every employee’s business. To maintain the best practices, every individual organization should manage the keys of their own enterprise or any other credible service. Not all sensitive data should be accessible to anyone and everyone, but should be restricted on a need-to-know basis for people who need it to do their work. The monitoring team should investigate access logs from time to time and secure sensitive areas in order to reduce the chances of data being compromised.
Você sabe a diferença? IAM x PAM
Jatin Jain
With versatile experience in Information Security domain, he has successfully proven himself in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking and also acted as corporate trainer. Have served different government and private organization and provided best security services. Also he has been awarded from world’s best organization like Face book, Apple, etc for providing best security support to them. He included his name in worldwide recognized various hall of fame as well as written article for famous PenTest, Hackin9 Magazine.
Fonte: INFOSEC INSTITUTE
- Cryptography in Modern Business Operations
- NetApp maintains push to data management for AI
- New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials
- Launch a Network with Restaked Security in Minutes: Tanssi and Symbiotic Set New Ethereum Standard
- How Phishing Attacks Adapt Quickly to Capitalize on Current Events
- A chave para proteger seus e-mails: extensões S/MIME
- NIST cancela novo prazo para transição do PQC
- Criptografia Quântica: Você está tratando a confiança digital corretamente?
- Entrevista com Alvin Tedjamulia sobre Criptografia na NetDocuments
- Para 93% dos profissionais de TI, a imutabilidade é essencial para proteger os dados contra Ransomware
Desvende o Futuro da Criptografia com o Crypto ID!
Você está preparado para a era da criptografia pós-quântica?
O Crypto ID é a sua porta de entrada para o mundo fascinante da criptografia, com conteúdos que exploram desde os fundamentos da cripto-agil até as mais recentes inovações em criptografia pós-quântica a geração de chaves baseada em fenômenos quânticos com o comportamento de partículas subatômicas.
Fique por dentro das últimas novidades do NIST e FIPS!
Acompanhe as últimas atualizações dos padrões de criptografia do Instituto Nacional de Padrões e Tecnologia (NIST) e os Padrões Federais de Processamento de Informações (FIPS), que ditam o futuro da segurança da informação. Entenda como ess as novas diretrizes impactam a proteção de dados e a privacidade em um mundo cada vez mais digital.
Dominamos todos os aspectos da criptografia, incluindo: Criptografia de ponta-a-ponta – E2EE, Criptografia simétrica e assimétrica, Criptografia quântica e Criptografia homomórfica.
O Crypto ID é a maior fonte de consulta sobre criptografia no Brasil e na América Latina.
Acesse agora a Coluna Criptografia e mantenha-se atualizado sobre as últimas tendências em segurança da informação.
Gostou? Compartilhe com seus amigos e colegas!