Cryptographic Key Management Practices
304 بار بازدید -
پارسال
-
"Cryptographic keys are used to
"Cryptographic keys are used to encrypt data, and it is crucial to protect these cryptographic keys to ensure the confidentiality and integrity of the encrypted data. In this video, I will discuss cryptographic key management practices, starting from secure key generation, secure key storage and usage, and certain administrative controls related to key management practices like separation of duties, dual control, split knowledge, key rotation, and finally, key destruction.
To securely generate a key, it depends on the encryption algorithm used and the length of the key bits, as well as the randomness among these key bits. For example, the Data Encryption Standard (DES) was introduced in 1977 for e-commerce and banking applications. However, after 22 years, it was broken in 1999, where script analysis or breaking it required 24 hours. Currently, RSA, a public key cryptographic algorithm used for PKI-based applications, suggests 2048 bits for normal web usage and at least 3K or 4K bits for classified data.
Regarding the randomness among key bits, they should be unpredictable and can be implemented using a hardware-based true random number generator. Examples include Trusted Platform Modules or Hardware Security Modules that implement this true random number generator. There are also software-based pseudonym number generators, but they are prone to defects, as seen in the OpenSSL package vulnerability in 2008.
With the increase in computational power and advancements in quantum computing, there should be a relative increase in key length to withstand brute force attacks.
For key storage and usage, the Data Encryption Key must be encrypted or secured using a Key Encryption Key (KEK). This KEK encryption is performed by Hardware Security Modules, which generate, store, and replicate KEKs across multiple HSMs for redundancy. Compliance requirements also mandate hardware-based key backups or key generation processes.
Cloud services also provide Hardware Security Module (HSM) services for crypto acceleration of encryption and decryption processes. For less demanding processes, USB-based keys or password management applications can be used.
Administrative controls on key management practices aim to counter insider threats, rogue employees, or human errors. The objective is to ensure that no single person performs all key management practices. Separation of duties requires at least two persons for encryption or decryption processes, with one having access to data and the other to the key. Dual control involves two persons for specific steps, like accessing key encryption keys in HSMs, while split knowledge divides key knowledge among multiple persons.
Key rotation limits the time span of key usage, detects compromises, or adjusts to personnel changes in key management practices. It minimizes the impact of key loss or unauthorized key usage and reduces data availability for cryptanalysis. Standard and PCI DSS compliance require key rotation at least annually.
During key rotation, previous data is decrypted using the retired key and re-encrypted with the new key. Once ensured no data is left encrypted by the old key, it is retired. The retired key can be archived and encrypted with the new key or securely destroyed. Key destruction methods vary by media type, such as overwriting or physically destroying media containing the retired key. Documenting the key's destruction location and method is essential.
Thank you."
To securely generate a key, it depends on the encryption algorithm used and the length of the key bits, as well as the randomness among these key bits. For example, the Data Encryption Standard (DES) was introduced in 1977 for e-commerce and banking applications. However, after 22 years, it was broken in 1999, where script analysis or breaking it required 24 hours. Currently, RSA, a public key cryptographic algorithm used for PKI-based applications, suggests 2048 bits for normal web usage and at least 3K or 4K bits for classified data.
Regarding the randomness among key bits, they should be unpredictable and can be implemented using a hardware-based true random number generator. Examples include Trusted Platform Modules or Hardware Security Modules that implement this true random number generator. There are also software-based pseudonym number generators, but they are prone to defects, as seen in the OpenSSL package vulnerability in 2008.
With the increase in computational power and advancements in quantum computing, there should be a relative increase in key length to withstand brute force attacks.
For key storage and usage, the Data Encryption Key must be encrypted or secured using a Key Encryption Key (KEK). This KEK encryption is performed by Hardware Security Modules, which generate, store, and replicate KEKs across multiple HSMs for redundancy. Compliance requirements also mandate hardware-based key backups or key generation processes.
Cloud services also provide Hardware Security Module (HSM) services for crypto acceleration of encryption and decryption processes. For less demanding processes, USB-based keys or password management applications can be used.
Administrative controls on key management practices aim to counter insider threats, rogue employees, or human errors. The objective is to ensure that no single person performs all key management practices. Separation of duties requires at least two persons for encryption or decryption processes, with one having access to data and the other to the key. Dual control involves two persons for specific steps, like accessing key encryption keys in HSMs, while split knowledge divides key knowledge among multiple persons.
Key rotation limits the time span of key usage, detects compromises, or adjusts to personnel changes in key management practices. It minimizes the impact of key loss or unauthorized key usage and reduces data availability for cryptanalysis. Standard and PCI DSS compliance require key rotation at least annually.
During key rotation, previous data is decrypted using the retired key and re-encrypted with the new key. Once ensured no data is left encrypted by the old key, it is retired. The retired key can be archived and encrypted with the new key or securely destroyed. Key destruction methods vary by media type, such as overwriting or physically destroying media containing the retired key. Documenting the key's destruction location and method is essential.
Thank you."
پارسال
در تاریخ 1401/12/14 منتشر شده
است.
304
بـار بازدید شده