Key Management


Key management refers to operational considerations for the various stages in the lifecycle of an encryption key or key pair.

  • stages:
    • Key Generation
      • Creates an asymmetric key pair or symmetric secret key of the required strength, using the chosen cipher
    • Storage
      • Prevents unauthorized access to a private or secret key
      • protects against loss or damage
    • Revocation
      • Prevents use of the key if it is compromised
      • If a key is revoked, any data that was encrypted using it should be re-encrypted using a new key
    • Expiration and Renewal
      • Gives the certificate that validates the key a “shelf-life” to increase security
      • Every certificate expires after a certain period
      • can be renewed with the same key pair or with a new key pair

A decentralized key management model means that keys are generated and managed directly on the computer or user account that will use the certificate.

  • does not require any special setup, so is easy to deploy
  • makes the detection of key compromise more difficult

A key management system (KMS) is the set of procedures and tools (software) that centralizes the generation and storage of cryptographic keys.

  • centralized model
  • securely manages both public and private keys
    • automating encryption processes and strengthening security within PKI systems
  • enhances security by centralizing key management and integrating with:
    • trusted platform modules (TPMs)
    • hardware security modules (HSMs)
  • In one type of cryptographic key management system:
    • dedicated server or appliance is used to generate and store keys
    • When a device or app needs to perform a cryptographic operation
      • uses the Key Management Interoperability Protocol (KMIP) to communicate with the server

Types of Keys

  • keys provide different forms of security services:

    • Data confidentiality
    • Data integrity
    • Entity authentication (i.e. provide assurance of the identity of a party)
    • Non-repudiation
    • Authorization to access protected physical or logical resources
    • Support services (e.g. key establishment, key agreement, random number generation, etc.)
  • Types of keys:

    • Symmetric encryption and decryption keys: they are used with symmetric-key algorithms to provide confidentiality guarantees.
    • Symmetric key-wrapping keys: they are used to encrypt other keys when they are in transit.
    • Symmetric master/key-derivation keys: they are used to derive other symmetric keys.
    • Symmetric authentication keys: they are used with symmetric-key algorithms to provide identity authentication and integrity.
    • Symmetric key-agreement keys: they are used to establish symmetric keys.
    • Symmetric DRBG keys: they are used to generate random bits or numbers.
    • Symmetric authorization keys: they are used to provide privileges to an entity using a symmetric cryptographic algorithm.
    • Private signature-generation keys: they are used by public-key algorithms to generate digital signatures intended for long-term use.
    • Public signature-verification keys: they are used by public-key algorithms to verify digital signatures.
    • Private authentication keys: they are used with public-key algorithms to provide evidence of the sender identity, when establishing an authenticated session or performing some action.
    • Public authentication keys: they are used with public-key algorithms to verify the identity of the sender, when establishing an authenticated session or performing some action.
    • Private key-transport keys: they are the private keys of asymmetric-key algorithms and are used to decrypt keys that have been encrypted with the corresponding public key, when establishing symmetric keys.
    • Public key-transport keys: they are the public keys of asymmetric-key algorithms and are used to encrypt keys when establishing symmetric keys.
    • Private static key-agreement keys: they are the long-term private keys of asymmetric-key algorithms and are used to establish symmetric keys.
    • Public static key-agreement keys: they are long-term public keys of asymmetric-key algorithms. They are used to establish symmetric keys.
    • Private ephemeral key-agreement keys: they are the short-term private keys of asymmetric-key algorithms. They are used only once to establish one or more symmetric keys.
    • Public ephemeral key-agreement keys: they are the short-term public keys of asymmetric-key algorithms. They are used in a single key-establishment transaction to establish one or more symmetric keys.
    • Private authorization keys: they are the private keys of asymmetric-key algorithms and are used to prove the owner’s right to privileges.
    • Public authorization keys: they are the public keys of asymmetric-key algorithms and are used to verify privileges for an entity that knows the associated private authorization key.

Usage Uniqueness

  • each key should be used for only one purpose because:
    1. the use of the same key for two distinct cryptographic applications may weaken the security provided by one or both of the applications
    2. limiting the use of a key limits the damage that could be done if the key is compromised
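The usual way to honour "one key, one purpose" without managing many independent secrets is to keep one master/key-derivation key (see the key types above) and derive a separate subkey per purpose from it. The following is an added example, not part of these notes or of any NIST text: it implements HKDF (RFC 5869) over the Python standard library and derives distinct encryption, authentication and key-wrapping keys bound to a purpose label. The master key, salt and labels are constructed values; only the RFC 5869 test vector used for the self-check is a published value.

```python
import hmac
import hashlib

# Added example: deriving one key per purpose from a single master key with
# HKDF (RFC 5869), implemented here over the standard library. The master key,
# salt and purpose labels below are constructed values, not taken from any
# real system.

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Step 1: condense the input key material into a fixed-length PRK."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Step 2: stretch the PRK into `length` bytes bound to the `info` label."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length too large for this hash")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Each purpose gets its own label. Because HKDF binds the output to `info`,
# the encryption key, the MAC key and the key-wrapping key are independent
# even though they come from one master key, so compromise or misuse of one
# does not expose the others (the "one key, one purpose" rule).
PURPOSES = {
    "encryption": b"example-app v1 / data encryption key",
    "authentication": b"example-app v1 / message authentication key",
    "key-wrapping": b"example-app v1 / key-wrapping key",
}


def derive_purpose_keys(master_key: bytes, salt: bytes, length: int = 32) -> dict:
    """Derive one subkey per purpose from a master/key-derivation key."""
    prk = hkdf_extract(salt, master_key)
    return {name: hkdf_expand(prk, label, length) for name, label in PURPOSES.items()}


def rfc5869_self_test() -> bool:
    """Check the implementation against RFC 5869 test case 1 (published vector)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
    return hkdf(salt, ikm, info, 42) == expected


if __name__ == "__main__":
    assert rfc5869_self_test()
    # Constructed master key and salt for demonstration only.
    master = bytes(range(32))
    keys = derive_purpose_keys(master, salt=b"constructed-salt")
    for name, k in keys.items():
        print(f"{name:15s} {k.hex()}")
    assert len(set(keys.values())) == len(keys)
```

Changing a label (or the salt) changes the derived key, so rotating the master key rotates every subkey at once, while a leaked subkey reveals nothing about its siblings or the master key.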

Cryptoperiod

Cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities.

  • may be defined in terms of:
    • time between key generation and its end of use
    • or the maximum amount of data protected by the key
  • properties for an adequately defined cryptoperiod:
    1. it limits the number of plaintext and ciphertext pairs encrypted with the same key
      • therefore, it limits the amount of information available to attackers to recover the key
    2. it limits the time for attackers to access resources protected with a key
  • enhances security,
    • but adds overhead for management and risk of key exposure during key-distribution

Key Types, Provided Services, and Cryptoperiods

Key type                              | Provided security services                  | Cryptoperiod (years)
--------------------------------------+---------------------------------------------+---------------------
Symmetric encryption key              | Confidentiality                             | ≤ 2 (*)
Symmetric key-wrapping key            | Support                                     | ≤ 2 (*)
Symmetric master/key-derivation key   | Support                                     | ≤ 1
Symmetric DRBG key                    | Support                                     |
Symmetric authentication key          | Authentication, Integrity                   | ≤ 2 (*)
Symmetric key-agreement key           | Support                                     | 1 to 2 (**)
Symmetric authorization key           | Support                                     | ≤ 2
Private signature-generation key      | Authentication, Integrity, Non-repudiation  | 1 to 3
Public signature-verification key     | Authentication, Integrity, Non-repudiation  | Several
Private authentication key            | Authentication, Integrity                   | 1 to 2
Public authentication key             | Authentication, Integrity                   | 1 to 2
Private key-transport key             | Support                                     | 1 to 2 (***)
Public key-transport key              | Support                                     | 1 to 2
Private static key-agreement key      | Support                                     | 1 to 2 (***)
Public static key-agreement key       | Support                                     | 1 to 2
Private ephemeral key-agreement key   | Support                                     | One transaction
Public ephemeral key-agreement key    | Support                                     | One transaction
Private authorization key             | Authorization                               | ≤ 2
Public authorization key              | Authorization                               | ≤ 2

* At most two years for the originator, and at most three years more than the originator for the recipient.
** In some applications (e.g. email) where received messages are stored and decrypted at a later time, the recipient key-usage period may exceed the originator key-usage period.
*** In some applications (e.g. email) where received messages are stored and decrypted at a later time, the cryptoperiod of the private key may exceed that of the corresponding public key.
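The cryptoperiod section and the footnotes above describe two usage periods for one key (the originator may protect new data for up to two years; a recipient may keep processing already-protected data for up to three years more) plus a data-volume limit and a revocation state. The following is an added example, not code from these notes or from any KMS product: a small key record that enforces those limits. The key identifier, dates and byte limit are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Added example: enforcing a cryptoperiod on a symmetric encryption key.
# The record below is a constructed illustration, not a real KMS API. It
# follows the table above: an originator usage period of at most 2 years,
# a recipient usage period up to 3 years longer, an optional cap on the
# amount of data protected under the key, and a revocation that stops all use.


def utc(year: int, month: int, day: int = 1) -> datetime:
    """Helper for building timezone-aware timestamps in the demo and tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class KeyRecord:
    key_id: str
    generated_at: datetime
    originator_period: timedelta               # how long the key may protect *new* data
    recipient_extension: timedelta             # extra time already-protected data may be processed
    max_protected_bytes: Optional[int] = None  # data-volume form of the cryptoperiod
    protected_bytes: int = 0
    revoked_at: Optional[datetime] = None

    @property
    def originator_end(self) -> datetime:
        return self.generated_at + self.originator_period

    @property
    def recipient_end(self) -> datetime:
        return self.originator_end + self.recipient_extension

    def revoke(self, now: datetime) -> None:
        """Compromise or retirement: stop every use from `now` on. Data protected
        under the key should then be re-encrypted under a new key."""
        self.revoked_at = now

    def _is_revoked(self, now: datetime) -> bool:
        return self.revoked_at is not None and now >= self.revoked_at

    def can_protect(self, now: datetime, nbytes: int = 0) -> Tuple[bool, str]:
        """May the originator encrypt `nbytes` of new data with this key right now?"""
        if self._is_revoked(now):
            return False, "key revoked"
        if now >= self.originator_end:
            return False, "originator usage period ended"
        if (self.max_protected_bytes is not None
                and self.protected_bytes + nbytes > self.max_protected_bytes):
            return False, "data-volume limit reached"
        return True, "ok"

    def protect(self, now: datetime, nbytes: int) -> None:
        """Account for data protected under the key; refuse if out of cryptoperiod."""
        allowed, reason = self.can_protect(now, nbytes)
        if not allowed:
            raise PermissionError(f"{self.key_id}: {reason}")
        self.protected_bytes += nbytes

    def can_process(self, now: datetime) -> Tuple[bool, str]:
        """May a recipient still decrypt data already protected under this key?"""
        if self._is_revoked(now):
            return False, "key revoked"
        if now >= self.recipient_end:
            return False, "recipient usage period ended"
        return True, "ok"


def example_encryption_key() -> KeyRecord:
    """Constructed record: generated 2024-01-01, 2-year originator period,
    3-year recipient extension, at most 1 MB of data protected."""
    return KeyRecord(
        key_id="example-aes-key-001",
        generated_at=utc(2024, 1),
        originator_period=timedelta(days=2 * 365),
        recipient_extension=timedelta(days=3 * 365),
        max_protected_bytes=1_000_000,
    )


if __name__ == "__main__":
    key = example_encryption_key()
    key.protect(utc(2025, 6), 600_000)
    print(key.can_protect(utc(2025, 6), 500_000))  # data-volume limit reached
    print(key.can_protect(utc(2026, 6), 1_000))    # originator usage period ended
    print(key.can_process(utc(2026, 6)))           # still ok for recipients
    print(key.can_process(utc(2029, 6)))           # recipient usage period ended
```

Separating `can_protect` from `can_process` is what lets the recipient period outlive the originator period, as footnotes (*) to (***) require, while revocation closes both paths at once; the byte counter implements the "maximum amount of data protected by the key" form of the cryptoperiod alongside the calendar form.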