What is key management in Cryptography?


What is key management in Cryptography?

This is a fundamental question that must be understood when establishing a public key infrastructure (PKI). In basic terms, to perform effective encryption and decryption there are both public and private keys. Public keys, used to encrypt messages, are not sensitive and can be known to any one. Conversely, the private key is used to decrypt messages, is unique and should be safe guarded. This is where key management comes in.

Key management describes the policies, processes and procedures used to safeguard keys that are used to decrypt messages. Keys are generally managed, controlled and communicated via certificate authorities (CA’s) and exist in the form of certificates. In a public key infrastructure, the CA resides at the top of the chain and is responsible for managing all of the keys (or certificates) in that infrastructure. In a client/server architecture both the client and server validate the authenticity of the key/certificate with the CA. The video below gives a good basic overview of key management.

CA’s are usually outsourced to third parties such as Verisign or Nortel Entrust, however, organisations may wish to build their own infrastructure and certificate authority. In this case, the organisation must make sure that they are securing their CA and managing keys appropriately, including limiting/monitoring access securely.

Certificates are used to validate a user is who they say they are and that the private key can be used by that user. However, these certificates can be spoofed so appropriate controls need to be implemented to make sure that certificates are genuine e.g. time of validity and appropriate encryption.

As certificate authorities reside at the very top of the chain, they must demonstrate strong security controls to protect certificates in their possession. Essentially, a compromise of a certificate authority could bring down the whole organisation or result in insecure communications for all parties. It is therefore imperative to lock down CA’s appropriately. As briefly mentioned, certificates should be configured to be revoked after certain time periods at the CA should maintain a certificate revocation list (CRL) that details when a certificate has expired or been revoked. In most cases, it is easier to simply outsource the CA to a trusted entity and ensure communications are appropriately secured rather than building an in-house CA.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related. Follow Lee on .

Leave a Reply

Your email address will not be published. Required fields are marked *