Key Management Techniques www.sisainfosec.com

Essential Guide to Protect Your Data [Key Management Techniques]

Introduction

• Various information security standards – ISO 27001, HIPAA, PCI DSS…

• Controls can be mapped across all the standards, BUT the primary asset will vary for each standard

◦ HIPAA – ePHI – Electronic Protected Health Information

◦ ISO 27001 – Critical Assets identified as part of risk assessment

◦ PCI DSS – Card number

• Risk based approach versus detailed control specification

• Topic of the session – Key Management

◦ ISO 27001 – A.12.3.2 – Cryptographic controls and key management

◦ HIPAA – Title 2 – Technical Safeguards

◦ PCI DSS – Requirement 3.5 and 3.6

Why Encryption and Key Management

• Everyone is aware of encryption but lacks in-depth knowledge

• Case study

Cryptographic Methods

Symmetric

• Same key for encryption and decryption

• Key distribution problem

• 3-DES, AES

Asymmetric

• Mathematically related key pairs for encryption and decryption

• Public and private keys

• RSA

Hybrid

• Combines strengths of both methods

• Asymmetric distributes symmetric key

◦ Also known as a session key

• Symmetric provides bulk encryption

• Example:

◦ SSL negotiates a hybrid method

Keys – Why?

This is a trivialization but…

Encryption is an obfuscation of data whereby everyone knows the algorithm to “encrypt” and “decrypt” data, but only those who know the key used to encrypt the data can actually decrypt it.

So…

If you’re using encryption and your key is compromised, you only need to change the value of your key to re-protect your data.

But …

If your key is compromised and if you do not have a proper key management process for changing the keys, then it’s better to have no encryption at all.

Welcome to Key Management

Different Types of Keys

The keys need to be changed at the end of the crypto period. The crypto period will vary based on the encryption algorithm used.

Key Management – What is it?

Key Management is comprised of:

• Creation of keys

• Storage of keys

• Key lifetime (crypto-period)

• Access of keys for encryption/decryption

• Execution of the key lifecycle

• Auditing of key lifecycle

• Managing a compromise of a key or set of keys

Key Management - I

Creation of keys:

Look for a cryptographic library that provides for generation of keys using a random generation function. That will help you avoid having to manage multiple parties with independent key parts. This way the keys can be generated by the system and humans will never know them.

Storage of keys:

You’ll need at least two keys:

◦ One for encrypting data (called a DEK for Data Encryption Key)

◦ One for encrypting the storage of the DEK (called a MEK for Master Encryption Key)

◦ The DEK and the MEK will need to be stored on separate physical systems so that if one is compromised, the other is not

◦ You might want to think about some kind of encryption or obfuscation of your MEK, but that is not a requirement from a strict PCI standpoint.

Key lifetime (crypto-period):

Keys should have a usage period and lifetime akin to the data retention period.
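The DEK/MEK split described above, as an added example that is not part of the original slides. It assumes the third-party Python "cryptography" package and AES-256-GCM; the key id "dek-001", the record label "row-42" and the sample card number are constructed values.

```python
# Requires the third-party "cryptography" package (assumption of this added example).
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def new_key() -> bytes:
    """256-bit key from the library's random generator; no human ever handles it."""
    return AESGCM.generate_key(bit_length=256)

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM encrypt; the fresh 96-bit nonce is prepended to the output."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Decrypt and authenticate; raises InvalidTag on wrong key, wrong AAD or tampering."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)

def wrap_dek(mek: bytes, dek: bytes, dek_id: str) -> bytes:
    """Encrypt the DEK under the MEK. The key id is bound as AAD so one wrapped
    DEK cannot be silently substituted for another."""
    return seal(mek, dek, dek_id.encode())

def unwrap_dek(mek: bytes, wrapped: bytes, dek_id: str) -> bytes:
    return unseal(mek, wrapped, dek_id.encode())

def rewrap_dek(old_mek: bytes, new_mek: bytes, wrapped: bytes, dek_id: str) -> bytes:
    """MEK change: only the small wrapped DEK is re-encrypted, not the bulk data."""
    return wrap_dek(new_mek, unwrap_dek(old_mek, wrapped, dek_id), dek_id)

def can_unwrap(mek: bytes, wrapped: bytes, dek_id: str) -> bool:
    try:
        unwrap_dek(mek, wrapped, dek_id)
        return True
    except InvalidTag:
        return False

def demo() -> bytes:
    mek = new_key()                                  # held only on the key system
    wrapped = wrap_dek(mek, new_key(), "dek-001")    # stored on the data system
    record = seal(unwrap_dek(mek, wrapped, "dek-001"), b"4111111111111111", b"row-42")
    new_mek = new_key()                              # MEK reaches the end of its crypto-period
    wrapped = rewrap_dek(mek, new_mek, wrapped, "dek-001")
    assert not can_unwrap(mek, wrapped, "dek-001")   # the old MEK no longer opens the DEK
    return unseal(unwrap_dek(new_mek, wrapped, "dek-001"), record, b"row-42")
```

The data system only ever stores the wrapped DEK and the ciphertext, so taking either system alone yields no plaintext.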

Key Management - II

Access of keys for encryption/decryption:

You’ll need to decide on how keys are accessed considering:

◦ Keys will need to be transmitted across components of your system due to the physical separation of DEK and MEK storage

◦ Do you embed the crypto routines in the tier using them or do you provide a crypto service, in which case you’ll need to consider how data is securely exchanged between application code and crypto services

Execution of key lifecycle:

Keys have the following states at a minimum:

◦ Current (NIST: Active) – used to encrypt and decrypt data

◦ Retired (NIST: Deactivated) – used only to decrypt data

◦ Expired (NIST: Compromised) – used only to decrypt data of a compromised key

◦ Deleted (NIST: Destroyed) – historical reference to a key that no longer exists

You’ll want to automate the key state transitions in accordance with your key lifetime policy. This is especially true if your data retention period is longer than your combined current and retired key lifetimes, as you’ll need to be re-encrypting.
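One way to automate the state transitions listed above, as an added example that is not part of the original slides. The 365-day current and retired periods, the Key record and all function names are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional

CURRENT_DAYS = 365  # assumed policy: key may encrypt and decrypt
RETIRED_DAYS = 365  # assumed policy: key may only decrypt

class State(Enum):
    CURRENT = "NIST: Active"
    RETIRED = "NIST: Deactivated"
    EXPIRED = "NIST: Compromised"
    DELETED = "NIST: Destroyed"

@dataclass
class Key:
    key_id: str
    created: date
    compromised: bool = False
    # System-generated material; set to None once the key has been destroyed.
    material: Optional[bytes] = field(default_factory=lambda: secrets.token_bytes(32))

    @property
    def delete_on(self) -> date:
        return self.created + timedelta(days=CURRENT_DAYS + RETIRED_DAYS)

def state_on(key: Key, today: date) -> State:
    """Derive the state from the policy clock so no transition relies on a manual step."""
    if key.material is None or today >= key.delete_on:
        return State.DELETED
    if key.compromised:
        return State.EXPIRED
    age_days = (today - key.created).days
    return State.CURRENT if age_days < CURRENT_DAYS else State.RETIRED

def may_encrypt(state: State) -> bool:
    return state is State.CURRENT

def may_decrypt(state: State) -> bool:
    return state in (State.CURRENT, State.RETIRED, State.EXPIRED)

def reencrypt_due(key: Key, written: date, retention_days: int, today: date) -> bool:
    """True if the key is compromised, or decrypt-only and destroyed before retention ends."""
    state = state_on(key, today)
    if state is State.EXPIRED:
        return True
    retention_end = written + timedelta(days=retention_days)
    return state is State.RETIRED and retention_end > key.delete_on
```

A scheduled job can run reencrypt_due over stored records so that data is moved to the current key before its old key is destroyed.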

Encryption / Decryption Process

Key Management Solutions

• Oracle Advanced Security – Transparent Data Encryption OR SQL TDE

• Hardware Security Module – HSM

• Key Management Systems like – Safenet Enterprise Key Management, Thales Key Management

SISA Synergistic Security Framework

Thank you

For More Details visit us at http://sisainfosec.com/