Cryptography & key (mis)management


Cryptography is a topic in security discussed by many and understood by few, yet it is the fundamental underpinning of most security controls in place from financial services to government applications.

From protecting PINs to authenticating transactions, cryptography is usually the last layer of defence. Revolutionary developments in the field are few and far between, which is why most of what was secured with well-chosen algorithms many years ago is still secure today (individual algorithms do age, though: DES and MD5 were once standard and are now deprecated, so "tried and tested" must also mean "currently recommended").

Tried and tested public algorithms (AES, the SHA-2 family and similar standardised primitives) are the safest choice when selecting a cryptosystem; most weaknesses in this area lie in the implementation and coding of solutions rather than in the algorithms. When cryptographic systems are broken, it is primarily due to poor implementation of the algorithms or to the key management practices around them.

When implementing cryptographic controls, the procedural controls for key management are often overlooked at the outset, or erode over time as staff and priorities change.

An example of this is the management of a Hardware Security Module (HSM), which performs bulk cryptographic operations in a tamper-resistant environment, and the handling of the sensitive key material loaded onto it. Once an HSM is deployed, the keys the device protects must be managed throughout their lifecycle. This includes the secure operating procedures (key ceremonies) for generating and loading keys, verifying that the correct key was loaded, and zeroising or removing keys at the end of their life.

These operations are fundamental to ensuring that the device and the keys it protects remain secure throughout their lifecycle. Poor procedural controls quickly lead to improper handling of sensitive key material, and a key whose handling cannot be accounted for must be treated as compromised. Once this happens the only real recovery path is to regenerate and redistribute the affected keys, and every key encrypted under them, which is a very costly endeavour.

The people performing these sensitive key management activities also require careful consideration, as their work is crucial to the operation of any organisation that relies on these devices.

The team performing these activities effectively holds the keys to the kingdom, so there must be appropriate segregation of duties to minimise the opportunity for collusion or insider fraud. Clearly defined roles and responsibilities must exist. For example, a custodian entrusted with one component of a key must never have access to any other component of that key (split knowledge), and no sensitive operation on clear-text key material should be possible for one person acting alone (dual control).
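The following Python script is an added example, not code from the original article or any HSM vendor. It models the XOR component scheme that key ceremonies use to enforce split knowledge and dual control when loading a symmetric key into an HSM: the key is split into n components, each custodian receives exactly one, and the device reconstructs the key by XORing all of them together. Any n-1 components are uniformly random and reveal nothing about the key, so no single custodian, and no subset short of all of them, can recover it. The key check value (KCV) here is a truncated SHA-256 of the key; that is an assumption made so the script runs on the standard library alone, standing in for the AES-based KCV that real HSMs compute. The `zeroise` helper shows the intent of the end-of-life step but, as noted in the code, Python cannot guarantee that no other copy of a key exists.

```python
"""Split-knowledge key components for an HSM key-loading ceremony (added example)."""
import hashlib
import secrets

KEY_LEN = 32  # bytes; an AES-256 key


def kcv(key: bytes) -> str:
    """Key check value used to confirm the right key was loaded without revealing it.
    Assumption: truncated SHA-256 stands in for the AES-based KCV real HSMs use."""
    return hashlib.sha256(key).hexdigest()[:6]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split `key` into n components for n custodians.

    The first n-1 components are fresh random values; the last is chosen so that
    the XOR of all n equals the key. Any n-1 components are therefore uniformly
    random and carry no information about the key (split knowledge).
    """
    if n < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_components(components: list[bytes], expected_kcv: str) -> bytes:
    """Rebuild the key from all components (the HSM-side step) and verify the KCV
    so that a mistyped, missing or swapped component is caught before the key is
    put into service."""
    if not components:
        raise ValueError("no components supplied")
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    if kcv(key) != expected_kcv:
        raise ValueError("KCV mismatch: wrong, missing or corrupted component")
    return key


def zeroise(buf: bytearray) -> None:
    """Overwrite a key buffer in place at end of life. Python cannot guarantee
    that no other copy exists (bytes objects are immutable and freely copied),
    which is exactly why real zeroisation happens inside the HSM."""
    for i in range(len(buf)):
        buf[i] = 0


def run_ceremony(n_custodians: int = 3) -> dict:
    """Generate a key, record its KCV, hand out components, reload the key from
    all components, show that a partial set is rejected, then zeroise the copy."""
    key = bytearray(secrets.token_bytes(KEY_LEN))
    expected = kcv(bytes(key))
    comps = split_key(bytes(key), n_custodians)
    reloaded = combine_components(comps, expected)
    reload_ok = reloaded == bytes(key)
    try:  # n-1 custodians together cannot produce a key that passes the KCV
        combine_components(comps[:-1], expected)
        partial_rejected = False
    except ValueError:
        partial_rejected = True
    zeroise(key)
    return {
        "kcv": expected,
        "components": n_custodians,
        "reload_ok": reload_ok,
        "partial_rejected": partial_rejected,
        "zeroised": key == bytearray(KEY_LEN),
    }


if __name__ == "__main__":
    print(run_ceremony(3))
```

The KCV is what the custodians and the HSM operator compare at the end of the ceremony; it is recorded in the ceremony log alongside the chain of custody for each component envelope, so an auditor can later confirm which key was loaded without anyone ever seeing the key itself.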

A complete chain of custody for all key material must be maintained in order to demonstrate that the keys have not been compromised. Compliance audits typically fail when a proper chain of custody cannot be produced, which leaves the keys suspect and the individuals involved in handling them exposed.

Many organisations procure plenty of technology but under-invest in developing secure operating procedures, adhering to them, and staffing them with an appropriately skilled team. The result is that the controls any cryptographic solution can provide are significantly diminished, and many organisations quickly find themselves in a state of non-compliance despite a large initial investment in technology.

Cryptographic controls are all about people, process and technology. Initial and continuous investment must be made in all three areas in order to have effective cryptographic controls. Lack of investment in any of the three areas will create fundamental exposures which can lead to compliance gaps, audit failures, or even worse, costly security incidents.
