Superconductor

There's lots of talk these days about key management. It certainly looks like lots of it is from vendors trying to position themselves as leaders in key management, although it's not always clear what they mean by that. So what exactly is key management and why should you care about it?

A cryptographic key is much like the combination to a safe. If you have the combination, it's easy to open a safe, but it's hard to open one without the combination. Similarly, if you have the right key, decrypting encrypted data is easy, but it's impractical without this key. But if you're careless with the combination to your safe, someone else can easily find it, and once they have it, the protection provided by the safe is compromised. Similarly, the cryptographic keys that you use to encrypt data need to be handled carefully. If you're careless with them then the protection provided by cryptography can be essentially eliminated. Key management covers all the details of how to handle keys carefully enough to ensure that this does not happen. It ensures that you don't do the cryptographic equivalent of writing the combination to your safe on a Post-it note and sticking it to the wall next to your desk.

An example of why key management is important can be seen in the recent news of ATM PINs being hacked. The news stories that covered these security breaches didn't give much detail about exactly what happened, but you can be fairly sure that the cryptography itself wasn't broken. That's just too hard to make it worth doing. On the other hand, there have been cases in the past where ATM systems have suffered security breaches, and these breaches have been caused by poor key management. That's probably what happened in the recent cases of PINs being hacked, too.

ATM systems have been hacked when key installation, generation or storage has not followed the relevant standards developed by the X9F subcommittee of the Accredited Standards Committee X9, the group that defines information security standards for the financial services industry. There have also been cases where inappropriate access to hardware security modules has made it possible for hackers to get keys that they shouldn't have been able to get. None of these is involves an attack on the cryptographic algorithms; they're all attacks that take advantage of poor key management. Keys weren’t handled carefully enough, and hackers took advantage of the careless processes.

So encryption alone isn't enough to protect sensitive data. It's part of a good solution, but it’s not the entire solution. To get a complete solution you also need good key management. It's almost always much easier for hackers to defeat key management than to defeat cryptography, so that’s probably where they'll focus their efforts. They'll attack your key management not your encryption. This means that to to protect your sensitive data you need to ensure that your key management is done carefully and securely. That's why you should care about key management.