Key Lifecycle - Preoperational
• Installing key policies
• Selecting algorithms
• Registering attributes
• Key parameters
Keys are registered, which binds them to the subject's identity.
In a PKI this binding is implemented with an X.509 certificate.
An X.509 certificate binds a public key to a subject name (the user or system); the binding is asserted by the issuing CA's signature over the certificate.
Key Lifecycle - Creation
• Avoid weak keys
• Avoid weak algorithms or weak implementations of algorithms
• Process of key generation
• Type, purpose and crypto applications of keys
Key Lifecycle – Creation (2)
Random Number Generators (RNG)
• Produce a sequence of 0s and 1s for use in cryptography
• The bits are combined into sub-sequences or blocks to form random numbers (keys, nonces, IVs)
• Deterministic RNG (DRBG / PRNG): produces the sequence from a seed; anyone who knows the seed can reproduce the whole sequence, so the seed must be secret and drawn from an unpredictable source
• Non-deterministic RNG (TRNG): produces the sequence from an unpredictable physical source (entropy source); typically used to seed a DRBG
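The following is an added example (not part of the original slides) of the two RNG types working together: a simplified HMAC_DRBG in the style of NIST SP 800-90A (reseed counter and additional input omitted for brevity) that is deterministic given its seed, and a production path that seeds it from the OS entropy source. The seed values in `__main__` and the function names are constructed for illustration.

```python
import hmac
import hashlib
import os

HASH = hashlib.sha256
OUTLEN = HASH().digest_size  # 32 bytes for SHA-256


class HmacDrbg:
    """Simplified HMAC_DRBG (NIST SP 800-90A), no reseed counter, no additional input.

    The output is fully determined by the seed: two instances seeded with the same
    bytes produce identical streams. Security therefore rests entirely on the seed
    being secret and drawn from an unpredictable entropy source.
    """

    def __init__(self, seed_material: bytes):
        self.k = b"\x00" * OUTLEN
        self.v = b"\x01" * OUTLEN
        self._update(seed_material)

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, HASH).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: mix provided_data into the internal state (K, V)
        self.k = self._hmac(self.k, self.v + b"\x00" + provided_data)
        self.v = self._hmac(self.k, self.v)
        if provided_data:
            self.k = self._hmac(self.k, self.v + b"\x01" + provided_data)
            self.v = self._hmac(self.k, self.v)

    def generate(self, n_bytes: int) -> bytes:
        # HMAC_DRBG_Generate: V = HMAC(K, V) repeatedly, then update for backtracking resistance
        out = b""
        while len(out) < n_bytes:
            self.v = self._hmac(self.k, self.v)
            out += self.v
        self._update(b"")
        return out[:n_bytes]


def generate_key_from_seed(seed: bytes, key_len: int = 32) -> bytes:
    """Deterministic path: the same seed always yields the same key."""
    return HmacDrbg(seed).generate(key_len)


def generate_key(key_len: int = 32) -> bytes:
    """Production path: seed the DRBG from the OS entropy source (non-deterministic RNG)."""
    return generate_key_from_seed(os.urandom(48), key_len)


if __name__ == "__main__":
    # Constructed 'known' seed: anyone who holds it reproduces the key exactly.
    fixed_seed = b"\x42" * 48
    print(generate_key_from_seed(fixed_seed).hex())
    print(generate_key_from_seed(fixed_seed).hex())  # identical to the line above
    print(generate_key().hex())                      # differs on every run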
Key Lifecycle - Distribution
• Based on the type of the key
• Availability of the keys to the parties that need them
• Association of keys with their intended use
• Integrity – detection of change during transit
• Confidentiality – split knowledge principle
• Private and secret keys – split knowledge, trusted entities for distribution
• Public keys – X.509 certificate
• Manual key distribution (keys encrypted under key-wrapping keys)
• Wrapping keys are generally public keys (the recipient's key-transport key)
• If secret (symmetric) wrapping keys are used instead, a separate protected channel is needed to distribute the wrapping key itself
Keys used only to encrypt data in storage on a single system do not need to be distributed at all.
Key Lifecycle - Operation
• Backup and recovery mechanisms
  • Backups hold the same key material and can be compromised; protect them as strongly as the operational copy
  • Controls for detecting a compromise
• Updates and changes
  • Key change (replacement): a fresh, independent key is generated
    • Triggered by cryptoperiod expiration or by suspected or actual key compromise
    • Needs redistribution to all parties
  • Key update: a new key is derived from the old key
    • No redistribution required
    • Produced from the old key by a function known to all parties
    • Is not a remedy for compromise: whoever holds the old key can derive the updated one
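As an added example (not from the original slides) of key update as opposed to key change: each party derives the next key from the current one with an HMAC-based one-way function over a public label and counter, so no redistribution is needed, and the same code shows the caveat that an attacker who obtains one generation's key can derive every later one. The label, counter encoding and initial key are constructed for illustration.

```python
import hmac
import hashlib
from typing import List


def update_key(old_key: bytes, counter: int, label: bytes = b"key-update") -> bytes:
    """Derive the next key from the current one with a one-way function.

    Both parties hold old_key and agree on the public label and counter, so each
    computes the same new key locally: nothing has to be redistributed.
    """
    info = label + counter.to_bytes(4, "big")
    return hmac.new(old_key, info, hashlib.sha256).digest()


def key_chain(initial_key: bytes, generations: int) -> List[bytes]:
    """Keys K0..Kn produced by repeated update, as each party would compute them."""
    keys = [initial_key]
    for i in range(1, generations + 1):
        keys.append(update_key(keys[-1], i))
    return keys


def keys_after_compromise(compromised_key: bytes, generation: int, total: int) -> List[bytes]:
    """Everything an attacker holding generation g's key can derive: that key and all later ones.

    Earlier keys stay safe because HMAC is one-way, but the update offers no remedy for
    the compromise itself; only a key change (independent fresh key) does.
    """
    derived = [compromised_key]
    for i in range(generation + 1, total + 1):
        derived.append(update_key(derived[-1], i))
    return derived


if __name__ == "__main__":
    k0 = bytes(range(32))  # constructed initial key shared by both parties
    alice = key_chain(k0, 5)
    bob = key_chain(k0, 5)
    print("both parties agree on all keys:", alice == bob)
    attacker = keys_after_compromise(alice[2], 2, 5)
    print("compromise of K2 exposes K2..K5:", attacker == alice[2:])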
Key Lifecycle – Post-operation
• Key is no longer used to apply new protection (deactivated or archived)
• Access to the key may still be needed to
  • Decrypt data that was protected under it
  • Verify signatures that were created with it
Key Lifecycle - Destruction
• Overwrite key material with zeros or another meaningless pattern (zeroization)
• Not just the key material at rest: copies in memory, backups, swap and logs should also be considered
Key Storage
• Provide integrity (detect modification of stored keys)
• Provide confidentiality (for secret and private keys)
• Association with applications and objects (which key protects what)
• Assurance of domain parameters (e.g. validated DH or elliptic-curve parameters)
Keys are protected with an additional level of access control.
Key material is destroyed by zeroization when required.
Split Knowledge
• Multiple parties/agencies each store one part of the key.
• Generally operates with two components held by two independent agents.
• Reassembly fails if any component is missing or altered; no single component reveals anything about the key.
Ex: SKIPJACK and the LEAF (Law Enforcement Access Field) method of the Clipper chip, where each device key was split into two components held by two escrow agencies.
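The split knowledge principle listed under Distribution and described here can be shown with an added example (not part of the original slides): an XOR split of a key into n components, two by default as in the two-agent escrow scheme above. All but the last component are uniformly random, so any subset that misses a component carries no information about the key, and reassembly fails closed when a component is absent. The function names and sample key are constructed for illustration.

```python
import secrets
from typing import List


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_components: int = 2) -> List[bytes]:
    """Split key into n components whose XOR is the key (n-of-n split knowledge).

    The first n-1 components are fresh random bytes; the last is chosen so that the
    XOR of all of them equals the key. Any n-1 components are independent of the key.
    """
    if n_components < 2:
        raise ValueError("split knowledge needs at least two components")
    components = [secrets.token_bytes(len(key)) for _ in range(n_components - 1)]
    last = key
    for c in components:
        last = _xor(last, c)
    components.append(last)
    return components


def reassemble_key(components: List[bytes], expected_len: int, n_expected: int) -> bytes:
    """Reassemble the key; fail closed if any component is missing or malformed."""
    if len(components) != n_expected:
        raise ValueError(f"need {n_expected} components, got {len(components)}")
    if any(len(c) != expected_len for c in components):
        raise ValueError("component length mismatch")
    key = bytes(expected_len)
    for c in components:
        key = _xor(key, c)
    return key


def reassembly_fails(components: List[bytes], expected_len: int, n_expected: int) -> bool:
    """True when reassemble_key refuses the given components (e.g. one agent absent)."""
    try:
        reassemble_key(components, expected_len, n_expected)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    device_key = bytes(range(32))  # constructed key to be escrowed
    agent_a, agent_b = split_key(device_key, 2)
    print("both agents present:", reassemble_key([agent_a, agent_b], 32, 2) == device_key)
    print("one agent alone holds the key:", agent_a == device_key)
    print("reassembly with one agent refused:", reassembly_fails([agent_a], 32, 2))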
Digital Certificate
An electronic identity issued to a person, system or organization by a competent authority (a certification authority) after verifying the credentials of the entity.
In PKI, digital certificates are issued according to the X.509 standard.