Essential Guide to Protect Your Data [Key Management Techniques]

If you do not have a proper key management process for changing the keys, then it’s better to have no encryption at all. A look inside Key Management Techniques.


  1. Key Management Techniques www.sisainfosec.com
  2. Introduction
     • Various information security standards – ISO 27001, HIPAA, PCI DSS…
     • Controls can be mapped across all the standards BUT the primary asset will vary for each standard
       ◦ HIPAA – ePHI – Electronic Protected Health Information
       ◦ ISO 27001 – Critical assets identified as part of risk assessment
       ◦ PCI DSS – Card number
     • Risk-based approach versus detailed control specification
     • Topic of the session – Key Management
       ◦ ISO 27001 – A.12.3.2 – Cryptographic controls and key management
       ◦ HIPAA – Title 2 – Technical Safeguards
       ◦ PCI DSS – Requirement 3.5 and 3.6
  3. Why Encryption and Key Management
     • Everyone is aware of encryption but lacks in-depth knowledge of it
     • Case study
  4. Cryptographic Methods
     Symmetric
     • Same key for encryption and decryption
     • Key distribution problem
     • 3-DES, AES
     Asymmetric
     • Mathematically related key pairs for encryption and decryption
     • Public and private keys
     • RSA
     Hybrid
     • Combines strengths of both methods
     • Asymmetric distributes the symmetric key
       ◦ Also known as a session key
     • Symmetric provides bulk encryption
     • Example:
       ◦ SSL negotiates a hybrid method
  5. Keys – Why?
     This is a trivialization but… Encryption is an obfuscation of data whereby everyone knows the algorithm to “encrypt” and “decrypt” data, but only those who know the key used to encrypt the data can actually decrypt it.
     So… If you’re using encryption and your key is compromised, you only need to change the value of your key to re-protect your data.
     But… If your key is compromised and you do not have a proper key management process for changing the keys, then it’s better to have no encryption at all.
     Welcome to Key Management
  6. Different Types of Keys
     The keys need to be changed at the end of the crypto-period. The crypto-period will vary based on the encryption algorithm used.
  7. Key Management – What is it?
     Key Management is comprised of:
     • Creation of keys
     • Storage of keys
     • Key lifetime (crypto-period)
     • Access of keys for encryption/decryption
     • Execution of the key lifecycle
     • Auditing of key lifecycle
     • Managing a compromise of a key or set of keys
  8. Key Management - I
     Creation of keys: Look for a cryptographic library that provides for generation of keys using a random generation function. That will help you avoid having to manage multiple parties with independent key parts. This way the keys can be generated by the system and humans will never know them.
     Storage of keys: You’ll need at least two keys:
       ◦ One for encrypting data (called a DEK for Data Encryption Key)
       ◦ One for encrypting the storage of the DEK (called a MEK for Master Encryption Key)
       ◦ The DEK and the MEK will need to be stored on separate physical systems so that if one is compromised, the other is not
       ◦ You might want to think about some kind of encryption or obfuscation of your MEK, but that is not a requirement from a strict PCI standpoint.
     Key lifetime (crypto-period): Keys should have a usage period and lifetime akin to the data retention period.
  9. Key Management - II
     Access of keys for encryption/decryption: You’ll need to decide on how keys are accessed considering:
       ◦ Keys will need to be transmitted across components of your system due to the physical separation of DEK and MEK storage
       ◦ Do you embed the crypto routines in the tier using them or do you provide a crypto service, in which case you’ll need to consider how data is securely exchanged between application code and crypto services
     Execution of key lifecycle: Keys have the following states at a minimum:
       ◦ Current (NIST: Active) – used to encrypt and decrypt data
       ◦ Retired (NIST: Deactivated) – used only to decrypt data
       ◦ Expired (NIST: Compromised) – used only to decrypt data of a compromised key
       ◦ Deleted (NIST: Destroyed) – historical reference to a key that no longer exists
     You’ll want to automate the key state transitions in accordance with your key lifetime policy. This is especially true if your data retention period is longer than your combined current and retired key lifetimes, as you’ll need to be re-crypting.
  10. Encryption / Decryption Process
  11. Key Management Solutions
     • Oracle Advanced Security – Transparent Data Encryption OR SQL TDE
     • Hardware Security Module – HSM
     • Key Management Systems like – Safenet Enterprise Key Management, Thales Key Management
  12. SISA Synergistic Security Framework
  13. Thank You! renju.varghese@sisainfosec.com For More Details visit us at http://sisainfosec.com/
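
The key lifecycle from slide 9 (Current, Retired, Expired, Deleted) with automated transitions and re-crypt detection, as an added example that is not part of the original deck. The names `KeyRing`, `Key` and `tick`, the 365-day lifetimes, and the `record_index` mapping of record id to key id are assumptions made for illustration; the cipher operation itself is out of scope here.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

class State(Enum):
    CURRENT = "Active"        # encrypt and decrypt
    RETIRED = "Deactivated"   # decrypt only
    EXPIRED = "Compromised"   # decrypt only, data of a compromised key
    DELETED = "Destroyed"     # historical record, key material gone

CURRENT_LIFE = RETIRED_LIFE = timedelta(days=365)   # assumed policy values

@dataclass
class Key:   # material comes from the system CSPRNG, never from a person
    key_id: int
    created: date
    state: State = State.CURRENT
    material: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)

class KeyRing:
    def __init__(self, today):
        self.keys = {}
        self.new_current(today)

    def new_current(self, today):
        for k in self.keys.values():          # at most one Current key at a time
            if k.state is State.CURRENT:
                k.state = State.RETIRED
        self.cur = Key(len(self.keys) + 1, today)
        self.keys[self.cur.key_id] = self.cur

    def compromise(self, key_id, today):
        if self.keys[key_id] is self.cur:     # keep an encrypting key available
            self.new_current(today)
        self.keys[key_id].state = State.EXPIRED

    def tick(self, today, record_index):
        """Apply the lifetime policy; return record ids that must be re-crypted."""
        if today - self.cur.created >= CURRENT_LIFE:
            self.new_current(today)
        recrypt = []
        for k in self.keys.values():
            aged = k.state is State.RETIRED and today - k.created >= CURRENT_LIFE + RETIRED_LIFE
            if aged or k.state is State.EXPIRED:
                users = sorted(r for r, kid in record_index.items() if kid == k.key_id)
                recrypt += users              # key stays decrypt-only until these move
                if not users:
                    k.state, k.material = State.DELETED, b""
        return recrypt
```

Run `tick` from a scheduled job: a key past its retired lifetime, or marked compromised, is only destroyed once no stored record still depends on it.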
