My Keys are Safe – Aren’t They?
Mitigating Risks and Achieving Compliance
Rob Stubbs
Sales Director, EMEA
Cryptomathic Ltd.
The Gold Standard of Security Since 1986
Who are Cryptomathic?
• A leading provider of cryptographic solutions
- CKMS - crypto key management system
- CSG - crypto service gateway
- Signer - eIDAS digital signatures
- CardInk - EMV card data preparation
• Founded in Denmark in 1986
• A trusted partner of many leading banks
Find us at Cryptomathic.com
This Seminar will Cover …
1. The nature and lifecycle of cryptographic keys
2. How keys can be compromised
3. The impact of a key compromise
4. How to mitigate risks and comply with PCI-DSS
Uses of Cryptography
• Cryptography is used within many applications
… from smart toasters to core banking systems
- Data encryption
- PKI
- EMV transactions
- Digital signatures
- Code signing
- Digital rights management
- Blockchain
- etc., etc., etc.
Cryptographic Keys
• Kerckhoffs's principle
- A cryptographic system should be secure even if everything about the system, except the key, is public knowledge
• Key = random number
£(key) = £(data)
Cryptographic Keys
• Secret keys
- Commonly used for symmetric encryption (e.g. DES, AES)
• Private/public key pairs
- Commonly used for signing and authentication (e.g. RSA, ECDSA)
- May also be used for encryption
What Makes a Good Key?
• Unguessable
- Highly random
- Long enough (depending on algorithm and protection required)
• Unique
- Generate a fresh key every time
• Changed periodically
- Depending on algorithm and usage
The Key Lifecycle (Static Keys)
Creation
Backup
Deployment
Monitoring
Rotation
Expiration
Archival
Destruction
NIST SP 800-57: Recommendation for Key Management
“The security of information protected by cryptography directly depends on:
- the strength of the keys
- the effectiveness of the mechanisms and protocols associated with the keys, and
- the protection afforded the keys”
Source: NIST (US National Institute of Standards and Technology)
PCI Data Security Standard – Protecting and Managing Keys
• Requirement 3.5 (guidance)
- “Cryptographic keys must be strongly protected because those who obtain access will be able to decrypt data.”
• Requirement 3.6 (guidance)
- “The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution.”
Source: PCI SSC (Payment Card Industry Security Standards Council)
Protecting Keys – Against What?
• C.I.A.
- Confidentiality (keep keys secret)
- Integrity (prevent keys being tampered with)
- Availability (don’t lose them)
How can Keys be Compromised?
• Weak keys
• Use a strong RNG
- Preferably hardware-based
- Ideally certified to FIPS 140-2
• Real-world horror stories*
- Predictable Netscape seed
- Microsoft Windows 2000/XP RNG
- Possible backdoor in Elliptic Curve DRBG
- MIFARE Crypto-1
- Debian OpenSSL
- PlayStation 3
- RSA public key factoring
- Java nonce collision
[* Source: https://en.wikipedia.org/wiki/Random_number_generator_attack#Prominent_examples]
Examples
• PlayStation 3 (2010)
- Sony’s ECDSA private software signing key was compromised
- Due to re-using the same random “nonce” when signing software
• RSA public key factoring (2012)
- Researchers were able to break 0.2% of Internet RSA public keys
- This was because multiple keys shared a common prime factor, due to poor initial seeding of pseudo-random number generators
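Both failures on this slide can be checked for in a key inventory. The following is an added example, not part of the original presentation: it flags RSA moduli that share a prime with another key and ECDSA signing keys that produced the same r value for two different signatures. The function names, host names and toy numbers are constructed for illustration.

```python
"""Audit a key inventory for the two weaknesses named on the Examples slide."""
from collections import defaultdict
from math import gcd

# Constructed sample data: toy moduli built from tiny primes so the run is instant.
# Real RSA moduli are 2048 bits or more; the check itself is identical.
SAMPLE_MODULI = {
    "web-01": 101 * 103,
    "web-02": 101 * 107,   # shares the prime 101 with web-01
    "web-03": 101 * 103,   # same modulus as web-01 (key cloned onto a second host)
    "vpn-01": 109 * 113,
    "mail-01": 127 * 131,
}

# Constructed sample signature log: (signing key id, r, s) as integers.
SAMPLE_SIGNATURES = [
    ("fw-signer", 0x1A2B, 0x1111),
    ("fw-signer", 0x1A2B, 0x2222),   # same r, different s: the nonce was re-used
    ("fw-signer", 0x3C4D, 0x3333),
    ("app-signer", 0x1A2B, 0x4444),  # same r under a different key: not a finding
    ("app-signer", 0x5E6F, 0x5555),
    ("app-signer", 0x5E6F, 0x5555),  # identical signature logged twice: benign
]


def audit_rsa_moduli(moduli):
    """Compare every pair of moduli and report which key ids are affected.

    Two distinct moduli with gcd > 1 share a prime, so both keys must be
    replaced. Identical moduli mean one key is deployed in several places.
    Only key ids are reported, never the factor itself.
    Pairwise comparison is O(n^2); very large inventories use a product-tree
    ("batch") GCD instead, which gives the same findings.
    """
    duplicate, shared = [], []
    ids = sorted(moduli)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if moduli[a] == moduli[b]:
                duplicate.append((a, b))
            elif gcd(moduli[a], moduli[b]) > 1:
                shared.append((a, b))
    return {"duplicate_modulus": duplicate, "shared_prime": shared}


def audit_ecdsa_nonces(signatures):
    """Return (key_id, r) pairs where one key produced the same r with different s.

    In ECDSA, r depends only on the per-signature nonce, so a repeated r under
    one key with two different s values means the nonce was re-used and the
    signing key must be treated as compromised. An identical (r, s) pair seen
    twice is just the same signature recorded twice and is ignored.
    """
    s_values_by_key_and_r = defaultdict(set)
    for key_id, r, s in signatures:
        s_values_by_key_and_r[(key_id, r)].add(s)
    return sorted(
        key_and_r
        for key_and_r, s_values in s_values_by_key_and_r.items()
        if len(s_values) > 1
    )


if __name__ == "__main__":
    print(audit_rsa_moduli(SAMPLE_MODULI))
    print(audit_ecdsa_nonces(SAMPLE_SIGNATURES))
```
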
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Always consider the intended application and algorithm
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Don’t use the same key for multiple purposes
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Keys should be rotated periodically
• Older symmetric algorithms are a particular concern
- Vulnerable to “Sweet32” (aka “Birthday”) attack
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Always store keys separately from the encrypted data
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Avoid storing keys locally on servers in plaintext
- Even keys in server memory are potentially vulnerable - recent attacks include Heartbleed, Flip Feng Shui, Meltdown, Spectre and TLBleed
• High-value keys should be stored inside hardware security modules
- Ideally use the HSM for performing all crypto operations with the key, so it never needs to leave the HSM
- If you must export or store a key outside the HSM, always encrypt it
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Keys should be transported in one of two ways:
- As multiple “key components” (aka “key shares”), each handled by a different person
- Encrypted under a pre-shared “key encryption key” or KEK (aka “transport key”)
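The first of the two transport methods, as an added example that is not part of the original presentation: a key is split into XOR components for separate custodians and recombined at the destination, with a check value that catches a mistyped or missing component. The function names are hypothetical, and the check value here is a truncated SHA-256 (an assumption made to stay within the standard library; payment HSMs normally use a cipher-based key check value).

```python
"""Split a key into XOR components for separate custodians and recombine it."""
import hashlib
import hmac
import secrets


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key):
    """Short fingerprint used to confirm a key without revealing it.

    Assumption for this sketch: first 6 hex digits of SHA-256 over a fixed
    label plus the key. It is only meaningful for high-entropy keys.
    """
    return hashlib.sha256(b"key-check-value" + key).hexdigest()[:6].upper()


def split_key(key, holders=3):
    """Return `holders` components whose XOR equals `key`.

    All but the last component are fresh random bytes, so any set of fewer
    than `holders` components is statistically independent of the key.
    """
    if holders < 2:
        raise ValueError("at least two custodians are required")
    components = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = key
    for component in components:
        last = xor_bytes(last, component)
    components.append(last)
    return components


def combine_components(components, expected_check_value):
    """Rebuild the key and refuse it unless the check value matches.

    A wrong, mistyped or missing component yields a different key, which the
    check value detects before the key is loaded anywhere.
    """
    if len(components) < 2:
        raise ValueError("at least two components are required")
    if len({len(c) for c in components}) != 1:
        raise ValueError("components must all have the same length")
    key = bytes(len(components[0]))
    for component in components:
        key = xor_bytes(key, component)
    if not hmac.compare_digest(check_value(key), expected_check_value):
        raise ValueError("check value mismatch: a component is wrong or missing")
    return key


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)           # constructed demo key
    parts = split_key(demo_key, holders=3)       # one component per custodian
    kcv = check_value(demo_key)                  # sent separately from the components
    assert combine_components(parts, kcv) == demo_key
    print("recombined key matches, check value", kcv)
```
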
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Non-destruction of keys
• Keys that are no longer required should be destroyed
- Erased fully and permanently
- Removes risk of accidental compromise in the future
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Non-destruction of keys
• Insider threats
• Key access should be controlled
- Specific individuals
- Strong authentication
- Segregation of duties
- Dual control
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Non-destruction of keys
• Insider threats
• Lack of resilience
• High availability
- If a key is not available when required, business applications will fail
• Business continuity
- If a key is irretrievably lost, any associated data may also be lost
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Non-destruction of keys
• Insider threats
• Lack of resilience
• Lack of audit logging
• Monitoring and audit logging can help detect a compromise before any great harm is done
• A lack of audit logs will hamper any forensic investigation after a compromise
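One way to make a key-management audit log tamper-evident, as an added example that is not part of the original presentation: each entry carries an HMAC over its content and the previous entry's MAC, so an edited or deleted entry breaks the chain, and a separately stored head value exposes truncation. The event fields, actor names and function names are constructed, and the MAC key is assumed to be held somewhere the log writer's host cannot read back (for instance in an HSM).

```python
"""HMAC-chained audit log for key lifecycle events, with verification."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # value chained into the first entry


def _entry_mac(mac_key, prev_mac, event):
    """MAC over the previous entry's MAC plus a canonical form of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    message = (prev_mac + "|" + body).encode()
    return hmac.new(mac_key, message, hashlib.sha256).hexdigest()


def append_event(log, mac_key, event):
    """Append an event and return the new head MAC (store it off-host)."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    mac = _entry_mac(mac_key, prev_mac, event)
    log.append({"event": event, "prev": prev_mac, "mac": mac})
    return mac


def verify_log(log, mac_key, expected_head=None):
    """Return None if the log is intact, else the index where it first fails.

    An edited entry fails its own MAC; a deleted entry breaks the link of the
    entry that followed it. Removing entries from the end leaves a valid
    chain, so truncation is only detected when `expected_head` (the last MAC
    recorded elsewhere) is supplied; it is reported as index len(log).
    """
    prev_mac = GENESIS
    for index, entry in enumerate(log):
        expected = _entry_mac(mac_key, prev_mac, entry["event"])
        if entry["prev"] != prev_mac or not hmac.compare_digest(entry["mac"], expected):
            return index
        prev_mac = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev_mac, expected_head):
        return len(log)
    return None


def build_sample_log(mac_key):
    """Constructed sample: four key lifecycle events. Returns (log, head MAC)."""
    events = [
        {"seq": 1, "actor": "alice", "action": "generate", "key_id": "kek-2024"},
        {"seq": 2, "actor": "bob", "action": "approve-export", "key_id": "kek-2024"},
        {"seq": 3, "actor": "alice", "action": "export-wrapped", "key_id": "kek-2024"},
        {"seq": 4, "actor": "carol", "action": "destroy", "key_id": "kek-2023"},
    ]
    log, head = [], GENESIS
    for event in events:
        head = append_event(log, mac_key, event)
    return log, head


if __name__ == "__main__":
    demo_key = b"constructed-demo-mac-key"
    sample_log, sample_head = build_sample_log(demo_key)
    print("intact:", verify_log(sample_log, demo_key, sample_head))
    print("truncated:", verify_log(sample_log[:3], demo_key, sample_head))
```
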
How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Non-destruction of keys
• Insider threats
• Lack of resilience
• Lack of audit logging
• Manual key management processes
• Poor protection of keys
• High risk of human error
• Difficult to avert insider threats
Potential Consequences of Key Compromise
• Fraudulent transactions
• Data breaches
• Theft of intellectual property / trade secrets
… leading to:
- Financial losses, fines, compensation claims, legal costs
- Diminished reputation, loss of competitive advantage
- Reduction in share price, lower credit rating, customer churn
The Challenge …
• More keys to manage
• More zero-day vulnerabilities
• More sophisticated & well-funded attackers
• More and tougher regulations
• More consequences
How to Assess the Risks
• Understand the value of your keys
- Equivalent to the value of the data they protect
• Understand the threats
- Who might want to compromise them? How?
• Determine the risk
- Likelihood & impact of each threat
• Consider possible mitigations to reduce the risk
How to Mitigate the Risks
• Follow good key management practices
- Use high-quality keys
- Provide strong physical and logical security for keys
- Enforce access control, key usage and governance policies
- Utilise secure key distribution
- Ensure high availability & business continuity
- Maintain high-integrity audit logs
Key Management – the Good, the Bad and the Ugly
The Good
• Centralised system
• Full life cycle
• Strong controls
• Secure distribution
• Protected audit log
• HSM root of trust
• Simple audits
The Bad
• Multiple systems
• Multiple owners
• Inadequate controls
• Weak distribution
• Vulnerable logs
• No root of trust
• Complex audits
The Ugly
• Manual processes
• No clear ownership
• Weak controls
• Weak distribution
• Paper logs
• Spreadsheets
• Failed audits
Maturity
Other Benefits of a Centralised Key Management System
• Scales easily
• Increased efficiency
• Fewer skilled resources
• Fewer errors
• Enables automation
• Simplifies compliance
• Supports digital transformation
Key Trends
• Keys are increasingly at risk
- New vulnerabilities every week; network perimeter defences no longer effective
- Attackers are smarter, better funded, and going where the money is
• Key growth driven by increasing use of cryptography, also regulations
• Applications and data are migrating to the cloud
- BYOK (Bring Your Own Key) for AWS, Office 365, Salesforce, etc.
• Quantum technologies are on the horizon
- Quantum computing → “quantum-resistant” algorithms
- Quantum key distribution (QKD)
References
White Papers
Blog
https://www.cryptomathic.com/news-events/blog
Summary
• Keys are as valuable as the data/transactions they protect
• Keys are easily compromised, and the impact can be massive
• This is a challenge that is growing in scale and importance
• Thus keys should be protected and managed appropriately
• A centralised key management system helps mitigate the risks
Thank You
Any Questions?

  • 24. How can Keys be Compromised? • Weak keys • Incorrect use of keys • Re-use of keys • Non-rotation of keys • Inappropriate storage of keys • Inadequate protection of keys • Insecure movement of keys • Non-destruction of keys • Insider threats • Lack of resilience • Lack of audit logging • Manual key management processes  • Poor protection of keys • High risk of human error • Difficult to avert insider threats
  • 25. Potential Consequences of Key Compromise • Fraudulent transactions • Data breaches • Theft of intellectual property / trade secrets … leading to: - Financial losses, fines, compensation claims, legal costs - Diminished reputation, loss of competitive advantage - Reduction in share price, lower credit rating, customer churn
  • 26. The Challenge … • More keys to manage • More zero-day vulnerabilities • More sophisticated & well-funded attackers • More and tougher regulations • More consequences
  • 27. How to Assess the Risks • Understand the value of your keys - Equivalent to the value of the data they protect • Understand the threats - Who might want to compromise them? How? • Determine the risk - Likelihood & impact of each threat • Consider possible mitigations to reduce the risk
  • 28. How to Mitigate the Risks • Follow good key management practices - Use high-quality keys - Provide strong physical and logical security for keys - Enforce access control, key usage and governance policies - Utilise secure key distribution - Ensure high availability & business continuity - Maintain high-integrity audit logs
  • 29. Key Management – the Good, the Bad and the Ugly The Good • Centralised system • Full life cycle • Strong controls • Secure distribution • Protected audit log • HSM root of trust • Simple audits The Bad • Multiple systems • Multiple owners • Inadequate controls • Weak distribution • Vulnerable logs • No root of trust • Complex audits The Ugly • Manual processes • No clear ownership • Weak controls • Weak distribution • Paper logs • Spreadsheets • Failed audits Maturity
  • 30. Other Benefits of a Centralised Key Management System • Scales easily • Increased efficiency • Fewer skilled resources • Fewer errors • Enables automation • Simplifies compliance • Supports digital transformation
  • 31. Key Trends • Keys are increasingly at risk - New vulnerabilities every week; network perimeter defences no longer effective - Attackers are smarter, better funded, and going where the money is • Key growth driven by increasing use of cryptography, also regulations • Applications and data are migrating to the cloud - BYOK (Bring Your Own Key) for AWS, Office 365, Salesforce, etc. • Quantum technologies are on the horizon - Quantum computing → “quantum-resistant” algorithms - Quantum key distribution (QKD)
  • 34. Summary • Keys are as valuable as the data/transactions they protect • Keys are easily compromised, and the impact can be massive • This is a challenge that is growing in scale and importance • Thus keys should be protected and managed appropriately • A centralised key management system helps mitigate the risks
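
Slide 19's first transport option, a key moved as multiple "key components" each handled by a different person, can be sketched as below. This is an added example, not part of the original slides or of any Cryptomathic product; the function names and the HMAC-based check value are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("every component must be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))

def check_value(key: bytes) -> str:
    # Assumed stand-in for a key check value: a short, non-reversible
    # fingerprint that lets the receiver confirm the key was rebuilt correctly.
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:6].upper()

def split_key(key: bytes, custodians: int) -> list:
    """Split key into XOR components, one per custodian."""
    if custodians < 2:
        raise ValueError("need at least two custodians")
    # All but the last component are fresh random values, so any subset
    # smaller than the full set is statistically independent of the key.
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for component in components:
        last = xor_bytes(last, component)
    return components + [last]

def combine_components(components: list, expected_check: str) -> bytes:
    """Rebuild the key at the destination and verify it before use."""
    if len(components) < 2:
        raise ValueError("need at least two components")
    key = bytes(len(components[0]))
    for component in components:
        key = xor_bytes(key, component)
    if not hmac.compare_digest(check_value(key), expected_check):
        raise ValueError("check value mismatch: missing or mistyped component")
    return key

if __name__ == "__main__":
    kek = secrets.token_bytes(32)           # constructed sample key
    parts = split_key(kek, custodians=3)    # each part goes to a different person
    print(combine_components(parts, check_value(kek)) == kek)
```

The check value travels separately from the components, so the receiving site can reject an incomplete or mistyped set before the key is loaded.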

Editor's Notes

  1. Welcome! I’m going to talk today about cryptographic keys, why they’re important and what you need to do to protect them and ensure compliance with standards like PCI-DSS.
  2. Firstly, I’d just like to introduce Cryptomathic, in case you haven’t heard of us. We are a … A leading provider of cryptographic solutions … for mission critical environments, including banking and financial services – you can see some of our solutions here. We were … Founded in Denmark … over 30 years ago by a group of prominent cryptographers, and we are still headquartered there. We are … A trusted partner of many leading banks … and other large enterprises around the world.
  3. Let’s start off by looking at the uses of cryptography … smart toasters – yes, they do exist! … This is just a small sample of the things that cryptography can be used for. Data encryption is used to protect both data-at-rest (e.g. TDE) and data-in-motion (e.g. SSL/TLS) – and, of course, I hope you’re all using TLS 1.2 now! Blockchain is, as I’m sure you all know, the underlying technology behind cryptocurrencies (like Bitcoin) and distributed ledger technology.
  4. Kerckhoffs's principle … This means that, even though the complete workings of algorithms such as AES and RSA are known publicly, they remain safe from attack as long as the key is kept safe. The key is the only thing that needs to be kept secret. So – what is a key? A key is basically just a random number that is used by cryptographic algorithms. The important takeaway here is that the value of a key is equivalent to the value of the data or transaction that it protects, because compromising the key means compromising the data. - The simplest example of this is Bitcoin, where the Bitcoin wallet is protected by a secret key – whoever has the key can spend all the Bitcoins in the wallet.
  5. DES = Data Encryption Standard AES = Advanced Encryption Standard RSA = Rivest-Shamir-Adleman (named after its inventors) ECDSA = Elliptic Curve Digital Signature Algorithm
  6. It is important to consider the entire life cycle of a key. This diagram applies to long-term static keys, as opposed to ephemeral keys (which are created on-the-fly for encrypting SSL/TLS communication sessions, for example). - Once keys are created, they should always be backed up prior to deployment. - Key usage should be monitored for audit purposes and to detect possible compromise. - In general, it is good practice to “rotate” (i.e. change) keys regularly to avoid over-use. - In any case, keys should have an expiry date, at which point they may be archived in case they are needed again (for example, to decrypt old data). - Finally, once a key is no longer needed, all traces of it should be destroyed.
  7. The NIST special publication on recommendations for key management is a widely-respected repository of good key management practices …
  8. PCI-DSS also recognizes the importance of protecting and managing keys. … If you’re interested in the relationship between PCI-DSS and key management, Cryptomathic has a useful white paper on the subject, including a compliance checklist.
  9. This is where the CIA comes in – no, not that CIA! I’m talking about …
  10. There are plenty of real-world horror stories detailed in the Wikipedia article on random number generator attacks. These typically come down to: - Using a poor source of entropy (or randomness) - Weak or badly-implemented RNG algorithms. There’s even one RNG algorithm that many people think has an NSA backdoor.
  11. Just to pick a couple of examples …
  12. … this will dictate things like key length and key expiry.
  13. … this can make the key easier to crack.
  14. … over-using a key can make it easier to crack; it also exposes more sensitive data if/when the key is cracked. … don’t encrypt more than 32 GB of data with the same key.
  15. … for obvious reasons – if the encrypted data is exfiltrated, the key is all the attacker needs to decrypt it.
  16. Even keys in server memory are potentially vulnerable … FOR THAT REASON … High-value keys should be stored inside hardware security modules …
  17. Using manual key management processes is a risk on many levels. Firstly, keys are often poorly protected – maybe written on pieces of paper or held in a spreadsheet! Manual processes are inherently prone to human error. Without proper security controls, it is easy for an internal bad actor to compromise a key and go undetected.
  18. … leading to: - Financial costs - Reputational costs - and ultimately undermine the on-going viability of the business
  19. Organisations have to manage more keys today than ever before. There is no let-up in the rate of new IT system vulnerabilities – mostly in software, but we have also seen vulnerabilities in CPUs and even memory chips. Organised crime is an increasingly significant source of cyber attacks, with the profits ploughed back into developing new attacks. New regulations such as GDPR continue to raise the bar in terms of protecting sensitive data. As a result, the consequences of failing to protect your keys are higher than ever.
  20. If the impact is very high then, even if the likelihood is low, you should try to mitigate the risk.
  21. Mitigating the risks fundamentally boils down to … following good key management practices … across the entire life cycle. For example, …
  22. When it comes to key management, there are many ways to do it, but they essentially boil down to these – the good, the bad and the ugly. It’s worth taking a moment to consider where your organization sits on this scale of maturity.
  23. A centralized key management system also provides other benefits … - Scales to address growth in number of keys - Eliminates inefficient manual/paper-based processes - Consolidates operations to optimise use of skills/resources - Reduces errors - Allows certain processes to be automated (such as key renewal and distribution) - Reduces time spent on audits and compliance - Enables the business to be more agile in its use of cryptography in support of a digital transformation agenda
  24. (forgive the pun) Keeping attackers out of your network is increasingly difficult, as we see in the press every day. They will get through eventually. Therefore it is important that keys are given every protection possible. This is increasingly important as the number of keys you have to manage increases. For example, as a result of GDPR, organizations are now encrypting more data, and therefore have more keys to look after. We are seeing increasing adoption of cloud technology, albeit perhaps somewhat slower within the financial industry due to security and regulatory concerns. Managing your keys is just as important, if not more so, within the cloud. And finally, we need to consider the impact of quantum technology. Quantum computing threatens to undermine public key algorithms within the next 10 years, so it is important to consider crypto agility – how quickly could you migrate to new, “quantum-resistant” algorithms? Quantum key distribution promises to provide the ultimate in provably-secure key distribution, and ironically may be part of the solution to defeating the threat of quantum computing
  25. For those of you who wish to dive deeper into the topic of key management, here are a couple of documents that I mentioned: … NIST Special Publication 800-57 goes into immense detail about key management … there’s also the PCI-DSS standard, which I’m sure you’re all familiar with – requirements 3.5 and 3.6 relate to key management
  26. Cryptomathic also has a couple of white papers on the topic – if you’re interested in obtaining copies of these, then please come and speak to me afterwards. I can also recommend our blog, which has many educational articles about key management.
  27. To summarise: - Many people don’t realize that cryptographic keys are actually one of the most valuable things in any business. - As we have seen, they can be compromised in many different ways, and the impact can be catastrophic. - Organizations are using an ever-increasing number of keys, the threats are increasing, and the consequences of compromise are also getting higher. - So please assess the risks and ensure you protect and manage your keys appropriately. - Above all, if you don’t have a centralized key management system in place, look at implementing one – it really helps to mitigate the risks
  28. Thank you for listening – I hope you found this useful. If you have any questions, I’m happy to take them now, or you can find me on the Cryptomathic stand for the rest of the day.
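
The RSA public key factoring case on slide 13 (multiple keys sharing a common prime factor because of poorly seeded generators) translates into a check you can run over your own key inventory. The following is an added example, not from the original presentation: it uses a product-tree/remainder-tree batch GCD to flag moduli that share a factor, and the function names, key labels and toy moduli are constructed for illustration.

```python
from math import gcd, prod

def product_tree(values):
    """Bottom level holds the values; each higher level holds pairwise products."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree

def shared_factors(moduli):
    """For each modulus n, return gcd(n, product of all the other moduli)."""
    tree = product_tree(moduli)
    remainders = tree.pop()                  # [product of every modulus]
    while tree:
        level = tree.pop()
        # Push the big product down the tree, reducing modulo n^2 at each node.
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod n^2) // n equals (P / n) mod n, so this gcd is gcd(n, P / n).
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]

def audit_inventory(inventory):
    """Map key label -> finding for every modulus that shares a factor."""
    moduli = list(inventory.values())
    findings = {}
    for label, n, g in zip(inventory, moduli, shared_factors(moduli)):
        if g == n:
            findings[label] = "duplicate modulus or both primes shared"
        elif g > 1:
            findings[label] = "shares a prime with another key"
    return findings

# Constructed sample inventory: toy moduli built from small primes.
SAMPLE = {
    "web-01": 101 * 103,
    "web-02": 101 * 107,    # reuses the prime 101 from web-01
    "vpn-01": 109 * 113,
    "mail-01": 127 * 131,
    "mail-02": 127 * 131,   # identical key deployed on two hosts
}

if __name__ == "__main__":
    for label, finding in audit_inventory(SAMPLE).items():
        print(label, "->", finding)
```

Any key the audit flags should be treated as compromised and regenerated on a system with a properly seeded RNG.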