KEY MANAGEMENT POLICY AND PRACTICE FRAMEWORK
- Aubrey Rodger Dennis
- 9 years ago
RISK AND ADVISORY SERVICES
January

CONTENTS
Abstract
Introduction
Background
Key Management
  Key Management Controls ... 5
  Key Management Risk Factors ... 6
  Key Management Trends ... 8
Policy, Practices, and Procedures
  Business Practice Disclosures ... 10
  Environmental Controls ... 11
  Key Management Life Cycle Controls ... 14
  Certificate Management Life Cycle Controls ... 16
  Example Key Generation Ceremony ... 17
Summary
Appendixes ... 19
  Appendix A: Standards Activities ... 19
  Appendix B: Key Generation Ceremony ... 20
  Appendix C: Glossary ... 22

LIST OF FIGURES
Figure 1: Key Life Cycle ... 4
Figure 2: Software- versus Hardware-Based Cryptography ... 6
Figure 3: Key Management Risk Factors ... 7
ABSTRACT

The secure administration and distribution of cryptographic keys, called key management, is a necessary and critical aspect of business risk mitigation. This white paper describes the significance of sound key management applicable to any application employing cryptography. Readers of this paper should have some familiarity with cryptography and its ability to protect information via data confidentiality, entity and data authentication, data integrity, and even non-repudiation. We have provided a historical perspective of cryptography along with a discussion of security controls, risk factors, and current trends that will affect key management processes. A framework of relevant policies, practices, and procedures is presented regarding business practice disclosures, key life cycle management, certificate life cycle management, and environmental controls. An overview of standards activities is given, along with an example key generation ceremony.

This paper takes the position that business risk drives the need for cryptographic solutions, which in turn necessitates establishing and maintaining sound key management policies and practices. Cryptographic hardware, although preferred over software-based solutions due to key management risk factors, can enable good key management schemes, but documented and sensibly enforced key management procedures are still necessary. Furthermore, these key management policies, practices, and procedures should be periodically reviewed by an independent third party using industry-established criteria.

ACKNOWLEDGEMENT

The support provided by nCipher Incorporated in the development of this white paper is greatly appreciated.
INTRODUCTION

Key management is the secure administration of cryptographic keys. A cryptographic key is merely data, a string of binary zeroes and ones that enables a cryptographic algorithm to manufacture ciphertext output from cleartext input. Cryptographic algorithms can provide encryption and decryption of information for data confidentiality, message authentication codes (MACs) for data integrity and entity authentication, as well as digital signatures for data integrity, entity authentication, and non-repudiation. Cryptography is also used in key management to achieve the confidentiality, integrity, authenticity, and non-repudiation of cryptographic keys, which is an integral part of sound key management practices.

There are several ways to securely handle keys and other relevant keying material, and there are even more ways to mishandle and mismanage cryptographic keys. Improper key management is a constant threat to any application employing any form of cryptography, which dramatically and unnecessarily increases business risk. With the advent of public key cryptography, effective management of keys has become even more important, particularly in the case of management of private keys when integrity and authenticity must be provable to a third party (i.e., non-repudiation). A new community of users and integrators is relearning the importance of hardware-based cryptography and the importance of formal security evaluation and compliance testing.[1]

This paper discusses some of the historical aspects of cryptography, provides an overview of key management, and presents some current trends that will affect the policy and practices for key management. A synopsis of standards activities is presented, along with an example key generation ceremony that embodies the secure administration of cryptographic keys described in this paper.

[1] FIPS PUB Security Requirements for Cryptographic Modules and ISO Banking Secure Cryptographic Devices (Retail).
BACKGROUND

Historically, symmetric cryptography (dating from Egyptian hieroglyphics circa 1900 B.C. to more recent use in World Wars I and II circa 1900 A.D.) required that the same cryptographic key, which must be shared between two communicating parties (i.e., the sender and the receiver), be securely exchanged using manual procedures. Today, symmetric keys are distributed electronically from the key-generation point to the operational sites by enciphering these keys with other symmetric keys called key enciphering keys (KEKs).

The primary issue with symmetric key management schemes is establishing the first KEK, commonly called the initial key.[2] The initial key, in order to maintain its confidentiality, is typically generated and securely exchanged as multiple key components. An organization must designate trusted individuals as key agents, with each key agent assigned a single key component. When all the components are securely combined under the supervision of a security officer, the symmetric key is recreated securely, so that no one individual has ever viewed or had access to the symmetric key. This labor-intensive process is still used in today's financial systems.

The advent of asymmetric or public key cryptography provided a partial solution to the initial symmetric key problem. A symmetric key can be randomly generated by the sender and encrypted using the public key of the receiver. The receiver can then decrypt the enciphered symmetric key using his or her own private key. Clearly, this simplifies the process for exchanging the initial symmetric key; however, it introduces to the sender issues regarding the integrity and authenticity of the receiver's public key. Previously, the symmetric key manual procedures implicitly provided integrity and authentication between both parties.

Assurance concerning the integrity and authenticity of a receiver's public key can be enhanced by using public key certificates, whereby the receiver's identity is cryptographically bonded to his or her public key. In this key management practice, the sender relies on the receiver's public key certificate, which has been issued by a trusted third party called a certification authority (CA). However, life is not so simple as to have one global CA for everyone and everything on the planet.

Other issues also affect key management practices. The sheer number of asymmetric key pairs, public key certificates, and symmetric keys is dramatically increasing as cryptography proliferates in network infrastructures, remote devices, and business applications. Furthermore, cryptographic keys do not last forever; they must be periodically and securely replaced. The scalability and extensibility issues regarding key management are creating new challenges that could very well result in new and interesting problems and innovative solutions.

[2] Some systems use multiple KEKs, but only the very first KEK is the initial key.
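The component-based establishment of an initial key described above can be modelled in code. The following Python example is added here and is not part of the original paper or of any product it mentions. It models each key agent generating one full-length random component, a secure module combining the components by XOR so that no single agent ever sees the resulting key, and key check values (KCVs) used to confirm each component and to verify that two sites hold the same key without exposing it. The KCV construction (first three bytes of SHA-256) is this example's own assumption for illustration; financial systems compute KCVs by encrypting a zero block with the key itself.

```python
import hashlib
import secrets
from typing import Dict, List

KEY_LEN = 16  # bytes: a 128-bit symmetric key (constructed example size)


def generate_component() -> bytes:
    """Each key agent independently generates one full-length random component."""
    return secrets.token_bytes(KEY_LEN)


def key_check_value(key: bytes) -> str:
    """Assumed KCV: first 3 bytes of SHA-256(key), hex-encoded.

    Real financial KCVs encrypt an all-zero block under the key; either way the
    value lets an operator confirm a key or component without revealing it.
    """
    return hashlib.sha256(key).digest()[:3].hex()


def combine_components(components: List[bytes]) -> bytes:
    """XOR all components together (the step performed inside the secure module).

    With two or more components held by different agents, each component alone
    is uniformly random and carries no information about the combined key.
    """
    if len(components) < 2:
        raise ValueError("dual control requires at least two key components")
    key = bytes(KEY_LEN)
    for comp in components:
        if len(comp) != KEY_LEN:
            raise ValueError("every component must be a full-length key")
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


class SecureModule:
    """Minimal model of a tamper-resistant module: the combined key never leaves it."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def load_initial_key(self, key_id: str, components: List[bytes],
                         presented_kcvs: List[str]) -> str:
        """Security officer's ceremony step: verify each agent's component against
        the KCV the agent presents, combine inside the module, and return only the
        KCV of the resulting key so it can be recorded and compared across sites."""
        if len(components) != len(presented_kcvs):
            raise ValueError("one KCV is required per component")
        for comp, kcv in zip(components, presented_kcvs):
            if key_check_value(comp) != kcv:
                raise ValueError("component KCV mismatch; component must be re-entered")
        self._keys[key_id] = combine_components(components)
        return key_check_value(self._keys[key_id])

    def has_key(self, key_id: str) -> bool:
        return key_id in self._keys


def keys_synchronized(kcv_site_a: str, kcv_site_b: str) -> bool:
    """Key synchronization check: compare KCVs across sites, never the keys."""
    return kcv_site_a == kcv_site_b


if __name__ == "__main__":
    # Constructed ceremony: two agents, each holding one component.
    agent_components = [generate_component(), generate_component()]
    agent_kcvs = [key_check_value(c) for c in agent_components]
    site_a, site_b = SecureModule(), SecureModule()
    kcv_a = site_a.load_initial_key("KEK-1", agent_components, agent_kcvs)
    kcv_b = site_b.load_initial_key("KEK-1", agent_components, agent_kcvs)
    print("KEK-1 synchronized across sites:", keys_synchronized(kcv_a, kcv_b))
```

The point of the design is that the only values that ever leave the module are KCVs: agents compare KCVs to confirm they keyed their components correctly, and operators compare KCVs to confirm two sites hold the same key, while the cleartext key exists only inside the module after combination.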
KEY MANAGEMENT

Remember that key management is the secure administration and distribution of cryptographic keys throughout the entire key life cycle. Keys are generated, distributed, stored, used, recovered, and eventually terminated or possibly archived. Figure 1: Key Life Cycle depicts eight stages for a symmetric key or a private asymmetric key (the life cycles are the same) and seven stages for the asymmetric public key. The first stage for any key is always Key Generation, where the symmetric key or asymmetric key pair is created. From there, public and private keys take very different paths.

[Figure 1: Key Life Cycle, showing the eight stages for a symmetric or asymmetric private key and the seven stages for an asymmetric public key described in the text.]

For an asymmetric private key (and a symmetric key) the next stage is typically Key Distribution, where the cryptographic key is securely transported to one or more operational devices and, potentially, backup systems. Key Distribution is possibly the most critical operation of the key life cycle, and carries the highest risk. The next two stages, Key Installation and Key Backup, may occur in parallel. Installation is the stage where the key is successfully installed in each device (e.g., a typical Web farm may employ dozens of servers) at each operational site. Key Backup is the stage where the key is securely stored for the unlikely event of key loss due to unexpected power interruption or hardware failure. Thus, key recovery occurs when a key is securely retrieved from Key Backup and re-installed in the Key Installation stage. The next stage is the Key Usage stage, where the correct key is used for its intended purpose in an operational environment and where copies of keys used with multiple devices should be verifiably synchronized. All cryptographic keys have a limited life expectancy; therefore the next stage is Key Termination, where all instances (including backup) of a key are erased, except for the possibility of transferring it to the Key Archival stage. Archived keys are not kept forever, so eventually an archived key transfers to the Key Termination stage. Whenever an archived key is retrieved to verify its previous use, the key moves temporarily to the Restricted Key Usage stage, and immediately thereafter is erased, thus migrating to the Key Termination stage. Archived keys should never be used in an operational environment.

For an asymmetric public key, once the public key has been created in the Key Pair Generation stage, it should transfer to the Certification Registration stage. Once a certificate has been issued by a certification authority, the public key certificate transfers to the Certificate Repository stage. This stage simply denotes that the certificate is publicly available. Some protocols specify that the certificate be transmitted along with the transaction when a Certificate Repository is not used. The certificate then enters the Certificate Usage stage in parallel with the Key Usage stage for the asymmetric private key. All asymmetric key pairs have a limited life expectancy; therefore public key certificates eventually enter the Certificate Expiration stage. However, unlike Key Termination, certificates merely expire and there is no security or operational necessity to erase any copies of the certificate. Alternatively, if an asymmetric private key is known or suspected to be compromised, the private key must be terminated and the certificate should be automatically revoked, temporarily entering the Certificate Revocation stage. Eventually, even revoked certificates expire according to their validity date; therefore even revoked certificates migrate to the Certification Expiration stage. Note that there are other reasons in addition to an asymmetric key compromise for revoking certificates.[3]

KEY MANAGEMENT CONTROLS

There are several universal key management controls that must be enforced throughout the key life cycle.

1. Private asymmetric keys and symmetric keys shall only exist in the following secure forms:[4]
   - As cleartext inside the protected memory of a tamper-resistant security module
   - As ciphertext outside the protected memory of a tamper-resistant security module
   - As two or more key fragments (e.g., key components, k-of-n key shares), either in cleartext or ciphertext, managed using dual control with split knowledge
   These three forms ensure that the confidentiality of private asymmetric and symmetric keys is absolute; no one must ever know these keys.
2. Public asymmetric keys are unrestricted by definition, therefore their confidentiality is not necessary; however, the integrity and authenticity of public asymmetric keys must be established, maintained, and verifiable. Public key certificates bind the user's identity to the public key via the CA's signature on the certificate, and therefore ensure the integrity and authenticity of the certificate contents, including the public key it contains.
3. Key generation should use only approved algorithms (e.g., X9 standards) for random or pseudo-random number generation and random prime number generation.
4. Key separation is a security method whereby each key (or key pair) is generated for a particular purpose and is used for the sole purpose for which it was intended.
5. Key synchronization is the ability to verify that the same key (e.g., symmetric or asymmetric private key) is securely stored in one or more locations without compromising the security of the keys or the systems.

[3] ANS X9.57 Certificate Management, and ISO Banking Certificate Management.
[4] ANS X9.24 Financial Services Key Management Using Symmetric Cryptography, and ISO Banking Key Management (Retail).
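The life-cycle stages and the key separation and restricted-usage rules above lend themselves to a small state machine. The following Python example is added here and is not part of the original paper or of any product it mentions. It encodes the permitted stage transitions for a symmetric or asymmetric private key, rejects transitions the life cycle does not allow, and enforces that a key is used only for its designated purpose and only while in the Key Usage stage (or, for verification of past use only, the Restricted Key Usage stage), so an archived or terminated key can never be used operationally. The transition table is this example's own simplification of Figure 1: it models archival as a direct step from usage rather than as an exception handled at termination.

```python
from enum import Enum, auto
from typing import Dict, List, Set


class Stage(Enum):
    """Life-cycle stages for a symmetric key or asymmetric private key (Figure 1)."""
    GENERATION = auto()
    DISTRIBUTION = auto()
    INSTALLATION = auto()
    BACKUP = auto()
    USAGE = auto()
    TERMINATION = auto()
    ARCHIVAL = auto()
    RESTRICTED_USAGE = auto()


# Permitted transitions (assumption: archival modelled as a direct edge from usage).
TRANSITIONS: Dict[Stage, Set[Stage]] = {
    Stage.GENERATION: {Stage.DISTRIBUTION},
    Stage.DISTRIBUTION: {Stage.INSTALLATION, Stage.BACKUP},
    Stage.INSTALLATION: {Stage.BACKUP, Stage.USAGE},
    Stage.BACKUP: {Stage.INSTALLATION},            # key recovery re-installs from backup
    Stage.USAGE: {Stage.TERMINATION, Stage.ARCHIVAL},
    Stage.ARCHIVAL: {Stage.RESTRICTED_USAGE, Stage.TERMINATION},
    Stage.RESTRICTED_USAGE: {Stage.TERMINATION},   # erased immediately after verification
    Stage.TERMINATION: set(),                      # terminal: every instance erased
}


class LifecycleError(Exception):
    """Raised when a requested stage transition is not permitted."""


class ManagedKey:
    """Tracks one key's stage and enforces key separation (one key, one purpose)."""

    def __init__(self, key_id: str, purpose: str) -> None:
        self.key_id = key_id
        self.purpose = purpose
        self.stage = Stage.GENERATION
        self.history: List[Stage] = [Stage.GENERATION]

    def transition(self, new_stage: Stage) -> Stage:
        """Move to new_stage if Figure 1 allows it; otherwise refuse and leave the
        key where it is, so an operator error cannot silently revive a key."""
        if new_stage not in TRANSITIONS[self.stage]:
            raise LifecycleError(
                f"{self.key_id}: {self.stage.name} -> {new_stage.name} is not permitted")
        self.stage = new_stage
        self.history.append(new_stage)
        return self.stage

    def authorize_use(self, purpose: str, operational: bool = True) -> bool:
        """Return True only if this use is allowed:
        - key separation: the requested purpose must equal the key's purpose;
        - operational use is allowed only in the Usage stage;
        - non-operational verification of past use is allowed only in Restricted
          Usage, so an archived key is never used operationally.
        """
        if purpose != self.purpose:
            return False
        if operational:
            return self.stage is Stage.USAGE
        return self.stage is Stage.RESTRICTED_USAGE


def run_normal_lifecycle(key: ManagedKey) -> List[str]:
    """Drive a key through distribution, installation, backup, recovery, usage and
    termination; returns the names of all stages visited."""
    for stage in (Stage.DISTRIBUTION, Stage.INSTALLATION, Stage.BACKUP,
                  Stage.INSTALLATION, Stage.USAGE, Stage.TERMINATION):
        key.transition(stage)
    return [s.name for s in key.history]


if __name__ == "__main__":
    mac_key = ManagedKey("MAC-01", "mac")        # constructed key identifier
    print(run_normal_lifecycle(mac_key))
    try:
        mac_key.transition(Stage.USAGE)          # a terminated key cannot return to use
    except LifecycleError as exc:
        print("rejected:", exc)
```

In a real key management system the stage would be stored alongside the key's check value in an audit log, and every `transition` call would be the record of a dual-controlled operation; the value of the table is that the set of legal moves is written down once and checked mechanically rather than left to procedure alone.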
KEY MANAGEMENT RISK FACTORS

A single, generic set of key management policies and practices that satisfies these basic controls and can apply to all scenarios is simply not feasible. Rather, a comprehensive set of specific key management policies and, especially, practices must be chosen and implemented to effectively and appropriately mitigate the business risks in a given environment.[5]

Cryptography is based on mathematical algorithms (i.e., a software process) and cryptographic keys (i.e., data) running in either specialized hardware or as software on a dedicated or general-purpose computer. The more dedicated or specialized the hardware, the higher the degree of inherent security controls.

Software-based cryptography is where the cryptographic algorithms, keys, cleartext data, and ciphertext data all reside in the unprotected memory of a general-purpose computer. Figure 2: Software- versus Hardware-Based Cryptography depicts the various components and highlights the security issues intrinsic in performing software-based cryptography. In this example, a symmetric encryption key is represented by the door key icon, the cryptographic algorithm is represented by the padlock icon, and the input data (cleartext) and output data (ciphertext) are shown as document icons.

[Figure 2: Software- versus Hardware-Based Cryptography. Left panel, Software-Based Cryptography: algorithm, key, cleartext, and ciphertext all in unprotected memory. Right panel, Hardware-Based Cryptography: cleartext and ciphertext in unprotected memory, algorithm and key in protected memory.]

In the software-based cryptography on the left, all the components (i.e., algorithm, key, cleartext, ciphertext) reside in unprotected memory and are susceptible to duplication, modification, or substitution. The most susceptible element is the cryptographic key. A duplicated symmetric key allows an adversary to recover all encrypted data. A duplicated asymmetric private key allows an adversary to falsely generate digital signatures that would be attributed to the computer owner. A substituted or modified public key would allow a man in the middle attack, such that the adversary could intercept and change e-mails or transaction data undetected by the sender or receiver.

In the hardware-based cryptography on the right, the brick wall represents physical and logical barriers where data is allowed to pass while the algorithm and key are kept secure in the protected memory of a tamper-resistant security device. Thus, hardware-based cryptography ensures the confidentiality, integrity, and authenticity of cryptographic keys and, further, provides assurance regarding the integrity and authenticity of the cryptographic algorithm, which reinforces the overall level of security.

Irrespective of whether a particular application is using hardware- or software-based cryptography, the computer on which the application runs operates in both physical and logical environments that possess their own security characteristics ranging from uncontrolled to highly controlled. Hence, key management policy and practices must address the balance among operational requirements, the use of specialized devices, and the environmental security controls. Figure 3: Key Management Risk Factors depicts the interdependency between environmental and device controls.[6]

The x axis represents the environmental controls, ranging from uncontrolled (no security) to a controlled environment (highest security). Uncontrolled environments are public places (e.g., restaurants) where access control is not practical. Partially controlled environments are those where limited access can be assumed (e.g., a person's home) or restricted (e.g., office) via a simple physical token (e.g., house key, employee badge). Controlled environments are those where restricted access is actively enforced (e.g., data center) via stronger authentication methods (e.g., key pads, biometrics, smart cards) and monitoring either directly with human guards or indirectly with surveillance cameras.

The y axis represents device-level controls ranging from a general-purpose device (low security) to a specialized device (highest security). General-purpose devices are desktop and laptop computers running open platform operating systems (e.g., Microsoft Windows 2000) and numerous applications, including software-based cryptography. Dedicated devices are typically general-purpose devices with computational capability to run some restricted applications and software cryptography (often, co-processors are used), often take advantage of removable media (e.g., smart card) to enable strong authentication of administrative staff, and may provide tamper-evident packaging (e.g., point of sale terminal). Specialized devices are restricted to performing cryptographic functions within a tamper-resistant housing (e.g., hardware security module) to enforce key management policy and practice schemes, such as key separation. These devices are often certified using established criteria in an accredited laboratory environment (e.g., the National Institute of Standards and Technology's NIST/NVLAP validation program using FIPS PUB Security Requirements for Cryptographic Modules,[7] the joint NIST/NSA NIAP program using ISO/IEC Common Criteria for Information Technology Security Evaluation).[8]

[Figure 3: Key Management Risk Factors. Y axis = Device Controls (General Purpose Device, Dedicated Device, Specialized Device); X axis = Environmental Controls (Uncontrolled, Partial, Controlled). The four zones are described in the text.]

Figure 3: Key Management Risk Factors shows four zones where the environments (uncontrolled, partially controlled, and controlled) intersect with the device types (general-purpose, dedicated, and specialized). The zones are described as follows:

Zone 1 represents the lowest security with the highest risk scenario where a general-purpose (or dedicated) device is operated in an uncontrolled (or partially controlled) environment, such as a personal computer in a person's home. For low-value (and typically low-volume) transactions this may be sufficient depending on the business risk assessment.

Zone 2 represents a scenario where a general-purpose (or dedicated) device is operated in a controlled environment. The controlled environment offers higher security and therefore lower risk than Zone 1; however, due to the nature of the device, manual key management procedures must be relied on, and these manual key management procedures should therefore be integrated with operational and environmental controls. For low-value transactions this should be sufficient depending on the business risk assessment.

[5] ANS X9.49 Secure Remote Access to Financial Services.
[6] ISO Banking Secure Cryptographic Devices (Retail).
[7] For more information, see [link omitted]. Note that FIPS PUB will be phased out and it is expected that all certifications will be transitioned to FIPS PUB within 12 months of its approval date of May 25, [year omitted].
[8] For more information, see [link omitted].
Zone 3 represents a scenario where a specialized device is operated in an uncontrolled (or partially controlled) environment, such as an ATM. For higher-value transactions (e.g., deposit, withdrawal, funds transfer), this may be sufficient depending on the business risk assessment. Note that in addition to the higher security, the specialized device will typically increase the application's transaction throughput as the computationally intense cryptography is off-loaded from the main processor to the specialized device.

Zone 4 represents the highest security with the lowest risk where a specialized device is operated in a controlled environment, a combination often employed at a certification authority. Environmental controls may include multi-factor authentication (e.g., smart cards and biometrics) for administrative personnel, enforced dual control where one person is never allowed unsupervised access to the device, and sign in/out log sheets with monitored surveillance cameras. Device controls would include a tamper-resistant security module enforcing key confidentiality and separation, dual control, and, potentially, tamper detection and active countermeasures (e.g., automatic key erasure). Such devices and environmental security controls exist at most financial institutions and network processing centers, and at many military installations.

Tomorrow's key management challenges are in Zone 2 and Zone 3. The increasing focus on overall system security lies behind the general trend of moving away from general-purpose devices operating in uncontrolled environments (Zone 1) to the use of specialized devices operating in controlled environments (Zone 4). However, it is important to realize that as security controls increase on the x axis or the y axis, so does the cost of implementation. Hence, depending on a business risk assessment, alternatives in either Zone 2 or Zone 3 may provide an acceptable alternative. There are already dedicated devices (e.g., Web servers) operating in partially controlled environments, but as the demand for higher security increases, there will be an increase in use of specialized devices. The challenges of using specialized devices operating in uncontrolled or partially controlled environments include the capability and capacity to securely deploy and operate large numbers of these devices at remote or mobile locations while maintaining proper key management controls.

KEY MANAGEMENT TRENDS

The ability to determine that adequate key management controls are in place requires periodic review of key management policies, practices, and procedures against some established criteria. In many cases, an examination of the key management policies, practices, and procedures by an independent third party is also necessary. For example, most financial networks and associations require that financial institutions and processors undergo a periodic examination of their key management policies, practices, and procedures by a professional security consultant or audit practitioner, similar to financial audits. In the past several years, these security exams have become commonplace and are now being performed more frequently by professional practitioners licensed by organizations such as the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).[9]

The advent of commercially available cryptography and the widespread acceptance of the Internet as the primary electronic commerce vehicle have sparked numerous initiatives embodying various cryptographic protocols and other technologies (e.g., smart cards, biometrics). Cryptography is becoming more and more integrated into network architectures, such as through the deployment of SSL, IPSec, and VPN protocols. Cryptography is also being widely adopted as a component of mainstream business applications such as securing e-mail using encryption and digital signatures, encrypting data stored on laptops, and protecting databases, and as part of emerging applications such as digital rights management and bank card payment systems (e.g., smart cards). As the use of cryptography continues to increase, several trends are emerging:

- Hardware-based cryptography for added security. Currently, many initiatives in the proof-of-concept (PoC) stage use software-based cryptography that is intended to be a temporary solution and does not promote sound key management policies, practices, and procedures. As these PoC projects transform into pilots or permanent production systems, these software-based solutions will migrate to cryptographic hardware or otherwise require extensive manual key management procedures to compensate for the inherent weaknesses of software-based cryptography. In either case, current key management controls will undergo restructuring and redesign, and controls will be created where none exist.

[9] For more information, visit [link omitted] or [link omitted].
- High scalability for diverse applications. The sheer proliferation of cryptography will dramatically increase the number of cryptographic keys generated, distributed, installed, used, and eventually terminated. This proliferation will stress the scalability of key management software and the key storage mechanisms that will be forced to manage more and more cryptographic keys.

- Application-specific security policies to reflect business risk. The increasing diversity of business applications using cryptographic functionality (e.g., data encryption, message authentication, digital signatures, secure time stamping, and transaction authorization) will likewise require distinct security policies and key management practices that are tailored to each unique business application. As security applications are introduced and new online services launched, it will be important to assess the sources of risk and cost of compromise on a case-by-case basis in order to define the appropriate security policies.

- Regulatory and statutory criteria. More and more industries and governments are adopting requirements, guidelines, or specifications for securing electronic data. Examples include the European Union 1995 Data Protection Directive, the U.S. Federal Healthcare Insurance Portability and Accountability Act (HIPAA), the MasterCard International and Visa International 1997 Secure Electronic Transaction (SET), the 1998 Identrus LLC security authentication framework specification, and the U.S. Federal Electronic Signature Act (E-Sign). These and many other initiatives will lead to a broad awareness of security issues and will help to establish a common understanding of countermeasures that can be taken.

- Real-time audit functionality. As more and more reliance is placed on automated key management tools used by less-trained operators in more complicated and distributed environments, the need for independent examination of how those tools are being used will need to increase. These examinations will move away from traditional latent audits and migrate toward real-time auditing with online information feeds that will enable specialized professionals to assess the relevant controls and ensure compliance to the stated security policies.

- Remote key management to reduce administrative burden. The widespread distribution of cryptographic keys will require remote key management methods and techniques to enforce key separation and provide automatic key synchronization between geographically dispersed systems. Remote key management will be problematic, as keys must be managed from a centralized site in some cases and multiple sites in other cases as evolving business requirements and globalization issues dictate. The ability to securely administer cryptographic keys and devices from a remote location will become an important feature of any security architecture.

- Delegation of authority and automated systems. This same propagation of cryptography illustrates that key management will migrate from security officers with specialized skills and experience to operational staff with more general knowledge and less appreciation for sound key management practices. Therefore, more automated key management tools coupled with remote key management capability will emerge. Such automation will promote the use of software "trusted agent" tools that may be developed by one company, installed at a second company, and operated by yet another "trusted" third party.

- New algorithms and policies to suit new applications. The multiplicity of application and host environments, including wireless and handheld devices such as laptops, cellular phones, and personal digital assistants, may ultimately drive the use of various new cryptographic algorithms and communication protocols, many of which are not interoperable. Numerous algorithms (e.g., ECC, AES) are specified in recent standards and will drive a requirement for flexible key management practices that can, if necessary, be algorithm independent. Furthermore, bandwidth limitations and storage capabilities will affect where, when, and how keys are generated and distributed.

The increased use of cryptography will affect how and where key management is performed, and will require new tools and methods that are still emerging. At the same time, the ability to assess the security features and verify the effectiveness of the security practices of these new methods is still a necessary ingredient for reducing business risk. There is always a need to balance among operational effectiveness, timeliness, and adequacy of security. Key management is an essential ingredient of maintaining sufficient security. This means that those individuals involved in daily operations have to be prepared and practiced for planned events (e.g., key generation) and unexpected events (e.g., disaster recovery). Therefore, key management policy, practices, and procedures are needed to ensure operational and security continuity.
POLICY, PRACTICES, AND PROCEDURES

All organizations must disclose their business practices to some degree. Publicly held companies are required to disclose certain business practices, while privately held organizations primarily share their business practices with board members, employees, and customers. Often, key management and security policy and practices are not publicly disclosed unless it is in the organization's best interest to do so, such as in the case of a certification authority. Regardless of business disclosure practices, key management policies, practices, and procedures are at the heart of achieving and maintaining sound key management. Key management policies define the organization's overriding requirements and strategy for the secure administration of cryptographic keys throughout a key's life cycle. Similarly, key management practices describe the organization's tactics to achieve those strategic policy goals. Key management procedures are the documented step-by-step tasks necessary for the secure daily cryptographic operations within an organization.

Clearly it is in the best interest of any organization to establish and promote sound key management policies, practices, and procedures. The challenge in fulfilling these goals is to remain flexible enough to respond to the inevitable key management diversity, scalability, and extensibility issues that have been identified as trends in this paper. The following sections begin by describing the approach to policy setting at the business level, followed by an overview of how this translates into a series of environmental controls. The section concludes with a review of specific key management practice statements, and introduces the key generation ceremony [10] as an example of an operational procedure that embodies these various policies and practices.

BUSINESS PRACTICE DISCLOSURES

This topic deals with an organization's policies regarding the disclosure of its key management and information privacy practices. An example of such a policy is a certification authority's Certificate Practice Statement (CPS), which defines its business practices. Any service organization whose offerings or business applications employ any form of cryptography should have available business practice disclosures addressing their key management policy and practices. The benefits of having such disclosures are that a company can:

- Provide a level of assurance to its business partners and customers that its key management practices are sound, and as such imply that the organization has undertaken reasonable efforts to secure its systems and business applications.
- Provide documentation whereby its key management practices can be evaluated or tested to establish compliance with external standards, such as those defined to establish industrywide interoperability (e.g., the Identrus LLC framework specification for the international banking community).
- Satisfy legislative or regulatory requirements regarding due diligence and subsequent business disclosure for key management practices (e.g., EU Data Protection Directive, HIPAA).

The appropriate level of detail for an organization's disclosures must be individually determined by each organization, taking into account federal, state, and local legislative requirements; industry regulations; potential legal liability; and business risk in the marketplace. Business practice disclosures should do the following:

- Define the various communities of interest that rely on or interact with the organization wherever cryptography and, hence, key management is used. For each community of interest, the type of interaction (e.g., Web site) available, the type of cryptography (e.g., SSL, PKI) used, and the corresponding key management schemes employed (e.g., certificates) should be described. This may include descriptions of the relevant industries, business partners, or customer markets.

[10] ANS X9.79 PKI Practices and Policy Framework, and AICPA/CICA WebTrust SM/TM Program for Certification Authorities.
- Provide the appropriate contact information (e.g., name, department, mailing address, phone number, e-mail address) for the individual(s) responsible for key management practices for each community of interest. This should include notification and escalation procedures for lost or stolen equipment. Where cryptographic devices or keys have been widely deployed and local or regional operational staff has been assigned to emergency response teams, this information is essential.
- Define the obligations of all participating parties and any applicable provisions regarding apportionment of liability or financial responsibility resulting from security breaches due to known or suspected key compromise. For example, a service provider might process transactions using equipment outsourced to a second entity, which includes a cryptographic device that contains keys belonging to the service provider, while its key management is outsourced to a third entity.
- Define the environmental control policies relative to all participants. This should describe or entail an approval process for acceptable physical security (e.g., locked doors and restricted access), facility and system access controls (e.g., employee badges, passwords, and biometrics), and business continuity controls (e.g., site locations, power requirements, media storage, and off-site backup).
- Define the key and certificate (where appropriate) life cycle management control policies relative to all participants for any cryptographic key generated, stored, or used by the organization. This should describe or entail an approval process for the acceptable cryptographic algorithms, key strengths and crypto-periods, key management protocols, and cryptographic hardware. For example, there will be long-term digital signature keys for legal documents as well as short-term digital signature keys for access control. The relevant standards (e.g., ANSI, ISO, IETF) should also be identified.
- Define the organization's policies regarding the publication, revision, and distribution of the business practice disclosures, including intellectual property protection mechanisms (e.g., copyrights).

ENVIRONMENTAL CONTROLS

This topic deals with an organization's policies and practices regarding environmental controls, including information security, asset classification and management, personnel security, physical access controls, operations management, system access controls, system development and maintenance, business continuity management, monitoring and compliance, and event handling. Environmental control information should be disclosed to allow relying parties to assess whether the organization maintains sufficient controls to meet their business requirements outlined on the following pages.
Environmental Controls (Environmental Activity / Control Objective for Environment Activities)

Policy authority and practices: Organization has established and operates a policy authority to create and revise key management policy and practices, including:
- Roles and responsibilities (e.g., committee chair, vice chair, secretary)
- Titles and departments (e.g., vice president of internal audit)
- Revision and publication practices

Information security practices: Organization has documented and distributed its security practices and maintains controls to provide reasonable assurance that information security is properly managed according to its security practices, including:
- Registration and enrollment methods
- Authentication and authorization methods
- Distribution and affidavit methods
- References to asset classification practices

Asset classification practices: Organization has established an asset classification scheme and all assets (e.g., equipment, data, facilities, personnel) have been properly identified and labeled, including:
- Security requirements for protecting each discrete category
- Security mechanisms for protecting each discrete category

Personnel security practices: Organization maintains controls over personnel and hiring practices to support the trustworthiness of the organization, including:
- Credentials validation
- Nondisclosure agreements
- Other verification methods for sensitive positions (e.g., security officer)

Physical security practices: Organization maintains controls so that physical access to sensitive areas and equipment is limited to properly authorized individuals, and the facilities are protected from environmental hazards, natural or otherwise, including:
- Passive physical barriers
- Active intruder detection systems
- Physical access controls
- References to relevant documentation (e.g., business continuity plan)

Operations management practices: Organization maintains controls to ensure the correct and secure operation of IT systems, including:
- Systems failures prevention or detection mechanisms
- Viruses and malicious software protection
- Incident reporting and response escalation practices
- Theft or inadvertent damage of media or other hardware
- References to relevant documentation (e.g., business continuity plan)

System access practices: Organization maintains controls to limit system access to properly authorized individuals, including:
- User access controls
- Network access controls
- Operating system access controls
- Application access controls
- Authentication mechanisms (e.g., passwords, tokens, biometrics)
- References to relevant documentation (e.g., ANSI, systems manuals)

Systems development and maintenance practices: Organization maintains controls to properly authorize systems development and maintenance activities, including:
- Software development life cycle (SDLC)
- Use of cryptography
- Separation between cryptographic test keys and production keys

Business continuity practices: Organization maintains controls to provide reasonable assurance of continuity of operations in the event of a disaster, including:
- Key management controls during the execution of a recovery plan
- References to relevant documentation (e.g., business continuity plan)

Monitoring and compliance practices: Organization maintains controls to ensure that its monitoring and compliance methods satisfy legislative or regulatory requirements, including:
- Event journals
- Backup and recovery of event journals
- Security controls to protect the journals from unauthorized destruction, tampering, or replacement
- References to relevant documentation (e.g., information security, asset classification, system access)

Key management trends will challenge current environmental practices as the use of portable devices in untrustworthy environments continues to increase. A trustworthy and controlled environment operated by one entity does not necessarily translate to an environment trusted by another entity.
KEY MANAGEMENT LIFE CYCLE CONTROLS

This topic deals with an organization's policies and practices regarding the management of private asymmetric keys, symmetric keys, and other types of keying material (e.g., pseudo-random number generator seed values), including cryptographic hardware management. Key management life cycle control information should be disclosed to allow relying parties to assess whether the organization maintains sufficient controls to meet its business requirements in the following areas:

Key Management Life Cycle Controls (Key Management Activity / Control Objective for Key Management Activities)

Key generation practices: Cryptographic keys are generated in accordance with industry standards, including:
- Random or pseudo-random number generation
- Prime number generation
- Key generation algorithms
- Hardware and software components
- Adherence to all relevant standards
- References to the key generation procedural documentation

Key storage, backup, and recovery practices: Asymmetric private keys and symmetric keys remain secret and their integrity and authenticity are retained, including:
- Key separation mechanisms
- Hardware and software components
- Adherence to all relevant standards
- References to key storage, backup, and recovery procedures
- Business continuity management documentation

Key distribution practices: Secrecy of asymmetric private keys, symmetric keys, and keying material, and the integrity and authenticity of all keys and keying material are maintained during key distribution, including:
- Initial key distribution processes
- Subsequent key replacement processes
- Key synchronization mechanisms
- Adherence to all relevant standards
- References to the key distribution procedural documentation

Key use practices: Cryptographic keys are used only for their intended purpose, including:
- Business applications
- Key separation mechanisms
- Related crypto-periods
- Adherence to all relevant standards
- References to the business and system description documentation

Key destruction and archival practices: All active instances of the cryptographic key are properly erased (destroyed) at the end of their designated crypto-periods and archived keys are handled appropriately, including:
- Controls to maintain confidentiality, integrity, and authenticity
- Mechanisms to prevent an archived key from being reinstalled
- Adherence to all relevant standards
- Inclusion of references to the business and system documentation

Cryptographic hardware life cycle practices: Access to cryptographic hardware is limited to properly authorized individuals, and the hardware is functioning properly. The description should include:
- Controls for the device life cycle (e.g., shipping, inventory controls, installation, initialization, repair, and de-installation)
- Adherence to all relevant standards
- References to device documentation (e.g., product specifications, users manual) and certification (e.g., FIPS 140)

Key management trends will affect all aspects of the key management life cycle as the origination, usage, and location of keys become more diverse. Remote and automated key management mechanisms will proliferate in the near term and eventually be standardized.
CERTIFICATE MANAGEMENT LIFE CYCLE CONTROLS

This topic deals with an organization's policies and practices regarding secure management of public asymmetric keys, public key certificates, and attribute certificates, including the use of portable storage devices such as smart cards. Certificate management life cycle control information should be disclosed to allow relying parties to assess whether the organization maintains sufficient controls to meet their business requirements in the following areas:

Certificate Management Life Cycle Controls (Certificate Management Activity / Control Objective for Certificate Management Activities)

Subscriber registration practices: Subscribers are properly identified and authenticated, and certificate request information is accurate and complete, including:
- Internal registration practices
- External registration services
- Registration authority interfaces
- Adherence to all relevant standards
- References to registration procedures

Certificate issuance practices: Certificates are generated and issued securely and accurately, including:
- Use of outsourced services (if appropriate)
- Naming conventions and extension fields
- Public key validation processes
- Adherence to all relevant standards
- References to external certificate service documentation (e.g., letters of agreement, contracts, other CPS)

Certificate distribution practices: Upon issuance, complete and accurate certificates are available to subscribers and relying parties, including:
- Out-of-band notification processes
- Databases and repositories
- Adherence to all relevant standards
- References to external distribution or storage services documentation

Certificate revocation practices: Certificates are revoked based on authorized and validated certificate revocation requests, including:
- Out-of-band notifications
- Certificate revocation list distribution
- Databases and repositories
- Adherence to all relevant standards
- References to external distribution or repository services documentation

Certificate verification practices: Certificates and certificate chains are properly verified, including:
- Verification mechanisms
- Databases and repositories
- Adherence to all relevant standards
- References to external distribution or repository services documentation

Token life cycle practices: Initialization, distribution, usage, and termination of portable tokens (e.g., smart cards) are properly managed, including:
- Controls for the token life cycle (e.g., shipping, inventory controls, installation, initialization, personalization, and termination)
- Adherence to all relevant standards
- References to device documentation (e.g., product specifications, users manual) and certification (e.g., FIPS 140)

Key management trends will significantly impact certificate management, particularly the ability to revoke widely distributed certificates. Shorter-term certificates reduce risk exposure but increase the frequency of key generation and certificate registration. Certificate validation services can reduce the revocation problem but require an online environment and are somewhat contrary to the original concept of a certificate that can be verified offline.

EXAMPLE KEY GENERATION CEREMONY

As an illustration for this framework, a description of a key generation ceremony is included; however, it is recommended that a detailed key generation script be developed and followed. Recognizing that the specific steps for key generation vary significantly across different applications and organizations, a CA has been chosen as a procedural example because it is typical of a high-end security application and has been widely tested in the field. Given that the ceremony should take into account the application software and version number that is to be implemented, the cryptographic devices that are used, and the organization's requirements for private key protection and disaster recovery, only a general description is feasible. Each organization must develop its own customized key management procedures that are specific to that organization's needs. Appendix B: Key Generation Ceremony provides an overview of a rudimentary script for the generation of a CA asymmetric key pair, with additional notes regarding special consideration for the generation of a root CA key pair.
SUMMARY

Key management risk factors should be evaluated for every application that employs cryptography. A proper business risk assessment will identify the security requirements needed to protect application data regarding its confidentiality, integrity, message and entity authenticity, and even non-repudiation. In circumstances where cryptography is determined to be a viable security measure, the environmental controls available regarding the protection of the cryptographic hardware, software, and keys should likewise be evaluated. In applications that require more than basic security levels (for example, those that generate high volumes of transactions or where corruption of individual transactions represents a tangible financial loss or breach of privacy), specialized cryptographic hardware should be considered as a necessary security control to protect cryptographic keys and keying material. The use of special-purpose cryptographic hardware can compensate for environmental control weaknesses, in the context of both internal and external attacks, and can enhance the security of key management practices and procedures to achieve desired security levels.

The decision to use cryptographic hardware will, in and of itself, not guarantee the secure administration of keys throughout their life cycles. Rather, sound key management policies, practices, and procedures are necessary to ensure the constant supervision of cryptographic keys.

The trends discussed in this paper describe some of the areas that will affect key management. Organizations that are now or will be employing cryptography should review their key and certificate management life cycle practices and environmental practices to determine that business risks have been sufficiently considered. The versatility of cryptography as the basis for secure applications will naturally lead to numerous key management schemes. Therefore, there cannot be a generic set of key management practices and procedures for all applications or organizations. Thus, every organization must develop and maintain its own suite of key management policies, practices, and procedures. Periodic examinations by an independent third party using industry-recognized standards, such as the ANS X9.79 PKI Practices and Policy Framework and the AICPA/CICA WebTrust SM/TM Program for Certification Authorities, should become an important aspect of risk management, enhancing the trust of employees, customers, business partners, and other relying parties.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
APPENDIXES

APPENDIX A: STANDARDS ACTIVITIES

The ANSI X9 and ISO standards for symmetric key management have been established for over ten years, with revisions every five years per the ANSI procedures, or on an as-needed basis (e.g., X9 standards using single DES encryption have either been withdrawn or revised to triple DES encryption). [11] Similarly, many ANSI X9 and ISO standards for asymmetric key management have been recently published or are in progress. In parallel to the X9 standards, auditing standards for certification authorities (CAs) relating to asymmetric key management have also been published.

The financial services industry often leads the development of standards regarding key management techniques and has established the ability to validate compliance against those standards. The American National Standard (ANS) X9 Technical Guideline #3 (TG-3) PIN Audit Security Guideline was adopted by the Electronic Funds Transfer Association's (EFTA) Network Executive Council (NEC) so that electronic funds transfer (EFT) networks could agree on a common set of personal identification number (PIN) and key management criteria. Most of the EFT networks require their members to periodically undergo a TG-3 examination either by their internal auditors or a third-party accounting firm. X9 TG-3 addresses PIN and related key management security controls based on two other American National Standards, X9.8 PIN Management and Security and X9.24 Financial Services Key Management Using Symmetric Cryptography.

Recently, the PKI Forum [12] endorsed the ANS X9.79 PKI Practices and Policy Framework standard and the corresponding document from the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), the WebTrust SM/TM Program for Certification Authorities. These companion standards enable an experienced practitioner to perform an examination of the controls implemented by a certification authority (CA). A large portion of the controls described in these standards address the CA environmental controls and the key management controls. The AICPA and the CICA issued a press release in May 2001 announcing that the Microsoft Corporation selected the WebTrust SM/TM for Certification Authorities (or its equivalent) as part of its program for accepting CAs wishing to distribute their root certificates through Microsoft software.

Key management has become an integral part of the ISO and ANSI standards, and is now being integrated into industry and accounting standards.

[11] For more information, visit and
[12] For more information, visit
APPENDIX B: KEY GENERATION CEREMONY

The following is a rudimentary script for the generation of a CA asymmetric key pair.

List of Participants and Preparation

The participants for a key generation ceremony will vary depending upon the type of key management scheme employed. Each participant has a specific role and responsibility, such as:

Operation Manager. This individual is responsible for the equipment and the facility in which the equipment resides, including computer hardware and software, host security modules (HSMs), and physical safes to store cryptographic keying material.

Key Manager. This individual is responsible for orchestrating the key generation ceremony according to the organization's policies and procedures. This includes scheduling, organizing, and supervising the participants before, during, and after the execution of the key ceremony script per the organization's procedures.

Key Administrators. These individuals are responsible for handling cryptographic keying material and following the key generation ceremony script. The actual number of administrators and their exact duties will vary widely depending on the PKI vendor product, the cryptographic devices, the key management schema, and the organization's procedures. For example, if key components are used to securely store symmetric keys, at least two administrators are necessary to maintain split knowledge. Another schema might be the Shamir k-of-n Secret Sharing Scheme, which requires a subset (k) of all administrators (n) to perform key management tasks. [13] For a 3-of-5 scheme, five administrators would be necessary.

Witnesses. These individuals are present to observe the key generation ceremony, but typically do not actively participate in the actual key management practices. The purpose of witnesses is to provide a level of assurance that the key generation ceremony took place under proper controls.

For certain high-assurance applications, such as a root CA, the Equipment Installation and Initialization process may be observed by an auditor and/or other witnesses and/or videotaped.

Another important aspect of proper preparation is that all participants practice the key management procedures prior to actual execution. Performing a key generation walkthrough allows each participant to gain an understanding of his or her role and responsibilities. A walkthrough is also a good method to identify potential problems so that procedures can be adjusted accordingly.

Equipment Installation and Initialization

Prior to the start of the key generation ceremony, the CA hardware and software is properly configured within a controlled environment that is physically secure. This configuration process should include installation of the host operating system, smart card, or storage devices, and CA software from original shrink-wrapped packaging. Often, procedures for configuring the CA hardware and software are provided by the vendor in separate documentation packages.

Witnessing and Record Keeping

All participants observe the key generation ceremony events and one or more witnesses (potentially including an external auditor) should make a notation on their copies of the script to indicate whether each step was successfully performed in accordance with the script, or if deviations occurred. At the conclusion of the ceremony, an "official copy" of the script should be updated by the Key Manager to reflect any deviations from the planned script prior to having it signed by all participants and witnesses indicating that the steps were followed as documented.

Hardware Security Module Initialization

Typically, a newly installed HSM is pristine, meaning it does not contain any keying material. Similar to the CA hardware and software, the HSM must be properly configured within a controlled environment that is physically secure. Typically, procedures for installing and configuring the HSM are provided by the vendor in separate documentation.

Key Generation Procedures

The precise step-by-step procedures will vary greatly depending upon the PKI vendor product, the cryptographic devices, and the key management schema. Procedural steps are often grouped into tasks, causing the Key Manager to pause the key generation ceremony to ensure that each task (or step) has been completed successfully. This is part of the witness and record-keeping processes.

[13] A. Shamir, "How to share a secret," Communications of the ACM 22 (1979).
Ceremony Examination and Validation

With regard to the examination of a key generation ceremony, the procedures themselves provide evidence that proper key management practices were followed. The examination can be concurrent with the key generation ceremony so that a professional practitioner is present as an observer (witness) during the key generation ceremony. Otherwise, the examination can occur after the fact if sufficient evidence is maintained to demonstrate that appropriate key generation policies and procedures were followed. For example, if the key generation ceremony were to be videotaped, the professional practitioner could review the videotape. In addition, a checklist (script) dated and signed by the key generation ceremony participants should be used to provide additional evidence that proper key management procedures were followed.
APPENDIX C: GLOSSARY

Term: Description [Reference]

AES: Advanced Encryption Standard.

AICPA: American Institute of Certified Public Accountants is the United States professional practice organization for accountants.

ANS: American National Standard is an industry standard developed by an ANSI-accredited standards body, such as the X9 Committee.

ANSI: American National Standards Institute is the United States national standards body registered with ISO as a country member.

ATM: Automated teller machine is an unmanned terminal providing online access to financial transactions.

CICA: Canadian Institute of Chartered Accountants is the Canadian professional practice organization for accountants.

Ciphertext: Data in its enciphered form. [ANS X9.24, ISO]

Cleartext: Data in its original, unencrypted form. [ANS X9.24, ISO]

DES: Data Encryption Standard is the Federal Information Processing Standard (FIPS) Publication 46-1 that defines the data encryption algorithm (DEA). The DEA is also described in ANS X3.92.

Dual Control: A process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information whereby no single entity is able to access or use the materials (e.g., cryptographic key). [ANS X9.8, ANS X9.24, ISO]

ECC: Elliptic curve cryptography. [ANS X9.63, ISO]

ISO: ISO is not an acronym, although it is a common belief that it means the International Standards Organization. Rather, ISO is a word, derived from the Greek isos, meaning equal, which is the root of the prefix iso-, such as isometric and isonomy.

KEK: Key enciphering key is a symmetric key generated and used for the sole purpose of protecting other symmetric keys (e.g., master key, session key). [ANS X9.24, ISO]

MAC: Message authentication code is an integrity value that is cryptographically derived from a message so that the modification or substitution of either can be detected. [ANS X9.9, ANS X9.19, ISO]

NIAP: National Information Assurance Partnership.

NIST: National Institute of Standards and Technology.

NSA: National Security Agency.

NVLAP: National Voluntary Laboratory Accreditation Program.

PIN: Personal identification number is a 4- to 12-digit number used by financial institutions to authenticate their customers at an ATM for cash withdrawal and at POS devices for debit transactions. [ANS X9.8, ISO 9564]

PKI: Public key infrastructure is a framework of hardware, software, people, processes, and policies that employs digital signature technology to facilitate a verifiable association between the public component of an asymmetric public key with a specific subscriber that possesses the corresponding private key. The public key may be provided for digital signature verification, authentication of the subject in communication dialogues, and for message encryption key exchange or negotiation. [ANS X9.79]

POS: Point of sale terminal is a merchant device typically consisting of a magnetic stripe reader, a keypad, a display window, and a telephone dialer for obtaining credit or debit card authorization.

RC5: Rivest Cipher; symmetric cryptographic algorithm so named for its inventor, Ron Rivest.

Root CA: The CA at the top of the CA hierarchy. [ANS X9.79]

RSA: Asymmetric cryptographic algorithm named for the original paper, R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems," Communications of the ACM, 21(2), February.

Split Knowledge: A condition under which two or more parties separately and confidentially have custody of components of a single key that, individually, convey no knowledge of the resultant cryptographic key. [ANS X9.8, ANS X9.24, ISO]

Tamper Evident: A characteristic that provides visual evidence that an attack has been attempted. [ANS X9.79]

Tamper Resistant: A characteristic that provides passive physical protection against an attack. [ANS X9.79]
