Cryptography Reference
10.1 Key management fundamentals
In this section we provide an introduction to key management. Most importantly,
we identify the scope of key management and introduce the key
lifecycle, which we will use to structure the discussion in the remainder of the
chapter.
10.1.1 What is key management?
The scope of key management is perhaps best described as the secure
administration of cryptographic keys. This is a deliberately broad definition, because
key management involves a wide range of quite disparate processes, all of
which must come together coherently if cryptographic keys are to be securely
managed.
The important thing to remember is that cryptographic keys are just special
pieces of data. Key management thus involves most of the diverse processes
associated with information security. These include:
Technical controls. These can be used in various aspects of key management.
For example, special hardware devices may be required for storing
cryptographic keys, and special cryptographic protocols are necessary in order to
establish keys.
Process controls. Policies, practices and procedures play a crucial role in key
management. For example, business continuity processes may be required in
order to cope with the potential loss of important cryptographic keys.
Environmental controls. Key management must be tailored to the environment
in which it will be practiced. For example, the physical location of cryptographic
keys plays a big role in determining the key management techniques that are
used to administer them.
Human factors. Key management often involves people doing things. Every
security practitioner knows that whenever this is the case, the potential for
problems occurring is high. Many key management systems rely, at their very
highest level, on manual processes.
Thus, while cryptographic keys represent an extremely small percentage of the
data that an organisation needs to manage, many of the wider information
security issues that the organisation has to deal with (such as physical security,
access control, network security, security policy, risk management and disaster
recovery) interface with key management. Paradoxically, we will also see that
while key management exists to support the use of cryptography, we will also
need to use cryptography in order to provide key management.
The good news is that much of key management is about applying 'common
sense'. The bad news, of course, is that applying 'common sense' is often much
more complex than we first imagine. This is certainly true for key management.
 
 