Cryptography Reference
In-Depth Information
7
. Hardware security modules (HSMs) are commonly used to store cryptographic
keys.
(a) What benchmarks are used for evaluating the security of an HSM?
(b) Which organisations carry out such evaluations?
(c) Provide an example of a currently available commercial HSM technology
and provide any details that you can about the security features that it uses.
8
. Key backup is an important part of the cryptographic key lifecycle.
(a) Why is it important to back up cryptographic keys?
(b) In what ways might backup of cryptographic keys differ from backup of
more general data on a computer system?
(c) As system administrator of a small organisation deploying symmetric
cryptography for protection of all traffic on the local intranet, suggest what
techniques and procedures you will use for the backup (and subsequent
management of backed-up) cryptographic keys.
9
. In the past, the idea of mandatory key escrow in order to facilitate access
to decryption keys during an authorised government investigation has been
proposed.
(a) Explain what is meant by mandatory key escrow.
(b) What are the main problems with attempting to support mandatory key
escrow within a key management system?
(c) An alternative approach is to provide a legal framework within which
targets of an authorised investigation are 'forced' by law to reveal relevant
decryption keys. What are the potential advantages and disadvantages of
this approach?
(d) For the jurisdiction in which you currently reside, find out what (if any)
mechanisms exist for supporting an authorised government investigation
in the event that the investigators require access to data that has been
encrypted.
10
. Give an example of a real cryptographic application that:
(a) 'enforces' the principle of key separation (explain why);
(b) 'abuses' the principle of key separation (justify why, if possible).
11
. Cryptographic keys need to be destroyed at the end of their lifetime. Find out
what the latest recommended techniques are for destroying:
(a) a data key that is stored on a laptop;
(b) a master key that is stored on a server in a bank.
12
. Key management must be governed by appropriate policies, practices and
procedures.
(a) Provide one example (each) of an appropriate policy statement, practice
and procedure relating to passwords used to access a personal computer
in an office.
