Key Management
Key management is an essential component of cryptography and is necessary to achieve true encryption.
​
Key management is the process of regulating cryptographic keys at the user level and protecting them from loss and misuse throughout their life cycle. This includes: managing key generation, key storage, key distribution, key replacement, and key destruction.
The National Institute of Standards and Technology compares cryptographic keys to a safe’s combination. Protecting the integrity of the combination is essential to safeguarding the contents of the safe. In the same way, key management is necessary for protecting the information contained within secure communications.
​
While much of the key management discipline involves a thorough understanding of the cryptosystem, successful key management must also include operational elements, such as internal policies, training programs, and regulatory compliance. Because it is a multifaceted discipline that includes scientific and human elements, it is often difficult to execute effectively.
​
​
Generally, key management includes the following components:
Inventory
The foundation of any key management program is a thorough and accurate inventory of all keys and certificates. This inventory should include locations and owners. Inventories should be verified and updated regularly to ensure accuracy.
​
Exchange / Distribution
Key management is responsible for any necessary key exchanges. Key exchange occurs when keys are transferred between two parties, enabling the cryptographic algorithm. The key management strategy will dictate which method or protocol is used during key exchanges, oversee the process, and maintain accountability and integrity of keys during the exchange. The two primary key exchange methods are symmetric & asymmetric:
Data Received
Secret Key Encrypts & Decrypts
Symmetric Key Encryption
Data Sent
Data Encrypted
Asymmetric Key Encryption
Data Sent
Data Encrypted
Data Received
Public Key Encrypts
Private Key Decrypts
Storage
Secure storage is a primary concern for key management and includes keys before and after distribution. Depending on the nature of the communications, encryption protocols, and applicable regulations, key management programs can include a number of potential storage options for keys. Some examples include external devices, system hardware, server locations, and even the user’s memory.
Usage
Key management programs must also consider when and for how long keys are used. Considering and managing key usage is an important security measure because any discovered key unlocks the encrypted communications tied to it. Therefore, changing out keys often provides fewer chances for exposing large amounts of communications at once.
​
Destruction
The key management program must dictate the process for key destruction. This occurs when a key is no longer in use or if the key is compromised at any time during the lifecycle. There are a few methods for key destruction, including total deletion, which completely secures encrypted data as it will no longer be accessible by anyone. Under certain circumstances, key management may allow keys to be destructed with recovery options. This might be appropriate if access to the encrypted data is still necessary.
​
​
Though key management is essential, many organizations struggle with it.
It is a complicated discipline that can become convoluted as the number of keys increase. Maintaining accountability for a large number of keys throughout their lifecycle includes keeping them safe from hackers, ensuring users understand encryption protocols and have access to applicable data, and meeting relevant regulatory compliance standards.
Because key management is a cornerstone of encryption and secure communications, most regulations that highlight data privacy or cybersecurity also include mandates for key management. Some examples include: PCI-DSS, HIPAA, GDPR, and 23 NYCRR 500. Each regulation sets its own compliance standards for key management and imposes its own set of penalties for non-compliance.
While key management is complicated and presents increased challenges with scale, creating and executing effective key management programs is necessary for secure communications and increased cybersecurity.