Key Management is essentially the tools, processes and practices that together allow an enterprise to understand, maintain and control its cryptographic assets.
Many business applications today use cryptographic techniques to protect data, to ensure that the parties that data is being collected from, or distributed to, are who they are expected to be, and the integrity of the data being processed is assured. Using these cryptographic techniques involves the use of keys to encrypt or decrypt data and create or verify digital signatures. With the proliferation of business applications that use encryption and signature techniques and the vast number of entities that need keys to identify themselves, the number of keys in existence in any enterprise can be enormous. Furthermore, keeping track of which key belongs to which entity, which application needs access to which key, and what the usage policies associated with each key should be can easily get out of hand. Key management is therefore a critical aspect of a business’s ability to operate efficiently and securely.
In order to create a good key management solution it is important to not only know where all your keys are, but to be able to define who (or what application) can do what with any particular resource. Furthermore if you are not able to have confidence in identifying the person or application requesting access to the key, and the policy (what they can do with the key) is not securely enforced, then even if you safely secure your keys it may be possible for them to be used inappropriately.
For example, if the way application users authenticate themselves to your systems is not secure, attackers may be able to masquerade as legitimate users and use keys in an authorized way. This happened within DigiNotar, who, even though it used an HSM to protect its Certificate Authority signing keys, failed to adequately protect user authentication. Subsequently, attackers were able to sign bogus browser certificates without detection.
It is equally important to ensure your key management solution includes strong policy enforcement such that a legitimate user cannot confer rights on themselves that should not be available to them. For instance, if policy is defined in an unencrypted lookup table that can easily be modified, a legitimate user could be assigned inappropriate access to keys or key actions and thus carry out operations they would ordinarily not be allowed access to.
Ultimately, the policy for key usage should be securely and tightly tied to the key itself. Mandating the key only be decoded within the secure boundary of an HSM ensures strong policy enforcement and reduces the risk of attack.
Without these approaches it is easy to get lost in the sheer scale of the problem, and without good approaches and strong enforcement it is easy to create security and business continuity risks.