SecurityArena

Guide to Practical Info Security!

Who's Online

We have 3 guests online
CBK Cryptography
Print E-mail
Written by Administrator   
Friday, 24 July 2009 08:48
Article Index
CBK Cryptography
Definitions
Types of Ciphers
Symmetric vs Asymmetric Cryptography
Types of` Symmetric Ciphers
Types of Symmetric Systems
Types of Asymmetric Systems
One-time pad
Hybrid Encryption Methods
Public Key Infrastructure (PKI)
Hashing
Digital signatures
Key Management
Link versus end-to-end encryption
E-mail standards
Web Security
Transport Layer Security (TLS)
IPSec - Internet Protocol Security
Attacks
All Pages
Page 13 of 19

Key Management

Key management deals with the secure generation, exchange, storage, safeguarding, use, vetting, and replacement of keys.
Key management concerns keys at the user level, either between users or systems. This is in contrast to key scheduling; key scheduling typically refers to the internal handling of key material within the operation of a cipher.
In practice, most attacks on public-key systems will probably be aimed at the key management level, rather than at the cryptographic algorithm itself.

Principles

  • Users must be able to securely obtain a key pair suited to their efficiency and security needs.
  • Keys should not be in cleartext outside the cryptographic device.
  • There must be a way to look up other people's public keys and to publicize one's own public key.
  • Users must be able to legitimately obtain others' public keys; otherwise, an intruder can either change public keys listed in a directory, or impersonate another user. Certificates are used for this purpose. Certificates must be unforgeable.
  • The issuance of certificates must proceed in a secure way, impervious to attack. In particular, the issuer must authenticate the identity and the public key of an individual before issuing a certificate to that individual.
  • If someone's private key is lost or compromised, others must be made aware of this, so they will no longer encrypt messages under the invalid public key nor accept messages signed with the invalid private key.
  • Users must be able to store their private keys securely, so no intruder can obtain them, yet the keys must be readily accessible for legitimate use.
  • Keys need to be valid only until a specified expiration date but the expiration date must be chosen properly and publicized in an authenticated channel.
  • A company can choose to have multiparty control for emergency key recovery. This means that if a key needs to be recovered, more than one person is required to be involved with this process. 

Rules for key

  • The key length should be long enough to provide the necessary level of protection.
  • Keys should be stored and transmitted by secure means.
  • Keys should be extremely random and use the full spectrum of the keyspace.
  • The key’s lifetime should correspond with the sensitivity of the data it is protecting.
  • The more the key is used, the shorter its lifetime should be.
  • Keys should be backed up or escrowed in case of emergencies.
  • Keys should be properly destroyed when their lifetime comes to an end.
Last Updated on Friday, 28 August 2009 05:01
 
Please register or login to add your comments to this article.
Comments (1)
-11 Wednesday, 05 August 2009 12:44
ravi
Very helpful....
Tabulated comparisons of the two cryptography, really help to remeber...
thanx
keep up the good work
Display #
yvComment v.1.23.0
Banner
Copyright © 2010 Information Security Arena. All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.
 
Joomla 1.5 Templates by Joomlashack