That classic saying neatly encompasses the need for key
management: while many tools can provide encryption
capabilities, where do the encryption keys come from? Key
Management is the set of administrative and operational
processes needed to manage cryptographic keys used for
encryption of systems or data. Typically, key management
encompasses three functions:
- Providing an encryption key for a user or system that wants to protect data
- Providing the appropriate decryption key for a user or system that wants to access encrypted data
- Allowing an administrator to specify policies that dictate who can get which keys, how keys are recovered, and how users must authenticate
How Voltage Key Management Works
Voltage employs an identity-based key management
architecture that eliminates much of the complexity
associated with traditional key management systems.
Voltage keys are given names (identities) that can be
used to reference the appropriate key. Names are
typically of the form <identifier>@<domain>,
and may represent a user, a group, or even a complex
policy. Examples of key names might include:
- jdoe@company.com -- Representing John Doe's user key
- hr@company.com -- Representing the HR department's group key
- ssndata@company.com -- Representing the set of users, systems, and applications that are allowed to access Social Security Numbers in an application infrastructure
This naming model is used both with Identity-Based
Encryption (where the name can be mathematically converted
into a public key) as well as with symmetric encryption
algorithms such as Format-Preserving Encryption and AES
(where the name is used to derive the symmetric key, as
described below).
Key Generation
When a Voltage system is first instantiated, a base key is
generated (a separate base key is generated for each
encryption algorithm; the IBE base key is often referred to
as a master secret). A one-time backup of these base keys
is performed in order to provide for disaster recovery.
When a key is requested from the Key Management Server, the
key name is used to generate the actual keying material (the
symmetric key in the case of symmetric encryption algorithms
such as FPE, AES, and 3DES, and the private key in the case
of Identity-Based Encryption). After the requesting entity
has been appropriately authenticated (described below), the
Server uses a Key Derivation Function (KDF) in order to
combine the base key and the key name, producing the actual
keying material.
Stateless Operation
This derived-key approach enables the Voltage Key Management
Server to be completely stateless.
Traditional key management architectures are highly stateful:
when a new key is required, it is randomly generated and
stored within a key database or directory. Each of these
keys must be individually backed up for disaster recovery,
replicated across distributed key servers for high
availability, and archived for audit and compliance access.
A single key that is not appropriately stored can result in
permanent loss of data. With thousands or potentially
millions of keys in a typical enterprise environment, this
state can quickly become massively expensive to manage.
Because Voltage is stateless, enabling individual encryption
keys to be generated on-demand from a base key, it
eliminates these operational complexities. If a key is
required for disaster recovery or audit purposes, it can
simply be regenerated; a one-time backup of the base keys
guarantees that data can never be "lost". Similarly, the
ability to derive keys allows deployment in a highly
distributed environment without the need to continuously
replicate keys across servers.
Other systems: Stateful                  | Voltage: Stateless
-----------------------------------------+-----------------------------------------------------------------
Constant backups required                | One-time backup
Key replication required among servers   | No replication required - all servers can derive the same keys
Lost key can result in lost data         | Keys can never be lost
Key Lifecycle
In many applications, it is important to control how long
keys are used to encrypt data, and to refresh keys on a
regular schedule. The Voltage Key Management System
incorporates a key expiration and derivation system that
allows complete management of the key lifecycle. All keys
in the Voltage System contain an inherent time reference
that determines when that key is to be automatically cycled.
Voltage-managed keys can also reference distinct base keys,
allowing for policy-based key refreshes.
Authentication
Authentication is a critical aspect of any key management
architecture; it ensures that keys are only distributed to
those users or systems that are appropriately authorized.
Voltage employs a federated authentication model that allows
users, systems, and applications to be authenticated using
nearly any mechanism. From the Voltage Key Management
Server, security administrators can easily associate key
names with the desired authentication method, including LDAP,
Active Directory, single sign-on systems, client
certificates, and customer portals. For example, the key
hr@company.com can be associated with an existing Active
Directory group, ensuring that any member of that group is
granted the appropriate access to the key.
Multiple authentication methods can be defined within a
given system, and Voltage offers a simple pluggable API that
allows custom authentication mechanisms to be rapidly
integrated.
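The following is an added example, written for this page and not Voltage's own code, that ties together the flow described under Key Generation, Stateless Operation, Key Lifecycle and Authentication: a server that holds only base keys and policy, authenticates the requester through a pluggable authenticator, and then derives the named key from the base key and key name. It assumes HKDF-SHA256 (RFC 5869) as the KDF (the page does not name Voltage's KDF), a monthly cycle as the key's time reference, and a constructed in-memory directory standing in for LDAP or Active Directory; the names KeyServer, directory_auth, POLICIES, BASE_KEYS and DIRECTORY are hypothetical.

```python
import hashlib
import hmac
from datetime import date

# HKDF-SHA256 (RFC 5869) stands in for the KDF; the page does not name Voltage's KDF.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Constructed base keys, one per algorithm (the IBE one is the "master secret").
# A real deployment generates these randomly once and backs them up once; they
# are derived from a label here only so the example is reproducible.
BASE_KEYS = {
    alg: hashlib.sha256(b"constructed base key: " + alg.encode()).digest()
    for alg in ("AES", "FPE", "IBE")
}

# Constructed stand-in for an LDAP / Active Directory directory (not real credentials).
DIRECTORY = {
    "jdoe@company.com": {"password": "jdoe-pass", "groups": {"staff"}},
    "hlee@company.com": {"password": "hlee-pass", "groups": {"staff", "hr", "ssn-readers"}},
}

def directory_auth(principal: str, credential: str, required_group: str) -> bool:
    """Pluggable authenticator: check the credential and the group membership."""
    entry = DIRECTORY.get(principal)
    return (entry is not None
            and hmac.compare_digest(entry["password"], credential)
            and required_group in entry["groups"])

# Key name -> (authentication method, group allowed to obtain that key).
POLICIES = {
    "hr@company.com": ("directory", "hr"),
    "ssndata@company.com": ("directory", "ssn-readers"),
}

class KeyServer:
    """Holds only base keys, policy and authenticators: there is no per-key database."""

    def __init__(self, base_keys, policies, authenticators):
        self.base_keys = base_keys
        self.policies = policies
        self.authenticators = authenticators

    @staticmethod
    def period(day: date) -> str:
        # The key's inherent time reference: keys cycle monthly in this example.
        return f"{day.year:04d}-{day.month:02d}"

    def derive(self, key_name: str, algorithm: str, day: date) -> bytes:
        # Name, algorithm and period are all bound into the derivation, so any
        # server holding the same base key derives exactly the same key.
        prk = hkdf_extract(algorithm.encode(), self.base_keys[algorithm])
        info = f"{key_name}|{algorithm}|{self.period(day)}".encode()
        return hkdf_expand(prk, info, 32)

    def request_key(self, principal, credential, key_name, algorithm, day=None):
        # Authenticate and authorize first; keying material is derived only on success.
        if key_name not in self.policies:
            raise PermissionError(f"no policy for key name {key_name}")
        method, group = self.policies[key_name]
        if not self.authenticators[method](principal, credential, group):
            raise PermissionError(f"{principal} may not obtain {key_name}")
        return self.derive(key_name, algorithm, day or date.today())

def make_server() -> KeyServer:
    return KeyServer(BASE_KEYS, POLICIES, {"directory": directory_auth})

def _denied(server, *args) -> bool:
    try:
        server.request_key(*args)
    except PermissionError:
        return True
    return False

def demo() -> dict:
    a, b = make_server(), make_server()  # two independent server instances, same base keys
    jan, feb = date(2024, 1, 15), date(2024, 2, 15)
    hr_jan = a.request_key("hlee@company.com", "hlee-pass", "hr@company.com", "AES", jan)
    return {
        "same_key_on_both_servers": hr_jan == b.request_key("hlee@company.com", "hlee-pass", "hr@company.com", "AES", jan),
        "cycled_next_period": hr_jan != a.request_key("hlee@company.com", "hlee-pass", "hr@company.com", "AES", feb),
        "bound_to_name": hr_jan != a.request_key("hlee@company.com", "hlee-pass", "ssndata@company.com", "AES", jan),
        "bound_to_algorithm": hr_jan != a.request_key("hlee@company.com", "hlee-pass", "hr@company.com", "FPE", jan),
        "non_member_denied": _denied(a, "jdoe@company.com", "jdoe-pass", "hr@company.com", "AES", jan),
        "bad_credential_denied": _denied(a, "hlee@company.com", "wrong", "hr@company.com", "AES", jan),
        "unknown_name_denied": _denied(a, "hlee@company.com", "hlee-pass", "nokey@company.com", "AES", jan),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The two server instances share nothing but the base keys, yet return identical keying material for the same name and period, which is the property that lets a one-time base-key backup replace per-key backups and replication. Because the period is part of the derivation context, a key for February is a different key from January's, and because the policy lookup and authenticator run before any derivation, a requester who is not in the mapped group never causes a key to be produced.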