One Perspective on Key Management Key Management - One Perspective 18 May 2009 “Encryption is easy. Key management is hard. Really hard. The difficulty arises not from the complexity of keys and encryption schemes, approaches to them, or their applications, but from the impacts of encrypted data to operational systems and procedures. One perspective on key management provides insight into implementing encrypted data storage in a typical n-tiered system and identifying the impacted concerns with appropriate implementation strategies for mitigating them.” 18 May 2009 I’m not paranoid – everybody IS after me! 1 One Perspective on Key Management Introduction and Scope OK, let’s call this slide the “Disclaimer…” The information and insights provided here are an attempt at abstracting the lessons learned from an architectural and implementation effort of a PCI DSS-compliant n-tiered system. This information is a single perspective on the very broad topic of key management. The perspective is limited to the concerns of: ▪ Symmetric encryption of stored data ▪ Producers and Consumers of data in an n-tiered system ▪ N-tiered system performance ▪ Complete encryption key lifecycle management 18 May 2009 I’m not paranoid – everybody IS after me! 2 One Perspective on Key Management Objective 1. 2. 3. 4. 5. Why is there a need manage encryption keys What does managing of encryption keys entail How does key management impact n-tiered systems How to mitigate key management impacts to n-tiered systems Resources Word of the Day: “Re-cryption”: The act of decrypting data with one key and encrypting it with a different key. 18 May 2009 I’m not paranoid – everybody IS after me! 3 One Perspective on Key Management Keys – Why? This is a trivialization but… Encoding is an obfuscation of data whereby anyone who knows the algorithm can “encode” and “decode” data. Encryption is an obfuscation of data whereby everyone knows the algorithm to “encrypt” and “decrypt” data, but only those who know the key used to encrypt the data can actually decrypt it. So… (and without an argument on complexity) If you’re using encoding and your algorithm is compromised, you need to recode your system to re-protect your data. If you’re using encryption and your key is compromised, you only need to change the value of your key to re-protect your data. Therefore … (you’re using encryption – right?) You need a mechanism for changing keys and “re-crypting” data, otherwise you’re no better off than using encoding because changing your key is invasive – Welcome to Key Management 18 May 2009 I’m not paranoid – everybody IS after me! 4 One Perspective on Key Management Key Management – What is it? Assuming that you’ve selected an appropriate, well vetted symmetric encryption technology, managing the keys that will be used to perform encryption and decryption is comprised of: – – – – – – – Creation of keys Storage of keys Key lifetime (cryptoperiod) Access of keys for encryption/decryption Execution of the key lifecycle Auditing of key lifecycle Managing a compromise of a key or set of keys 18 May 2009 I’m not paranoid – everybody IS after me! 5 One Perspective on Key Management Key Management – I Creation of keys: Look for a cryptographic library that provides for generation of keys. That will help you avoid having to manage multiple parties with independent key parts (think of the guys with the two keys to arm the nukes in a submarine). This way the keys can be generated by the system and humans will never know them. Storage of keys: You’ll need at least two keys: • • • • One for encrypting data (called a DEK for Data Encryption Key) One for encrypting the storage of the DEK (called a KEK for Key Encryption Key) The DEK and the KEK will need to be stored on separate physical systems so that if one if compromised, the other is not You might want to think about some kind of encryption or obfuscation of your KEK, but that is not a requirement from a strict PCI standpoint Key lifetime (Cryptoperiod) Keys should have a usage period and lifetime akin to data retention period. 18 May 2009 I’m not paranoid – everybody IS after me! 6 One Perspective on Key Management Key Management – II Access of keys for encryption/decryption: You’ll need to decide on how keys are accessed considering: • • Keys will need to be transmitted across components of your system do to the physical separation of DEK and KEK storage Do you embed the crypto routines in the tier using them or do you provide a crypto service, in which case you’ll need to consider how data is securely exchanged between application code and crypto services Execution of key lifecycle: Keys have the following states at a minimum: • • • • Current Retired Expired Deleted (NIST: Active) – used to encrypt and decrypt data (NIST: Deactivated) – used to only to decrypt data (NIST: Compromised) – used only to decrypt data of a compromised key (NIST: Destroyed) – historical reference to a key that no longer exists You’ll want to automate the key state transitions in accordance with your key lifetime policy. This is especially true if your data retention period is longer that your combined current and retired key lifetimes as you’ll need to be re-crypting. Make sure that key state transition operations are atomic! (Well, at least from the perspective of the caller) 18 May 2009 I’m not paranoid – everybody IS after me! 7 One Perspective on Key Management Key Management – III Auditing of the key lifecycles: You need to audit state transitions of keys. This is one of the compelling reasons for storing your keys in a database. So, build a data model that lets you store information about keys. Managing a compromise: If you have evidence that a some un-trusted entity has gained access to a key or set of keys, you’ll want an interface to initiate the transition of the suspect-keys to the compromised state and then initiate a re-cryption of data that was using those keys. If the keys that were compromised are all retired keys, the current key can be used to re-crypt. If the current key is compromised, a new current key will need to be created to be used for re-cryption. 18 May 2009 I’m not paranoid – everybody IS after me! 8 One Perspective on Key Management Key Lifecycle Snapshot This is the key lifecycle according to NIST: As interesting as a “pre-activation” state may be, I think it’s excessive and not needed. “Current” “Retired” “Expired” With proper historical information, the “destroyed” NIST state really is only a state transition and not a real state. Either way, your end state is “deleted”. “Compromised” is different in that you need to keep the “compromised” key around long enough to decrypt any data using it so that it can re-crypted with a new key. “Deleted” Source: http://csrc.nist.gov/groups/ST/toolkit/key_management.html 18 May 2009 I’m not paranoid – everybody IS after me! 9 One Perspective on Key Management Key Creation Example This is an example of the steps executed during the creation of a key: Symmetric Server Assumptions: 1 No PANs are stored beyond 12 months. New Key Request 2 Symmetric keys are paired with a sequence number. The sequence number is stored with the corresponding encrypted data so that the decrypt process can use appropriate key (current versus retired). This daily key retiring strategy allows us to expire keys without re-encryption except in the case where we believe we have a compromised key or set of keys (current and/or retired). Sequence number zero is reserved for default key signifier. The default key is used to avoid transaction failures in the event the Symmetric Key Server is unresponsive. A scheduled job exists to detect PANs stored with default keys and re-encrypted them (see PAN Scanner tab). DEK: Data Encryption Key KEK: Key Encryption Key MCK: Microsoft.Net Machine.config Key 18 May 2009 Encrypted Decrypted MCK Symmetric Keys are retired on a daily basis. There is only one symmetric key (one DEK and one KEK) for current use. After 1 day, the current keys are retired. Retired keys are deleted after 12 months. MCK 5 Retire Current DEK 3 Retire Current KEK 4 6 Create new Current KEK Create new Current DEK Database Cluster 1 Database Cluster 2 MCK Encrypted KEK KEK Encrypted DEK Rijndael Keyring Rijndael Keyring I’m not paranoid – everybody IS after me! 10 One Perspective on Key Management Key Audit/Management Example This is an example of a user interface exposing the auditing and compromise response initiation capabilities: 18 May 2009 I’m not paranoid – everybody IS after me! 11 One Perspective on Key Management Aspects of N-tiered Systems Producers and Consumers External Systems Users Internal Processes Besides the typical software architectural tiers, there are three, no make that four aspects of n-tiered systems that need to be considered: ▪ Producers and Consumers Systems User and System Interfaces Business and Data Tiers Encryption Services 18 May 2009 ▪ Systems ▪ Software/applications that are performing operations on behalf of the producers and consumers ▪ Storage ▪ Encrypted data ▪ Encryption Keys Storage Stored Data ▪ People that read/write data ▪ External systems that read/write data ▪ Internal processes (think cron jobs) Keys ▪ Business – yes as much as we’d like to ignore it, we must consider risk… I’m not paranoid – everybody IS after me! 12 One Perspective on Key Management Impacts to N-tiered Systems Introducing encrypted data storage adds the following: – – – – Encryption adds overhead to storing data Decryption adds overhead to retrieving data Encrypted data is not readily available for ad-hoc operations through non-encryption-aware software like SQL or analytic studios Backed up encrypted data is not readily restored to systems without access to corresponding keys Introducing key management adds the following: – – – – Keys are not well known so they somehow must be paired with the data that’s been encrypted with them Re-crypting large datasets can be operationally intensive Multiple keys need to be backed up and backups need to honor key lifetime policies Failure to access key storage systems can block critical data storage operations 18 May 2009 I’m not paranoid – everybody IS after me! 13 One Perspective on Key Management Concerns from the N-tiered Context Data producers and consumers: – – – Certain data storage operations are critical and need to occur regardless of key availability: consider taking a payment, you never want that to fail Access to encrypted data in whole but more often than not, only in part: consider the “last 4” example of SSNs and PANs How do the cryptoperiods and data retention policies interact Systems: – – – How do you manage re-cryption on a large dataset without impacting operational performance How do you know which key was used What impacts will addressing the other concerns create Storage: – Backups: “What do you mean that I really need to re-crypt my backups?” Business: – What opportunities exist for reducing risk 18 May 2009 I’m not paranoid – everybody IS after me! 14 One Perspective on Key Management Keeping Track of Key Usage The encryption/decryption aspects of an n-tiered system enabled for key management are going to need to know which key was used to encrypt any given data. This implies: – – – Have a data model that tracks an integer key identifier for each key: use integers for speed Store the key identifier with the data that it was used with In SQL, store the identifier as a column as opposed to something like a serialized object encapsulating the key identifier and data: keeping the identifier easily query-able will greatly speed up searching for key usages during operations like a mass re-crypt The following slides presents an example data model for DEK and KEK storage. 18 May 2009 I’m not paranoid – everybody IS after me! 15 One Perspective on Key Management DEK/KEK Data Model Example Key Table Data Model (DEK) Data Type Sequence ID Int [IDENTITY] Encrypted Key Notes Important Sequence IDs: base key = 100 Note that the default key will never be stored in the Key database table. In fact, no key with a Sequence ID under 100 will ever be stored in the database. Those ids are reserved for keys that will exist outside of the database and hence the normal retirement scheme. Consists of two columns, Key [varchar(260)] and InitializationVector [varchar(260)] Encryption Sequence ID Int References (think “foreign key”) to the KEK that the DEK was encrypted with. Status Enumeration, see notes. Key Status Enumeration Current ~ only ever one Retired ~ 0 to 364 Expired ~ 0 to 365 Deleted ~ unlimited Create Date Date time This field helps to monitor and audit the lifecycle of each key. It’s value is set when the key is created. Expire Date Date time This date is updated when the key is expired either by an explicit action on part of a user or through a scheduled background process. In conjunction with the expiration reason, this field helps monitor the lifecycle of each key Expiration Reason Text Example – “Believed comprised by hacker on ip xx.xx.xx.xx” 18 May 2009 Key Table Data Model (KEK) Data Type Notes Sequence ID Int [IDENTITY] Important Sequence IDs: base key = 100 Note that the default key will never be stored in the Key database table. In fact, no key with a Sequence ID under 100 will ever be stored in the database. Those ids are reserved for keys that will exist outside of the database and hence the normal retirement scheme. Encrypted Key Consists of two columns, Key [varchar(260)] and InitializationVector [varchar(260)] Status Enumeration, see notes. Key Status Enumeration Current ~ only ever one Retired ~ 0 to 364 Expired ~ 0 to 365 Deleted ~ unlimited Create Date Date time This field helps to monitor and audit the lifecycle of each key. It’s value is set when the key is created. Expire Date Datetime This date is updated when the key is expired either by an explicit action on part of a user or through a scheduled background process. In conjunction with the expiration reason, this field helps monitor the lifecycle of each key Expiration Reason Text The expiration reason helps: 1. offer insight into the reasons that a key might have been automatically expired by a background process, and 2. Meet auditing requirements in situations when a personnel explicitly expires a key from a key management user interface. An example for a value in this field might be “Key deleted normally” I’m not paranoid – everybody IS after me! 16 One Perspective on Key Management Critical Data Storage Operations Certain operations should never fail, even if access to the segregated key storage subsystems fails. To mitigate: – – Implementing the encryption worker close to the application Implementing a “default” key in the encryption worker so that encryption can always succeed This creates a new impact: data encrypted with this default key will need to be re-crypted as soon as possible. This is because the default key will need to be persisted where the encryption worker lives unlike keys accessed from the storage subsystem. The means they will be exposed if that application environment is compromised. To mitigate: – Implementing a scanner for default key usage The following slide presents a cadence of scanner for default key usage. 18 May 2009 I’m not paranoid – everybody IS after me! 17 One Perspective on Key Management Default Key Cadence Example Normal cadence: (run every 30 minutes) 1: Where PAN is using default DEK, re-encrypt using current DEK (see diagram below) 2: Per scan, if total count of default DEK occurrence exceeds threshold, generate alarm 2 Databases searched for default key usage 3 Database Servers Default Key Encrypted PAN over DB connection 6 Current DEK Encrypted PAN over DB connection Ops Server Symmetric KEY Server 1 (see Symmetric Key Server tab) Scheduled Job 5 Rijndael DEK over SSL 4 DEK Request over SSL 18 May 2009 DEK: Data Encryption Key KEK: Key Encryption Key MCK: Microsoft.Net Machine.config Key I’m not paranoid – everybody IS after me! 18 One Perspective on Key Management Lifetimes and Access Implications Repeating the questions of: – – Access to encrypted data in whole but more often than not, only in part: consider the “last 4” example of SSNs and PANs How do the cryptoperiods and data retention policies interact We need to consider the use cases of the data we are encrypting, the cryptoperiods, and any applicable data retention policies. Consider: – Does the data need to be retained longer than the total cryptoperiod If so, consider using current keys with a cryptoperiod of 1 day so that your daily re-crypt load is limited, once you’ve automated your lifecycle, this is a snap – Do we need to retain complete data or is some masked of it acceptable like first 4, last 4 of PANs – Are there use cases where only a mask of the data is needed If so, there’s a great opportunity for performance optimizations. Consider storing the masked data along with the data at initial save/encrypt time. This way you can present the masked data when the full data isn’t needed with decrypt. This removes the need to decrypt and mask when deleting full data. 18 May 2009 I’m not paranoid – everybody IS after me! 19 One Perspective on Key Management Encrypt/Decrypt Sequence Example Physical Server n Symmetric Key Server Application Code EncryptionWrapper Component Consider extending with a “format spec” so that “safe” data can be returned. DEK Web Service Encrypt(Data) WS DEK Request over SSL DEK Response over SSL Encrypt Data With the “format spec”, some “safe” form of the data can be returned and saved unencrypted. E.g., First 4, Last 4 of a PAN Encrypted data, Key ID Physical Server n Symmetric Key Server Application Code EncryptionWrapper Component DEK Web Service Decrypt(Data, Key ID) WS DEK Request over SSL DEK Response over SSL Decrypt Data Decrypted data 18 May 2009 I’m not paranoid – everybody IS after me! 20 One Perspective on Key Management Key Access Example 6 KEK encrypted Rijndael DEK over DB Connection Database Cluster 1 Web Heads 5 Symmetric Key Server DEK Request over DB Connection KEK Encrypted Rijndael DEK 7 1 Rijndael DEK over SSL DEK Request over SSL 4 KEK Encrypted DEK Decrypted MCK Rijndael Keyring Encrypted MCK 3 MCK encrypted Rijndael KEK over DB Connection Database Cluster 2 2 KEK Request over DB Connection MCK Encrypted Rijndael KEK DEK: Data Encryption Key KEK: Key Encryption Key MCK: Microsoft.Net Machine.config Key 18 May 2009 MCK Encrypted KEK Rijndael Keyring I’m not paranoid – everybody IS after me! 21 One Perspective on Key Management Performance and Risk Revisiting these questions: – – How do you manage re-cryption on a large dataset without impacting operational performance What opportunities exist for reducing risk While coming from separate areas of concern, they can be addressed by the same consideration: – As we’ve already stated, use a very short cryptoperiod for your current key, like one day This way you reduce the set of data used by a single key. Reducing the set of data means that you limit re-cryption as your retired keys are deleted, and in event of a compromise you need to re-crypt less data, and you expose less data for any given key that is compromised. 18 May 2009 I’m not paranoid – everybody IS after me! 22 One Perspective on Key Management The Benefit of Lots of Keys I know I keep harping on this, but here’s another example: If you have lots of keys, you reduce the number of keys that can be leeched or snooped out of a system at any one time and if you partition their storage you further reduce the number that can be exposed through a server or storage compromise. Ultimately this means that less data can be compromised and less data exposed reduces the severity/consequence which means less financial risk! 18 May 2009 I’m not paranoid – everybody IS after me! 23 One Perspective on Key Management Normal Key Lifecycle Cadence Example Normal cadence: (run daily) 1: Where PAN/order is older than 1 year, set PAN to null in PAN storage object (see diagram below) 2: Delete retired key where age >= 365 days - annotation: key deleted normally 3: Retire current key and Create new current key as atomic operation 2 Databases searched for PANs/orders older than 1 year 3 Database Servers PAN storage objects over DB connection 4 Ops Server Empty (null) PANs over DB connection 1 Scheduled Job DEK: Data Encryption Key KEK: Key Encryption Key MCK: Microsoft.Net Machine.config Key 18 May 2009 I’m not paranoid – everybody IS after me! 24 One Perspective on Key Management Compromised Key Cadence Example Compromised current key cadence: (on demand) 1: Expire current key - annotation is submitted through key manangement UI 2: Create new key 3: Where PAN is using newly expired current key, re-encrypt using newly created current key (see diagram below) 4: Delete expired key Compromised retired key cadence: (on demand) 1: Expire compromised retired keys - annotation is submitted through key manangement UI 2: Where PAN is using any of the newly expired retired keys, re-encrypt using current key (see diagram below) 3: Delete expired keys 2 Databases searched for expired key usage 3 Database Servers Expired Key Encrypted PAN over DB connection 6 Current DEK Encrypted PAN over DB connection Ops Server Symmetric KEY Server 1 (see Symmetric Key Server tab) On-demand Job 5 Rijndael DEK over SSL 4 DEK Request over SSL 18 May 2009 DEK: Data Encryption Key KEK: Key Encryption Key MCK: Microsoft.Net Machine.config Key I’m not paranoid – everybody IS after me! 25 One Perspective on Key Management Backups and Et Cetera Backups/archives present a set of unique challenges: – Since keys reside in segregated storage, they need to be able to paired back to the data that’s been encrypted with them By keeping a key identifier with the encrypted data that is unique across your business systems, it shouldn’t be too difficult to restore into a domain where the keys are present and decrypt. – In the event of a compromise, data encrypted with the keys being expired will need to be re-crypted This one is trickier… if you can easily restore and re-crypt before deleting the compromised keys, great. If you cannot, one strategy is to make a full backup of your current environment once the compromise re-crypt has completed and then delete previous backups containing data encrypted with the compromised key. Either way, this can be highly problematic with large data sets and data warehouse environments. And then there’s that whole ad-hoc access of data thing… 18 May 2009 I’m not paranoid – everybody IS after me! 26 One Perspective on Key Management Resources NIST Key Management Project http://csrc.nist.gov/groups/ST/toolkit/key_management.html NIST Key Management Workshop June 8-9, 2009 http://csrc.nist.gov/groups/ST/key_mgmt/ RFC4107 http://www.rfc-editor.org/rfc/rfc4107.txt IEEE Key Management Summit http://www.keymanagementsummit.com StrongKey Open Source Project http://www.strongkey.org Oasis Enterprise Key Management Infrastructure http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi 18 May 2009 I’m not paranoid – everybody IS after me! 27
© Copyright 2024