Key management for physical access control

June 21, 2010
Whether a physical or digital key, policies and practices for their use must be in place

How many keys have you used so far today? For most of us, this question calls to mind a limited number of traditional keys that we use at home, to start our car, to open a file cabinet, and so on. It is relatively easy to keep track of these keys because they are so visible and so frequently needed. And if we do misplace or lose a traditional key, we have a straightforward means of replacing it - we simply call a locksmith or the car dealership, and request a new one. If the loss is due to a theft, we may take the extra precaution of requesting that the lock be re-keyed, so that the stolen key will no longer work.

Ask someone who is responsible for the security of an entire building, or who manages the access privileges of a large and varied workforce, about keys and you will get a very different type of response. In today's corporate security environment, traditional keys have given way to a variety of digital keys inside access tokens such as key cards. Implementing secure access control for thousands of doors or other assets, and ensuring that the individuals authorized for access will get it readily while everyone else will be kept out is a challenging task. It requires a combination of hardware (often in the form of key cards and card readers), software, an understanding of digital security and encryption, and carefully developed key management policies and practices.

This article presents an overview of the decisions and processes involved in successful physical access control from a key management perspective.

Key Management Fundamentals

Keeping track of digital keys is called key management. The purpose of a key management system is to provide the information necessary to enforce a key management policy. The primary way a key management system does this is by keeping a cradle-to-grave record of the life of every key: the when, why and how of its creation, use, breach and destruction. That may sound like an impossible task - and it would be if digital keys were managed along the same lines as the traditional keys in our pockets.

IT professionals and key management vendors have worked for years to design key management systems that will serve the needs of all types and sizes of organizations. A key management system enables you to see and monitor the digital keys that are deployed in your corporation with the same degree of detail as you track your personal keychain, or manage the accounts receivable and other internal systems.

I will focus on the three primary phases in the life of a managed key: key generation, key usage and key breach. While it may be helpful to have in mind the keys inside a smart card such as an HID iCLASS card, these three phases define the life of any managed key, no matter where it is stored or where it is used.

Key Generation

Whether it is a physical key or a digital key, the management of a key starts with key generation. You have probably noticed that there are some keys in your pocket or purse that the local hardware store can duplicate and some that it cannot.

In well-managed systems, key generation takes place in a carefully controlled environment. Each and every key generation is recorded in a permanent log. The log includes when, where, what, why, how and who.

In not-so-well-managed systems, no records are made of who is generating keys, why they are being generated, what they are going to be used for or how they are going to be protected. A moment's reflection tells you that unmanaged key generation is the headwater of a river of downstream trouble.

It is during the generation phase that decisions about cryptographic algorithms, key length and key distribution are made. For example, in the smart card case, this is the time to decide questions such as whether cards may share keys for specific types of access or whether all keys must be unique.

Key Use

One way the physical keys and digital keys are exactly alike is that you cannot use them unless you actually possess the key. The obviousness of this statement for physical keys is matched by the lack of obviousness of the statement for digital keys. This stark difference in awareness is due in part to the fact that while we all understand what having a physical key means, it is not so clear what "having" a digital key means in practice.

In both cases, it means that if an interloper takes the key from you while you are in the act of using it, that interloper can subsequently use it too. In particular, in the digital key case, it means that the key is exposed in its unprotected, unwrapped, unclothed and natural form for everyone to see. That constitutes a key breach, which requires remedial action. So protecting the digital key during use becomes a high priority for key management.

There are a number of decisions that go into the management of a key during its use phase. The following are just examples:

- What can this key be used for and what must it not be used for?
- How do I tell if this key has been breached or otherwise compromised?
- How often is this key updated or "rolled"?

Key management is not "fire and forget" - or, in the specific case of digital keys, "generate and forget." Best-practice key management is a continuous process that monitors the health of every key every day and is prepared to take immediate action should the health of a key start to fail. This is one reason why forward-looking companies are starting to offer key management services to their access control customers.

Key Breach

Quite unlike the management of physical keys, the management of digital keys is often disconnected from the physical manifestation of the keys themselves. One area where this becomes most evident is policies regarding key breaches.

Key breach means that some incident has exposed the key to unauthorized use. In the case of a physical key, it does not necessarily mean that a malicious person is in possession of the key; and in the case of a digital key, it does not mean that the person knows the value of the key. It just means that somebody who should not be able to use the key now can.

In physical reality, key breach can mean an authorized user losing the key, or somebody making an unauthorized copy of the key. But physical key breach can also mean getting hold of a master key, learning how to bump a lock, or coming into possession of a good set of lock picks. In whatever form, the breach of a physical key - both the breach itself and the harvesting of the breach - will have numerous physical manifestations that careful observation has a very good chance of detecting.

It is quite different in digital reality. Indeed, one of the most troublesome - and most ignored - challenges of digital key management is detecting key breach. Unless something really egregious takes place whose only logical cause could be the compromise of a key, digital key breach may go undiscovered and therefore unaddressed.

Let's assume that a key breach has been discovered. In the case of a physical key loss, one remedy is to change all the locks that the breached key fits and then issue a new key to each authorized person. In almost every case, the list of locks and the list of people are completely known. Knowing the list of locks is usually sufficient, since rekeying the locks will cause the key holders to step forward and request a replacement.

What has to be done in the case of a breached digital key is just as obvious. The key has to be rolled. But doing that for a digital key is by no means as straightforward. First, the responsible key manager has to locate all the places and situations in which the digital key is being used. In the case of a physical access control system, this process might be as easy as in the case of a physical key since, after all, the digital door access is replacing a physical lock. In other cases - for example cards used to log in to computers, or for document encryption and data access - it may not be so easy to find all the breached keys.

Even when an instance of the breached value is found, changing it to a new value can surface previously unacknowledged problems. One problem can be acquiring the authorization to change the key value at all. Just because a digital key is in use does not mean that somebody can be found who can change it. In fact, there are cases in which policy decisions may make it impossible to change the value.

Suppose that somebody in security or IT can be found who does have the authorization to change the key value. It is highly likely that procedures for generating a new key value and for getting it into a form that can be used for key rolling are not frequently practiced even if they are known. All aspects of key breach detection and key rolling need to be addressed in practice to ensure that the written policies are possible and cost-effective to implement whenever the need arises.

To reconnect with the realities and practicalities of the key management for digital keys, it may be helpful to work backward from a key breach scenario. The surfacing of a roadblock to key rolling and recovery from a key breach well before an actual security issue arises has obvious advantages. It may also help to shine more light on other areas in an existing key management program where policies and practices are less than optimal.
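As an added illustration of the three phases discussed above (logged generation, purpose-bound use, and breach-driven rolling that must reach every deployment and be performed by someone authorized to do so), here is a small key register in Python. It is not code from the article or from HID; the key ids, reader names and owner names are constructed for the example, and the register is a teaching model rather than a product design.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class ManagedKey:
    key_id: str
    purpose: str                 # the one use this key is allowed for, e.g. "door-access"
    owner: str                   # who is authorized to roll (change) the key value
    version: int = 1
    value: bytes = b""
    status: str = "active"       # active | compromised
    deployments: set = field(default_factory=set)  # readers/hosts holding a copy

class KeyRegistry:
    # Cradle-to-grave register: generation, deployment, use, breach and roll are all logged.
    def __init__(self):
        self.keys, self.log = {}, []

    def _record(self, event, key_id, who, why, where="registry"):
        self.log.append({"event": event, "key": key_id, "who": who, "why": why, "where": where})

    def generate(self, key_id, purpose, who, why, owner):
        key = ManagedKey(key_id, purpose, owner, value=secrets.token_bytes(16))
        self.keys[key_id] = key
        self._record("generate", key_id, who, why)   # the when/why/who of creation
        return key

    def deploy(self, key_id, where, who):
        self.keys[key_id].deployments.add(where)      # remember every place the key lives
        self._record("deploy", key_id, who, "provision", where)

    def use(self, key_id, purpose, where, who):
        key = self.keys[key_id]
        allowed = key.status == "active" and key.purpose == purpose and where in key.deployments
        self._record("use" if allowed else "use-denied", key_id, who, purpose, where)
        return allowed

    def report_breach(self, key_id, who, why):
        key = self.keys[key_id]
        key.status = "compromised"                     # no further use until rolled
        self._record("breach", key_id, who, why)
        return sorted(key.deployments)                 # every place that now has to be re-keyed

    def roll(self, key_id, who, why):
        key = self.keys[key_id]
        if who != key.owner:                           # nobody else may change the value
            self._record("roll-denied", key_id, who, why)
            return False
        key.value, key.version, key.status = secrets.token_bytes(16), key.version + 1, "active"
        for where in key.deployments:                  # one roll record per deployment
            self._record("roll", key_id, who, why, where)
        return True
```

The log produced by the register is what lets a manager answer the questions posed earlier: what the key was used for, where it was used, and whether a denied roll left a compromised key in service.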

Key Management Benefits

This overview of key management processes provides a starting point for evaluating your company's current key management practices - whether you are working with a turnkey system from a vendor, or have implemented selected policies internally. It may also raise questions about the value of developing a comprehensive key management strategy. According to BITS, a security working group for the financial services industry, a good key management program can assist in accomplishing the following:

- Improve usability and effectiveness of key and key usage;
- Increase reliability and efficiency of key structure and key implementation;
- Reduce costs by leveraging common infrastructure and administrative processes;
- Reduce complexity and improve transparency by re-using well-defined processes and interfaces;
- Automate manual steps to reduce human error and improve consistency;
- Support a variety of keys consumed by a variety of encryption/decryption processes delivered by commercial, open-source and customer-developed applications on multiple platforms;
- Allow for segregation of key management from encryption/decryption operations;
- Improve transparency by aligning and integrating with the business processes; and
- Provide evidence of having implemented sound and secure practices.

Strong keys coupled with best-practice key management are at the foundation of token-based access control systems. Strong keys alone are not sufficient. If you are running a keyed security system, then either you buy a key management system and put in place a continuously-running key management process, or you seek a vendor that can provide these services. Running a keyed security system without a key management system underneath should not be considered an option.

Tam Hulusi is senior vice president of strategic innovation and intellectual property at HID Global, the trusted leader in providing access and ID management solutions for the delivery of secure identity.

Further Reading

Matt Blaze's classic paper on master keys is a beautiful case study of the similarities and differences of physical and cryptographic keys: http://www.crypto.com/papers/mk.pdf