Key management for physical access control

Whether a physical or digital key, policies and practices for their use must be in place


How many keys have you used so far today? For most of us, this question calls to mind a limited number of traditional keys that we use at home, to start our car, to open a file cabinet, and so on. It is relatively easy to keep track of these keys because they are so visible and so frequently needed. And if we do misplace or lose a traditional key, we have a straightforward means of replacing it - we simply call a locksmith or the car dealership, and request a new one. If the loss is due to a theft, we may take the extra precaution of requesting that the lock be re-keyed, so that the stolen key will no longer work.

Ask someone who is responsible for the security of an entire building, or who manages the access privileges of a large and varied workforce, about keys and you will get a very different type of response. In today's corporate security environment, traditional keys have given way to a variety of digital keys inside access tokens such as key cards. Implementing secure access control for thousands of doors or other assets, and ensuring that the individuals authorized for access will get it readily while everyone else will be kept out is a challenging task. It requires a combination of hardware (often in the form of key cards and card readers), software, an understanding of digital security and encryption, and carefully developed key management policies and practices.

This article presents an overview of the decisions and processes involved in successful physical access control from a key management perspective.

Key Management Fundamentals

Keeping track of digital keys is called key management. The purpose of a key management system is to provide the information necessary to enforce a key management policy. The primary way a key management system does this is by keeping a cradle-to-grave record of the life of every key, every when, why and how of its creation, use, breach and destruction. That may sound like an impossible task - and it would be if digital keys were managed along the same lines as the traditional keys in our pockets.

IT professionals and key management vendors have worked for years to design key management systems that will serve the needs of all types and sizes of organizations. A key management system enables you to see and monitor the digital keys that are deployed in your corporation with the same degree of detail as you track your personal keychain, or manage the accounts receivable and other internal systems.

I will focus on the three primary phases in the life of a managed key: key generation, key usage and key breach. While it may be helpful to have in mind the keys inside a smart card such as an HID iCLASS card, these three phases define the life of any managed key, no matter where it is stored or where it is used.

Key Generation

Whether it is a physical key or a digital key, the management of a key starts with key generation. You have probably noticed that there are some keys in your pocket or purse that the local hardware store can duplicate and some that it cannot.

In well-managed systems, key generation takes place in a carefully controlled environment. Each and every key generation is recorded in a permanent log. The log includes when, where, what, why, how and who.

In not-so-well-managed systems, no records are made of who is generating keys, why they are being generated, what they going to be used for or how they are going to be protected. A moment's reflection tells you that unmanaged key generation is the headwater of a river of downstream trouble.

It is during the generation phase that decisions about cryptographic algorithms, key length and key distribution are made. For example, in the smart card case, this is the time to decide questions such as whether cards may share keys for specific types of access or whether all keys must be unique.

Key Use

This content continues onto the next page...