Enterprise Key Management Infrastructure (EKMI). Arshad Noor, CTO, StrongAuth, Inc.; Chair, EKMI TC – OASIS; arshad.noor@strongauth.com

Post on 19-Dec-2015


Page 1: Title

Enterprise Key Management Infrastructure (EKMI)
Arshad Noor
CTO, StrongAuth, Inc.
Chair, EKMI TC – OASIS
arshad.noor@strongauth.com

Page 2: Business Challenge

• Regulatory Compliance
  – PCI-DSS, PCSA, HIPAA, FISMA, EU Directive
• Avoiding Fines
  – ChoicePoint ($15M), Nationwide Building Society ($2M), University of California – LLNL ($4M)
• Avoiding Lawsuits
  – TJX (multiple), Bank of America
• Avoiding costs due to security breaches
  – TJX ($150M)

Page 3: The Encryption Problem

[Slide repeats the same key life cycle once per application silo:]
● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy
......... and on and on

Page 4: Key Management Silos

[Diagram: many Applications, each sitting on its own Database or DB Driver and OS or its Drivers, and each with its own separate KM (key management) box; Key Management Connections run over the Network; PKI shown alongside.]

Page 5: What is an EKMI?

An Enterprise Key Management Infrastructure is:

“A collection of technology, policies and procedures for managing all cryptographic keys in the enterprise.”

Page 6: Characteristics of an EKMI

● A single place to define EKM policy
● A single place to manage all keys
● Standard protocols for EKM services
● Platform and Application-independent
● Scalable to service millions of clients
● Available even when network fails
● Extremely secure

Page 7: EKMI Harmony

[Diagram: a single EKMI made up of PKI and SKMS serves every Application, Database or DB Driver, and OS or its Drivers layer through Key Management Connections over the Network (contrast with the per-application KM boxes on Page 4).]

Page 8: The Encryption Solution

[Diagram: clients connect over the WAN to a central SKS Server and a PKI Server.]

SKS Server: • Generate • Protect • Escrow • Authorize • Recover • Destroy
PKI Server: • Issue & Manage Credentials
Each client: • Encrypt • Decrypt

Page 9: EKMI Components

● Public Key Infrastructure
  ● For digital certificate management; used for strong-authentication, and secure storage & transport of symmetric encryption keys
● Symmetric Key Management System
  ● SKS Server for symmetric key management
  ● SKCL for client interactions with SKS Server
● EKMI = PKI + SKMS

Page 10: SKMS – SKS Server

• Contains all symmetric encryption keys
  – Generates, escrows and retrieves keys
  – ACLs authorizing access to encryption keys
  – Central policy for symmetric keys: key-size, key-type, key-lifetime, etc.
  – Accepts SKSML protocol requests
  – Functions like a DNS-server

Page 11: SKMS – SKCL

• Symmetric Key Client Library
  – Communicates with SKS Server
  – Requests (new or old) symmetric keys
  – Caches keys locally (KeyCachePolicy)
  – Encrypts & Decrypts data (KeyUsePolicy)
• Supports 3DES, AES-128, AES-192 & AES-256
  – Makes SKSML requests
  – Functions like DNS-client library

Page 12: SKMS – SKSML

• Symmetric Key Services Markup Language
  – Request new symmetric key(s) from SKS server, when
    • Encrypting new information, or
    • Rotating symmetric keys
  – Request existing symmetric key(s) from SKS server for decrypting previously encrypted ciphertext
  – Request key-cache-policy information for client
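The interplay of Pages 11 and 12 (the SKCL caches keys under a KeyCachePolicy, asks the SKS for a new key when encrypting or rotating, and for an existing key when decrypting) as an added example; this is a constructed model, not StrongKey or SKCL code, and the SKS is abstracted as two callbacks (`newKey`, `getKey`) that throw when the network is down. The policy fields `keyTtlMs`, `maxEntries` and `allowStaleWhenOffline` are assumptions for the demo.

```javascript
// Constructed model of an SKCL-style key cache (not StrongKey's code). The SKS is
// abstracted as two callbacks; `now` is injectable so a test can move the clock.
class KeyCache {
  constructor(sks, policy, now = Date.now) {
    this.sks = sks;           // { newKey(): {keyId, key}, getKey(keyId): key }, throw when offline
    this.policy = policy;     // { keyTtlMs, maxEntries, allowStaleWhenOffline } (assumed fields)
    this.now = now;
    this.entries = new Map(); // keyId -> { key, cachedAt }
    this.current = null;      // keyId used for encrypting new information
  }
  fresh(e) { return this.now() - e.cachedAt < this.policy.keyTtlMs; }
  store(keyId, key) {
    if (this.entries.size >= this.policy.maxEntries) {   // evict the oldest entry
      const oldest = [...this.entries].sort((a, b) => a[1].cachedAt - b[1].cachedAt)[0][0];
      this.entries.delete(oldest);
    }
    this.entries.set(keyId, { key, cachedAt: this.now() });
  }
  // Key for encrypting new information: reuse the current key until the TTL forces
  // rotation; if the SKS is unreachable, keep using the cached key only when the
  // policy permits (the "available even when network fails" property of Page 6).
  keyForEncrypt() {
    const cur = this.current && this.entries.get(this.current);
    if (cur && this.fresh(cur)) return { keyId: this.current, key: cur.key, source: "cache" };
    try {
      const { keyId, key } = this.sks.newKey();
      this.store(keyId, key);
      this.current = keyId;
      return { keyId, key, source: "sks" };
    } catch (err) {
      if (cur && this.policy.allowStaleWhenOffline) {
        return { keyId: this.current, key: cur.key, source: "stale" };
      }
      throw err;
    }
  }
  // Key for decrypting previously encrypted ciphertext: the rotation TTL does not
  // apply (assumption: a cached copy is kept until evicted), otherwise ask the SKS.
  keyForDecrypt(keyId) {
    const e = this.entries.get(keyId);
    if (e) return { keyId, key: e.key, source: "cache" };
    const key = this.sks.getKey(keyId);
    this.store(keyId, key);
    return { keyId, key, source: "sks" };
  }
}
```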

Page 13: SKMS Big Picture

[Diagram: on the client side, C/C++, RPG and Java Applications call the SKCL (with its local Key Cache) through JNI/RPGNI; the SKCL crosses the Network to the SKS on the Application Server, which has a Crypto Module and a DB Server with its own Crypto Module. Numbered arrows 1–7 correspond to the steps below.]

1. Client Application makes a request for a symmetric key
2. SKCL makes a digitally signed request to the SKS
3. SKS verifies SKCL request, generates, encrypts, digitally signs & escrows key in DB
4. Crypto HSM provides security for RSA Signing & Encryption keys of SKS
5. SKS responds to SKCL with signed and encrypted symmetric key
6. SKCL verifies response, decrypts key and hands it to the Client Application
7. Native (non-Java) applications make requests through Java Native Interface

Page 14: SKMS Security

• Symmetric keys are encrypted with SKS server's RSA public-key for secure storage
• Client requests are digitally signed (RSA)
• Server responses are digitally signed (RSA) and encrypted (RSA)
• All database records are digitally signed (RSA) when stored, and verified when accessed – including history logs – for message integrity

Page 15: Common KM Problems

• Using proprietary encryption algorithm
• “Hiding” encryption key on the machine
• Embedding encryption key in software
• Encrypting symmetric key with another
• Using a single key across the enterprise
• Backing up key with data on the same tape
• Using weak passwords for Password-Based-Encryption (PBE)
• No key-rotation or key-compromise plan

Page 16: OASIS IDtrust Member Section

• Identity and Trusted infrastructure components
• Identity & Trust Policies; Enforcement, Education and Outreach
• Identify barriers and emerging issues
• Current Technical Committees
  – Enterprise Key Management Infrastructure TC
  – Public Key Infrastructure Adoption TC
  – Digital Signature Services TC

Page 17: OASIS EKMI TC

Four (4) objectives & Sub-Committees:
– Standardize on Symmetric Key Services Markup Language (SKSML)
– Create Implementation & Operations Guidelines
– Create Audit Guidelines
– Create Interoperability Test-Suite

Page 18: Burton Group on EKMI

"The life cycle of encryption keys is incredibly important. As enterprises deploy ever-increasing numbers of encryption solutions, they often find themselves managing silos with inconsistent policies, availability, and strength of protection. Enterprises need to maintain keys in a consistent way across various applications and business units," said Trent Henry, senior analyst, Burton Group. "EKMI will be an important step in addressing this problem in an open, cross-vendor manner."

Page 19: Current EKMI TC Members

• FundServ (Canada)
• MISMO (USA)
• NuParadigm Government Systems, Inc. (USA)
• PA Consulting (UK)
• PrimeKey (Sweden)
• Red Hat (USA)
• StrongAuth (USA)
• US Department of Defense (USA)
• Visa International (USA)
• Wave Systems (USA)
• Wells Fargo (USA)
• Many security and audit focused individuals

Page 20: Current EKMI TC Observers

• 3 Global Security Companies (Canada, US)
• Global Software Company (US)
• Global Database Company (US)
• 2 Large Consulting Companies (US)
• Government Agency (New Zealand)

Page 21: ISACA & OASIS

• Many ISACA members from San Francisco are EKMI TC (AGSC) members
• Planning underway for a full-day workshop in October-November 2007 in SFO
  – Setting up an SKMS
  – Operating an SKMS
  – Auditing an SKMS
  – Attacking an SKMS
• Potential for many ISACA workshops

Page 22: Conclusion

• “Securing the Core” should have been Plan-A from the beginning; but it's not too late to remediate
• OASIS EKMI TC is driving new standards in key-management that cut across platforms, applications and industries
• Building, securing and auditing EKMI requires new levels of knowledge and understanding
• Get involved!

Page 23: EKMI Resources

• www.oasis-open.org – Policy template, Use Cases, SKSML Schema, Presentations, White Papers, Implementation Guidelines, etc.
• www.strongkey.org – Open-source SKMS
• www.issa.org – Article on SKMS in February 2007 issue