If your cryptographic keys are lost or stolen – your security is severely broken

A steadily increasing number of security architects now realize that companies which skip building competence in key management, and instead rely on software to do the entire job, pose a significant security threat.
Cryptographic key management is one of the cornerstones of modern ICT systems. These keys are the gatekeepers preventing the system and the applications from being misused. Yet cryptographic keys and user credentials, including passwords, are still stored in files on local laptops or on file shares without any serious protection.

The main challenges for operation staff, security architects and security officers include:

  1. Finding all the keys in an enterprise, which is often a problem due to lack of inventory.
  2. Understanding the different types of cryptographic keys and their accessories.
  3. Lacking key-rotation makes your system halt.
  4. Handling cryptographic keys in complex infrastructure with a variety of hardware.

The vendors of Vault and Security Module software have tried to address such problems by building processes, procedures, and routines for key management into their tools. Manually written routines could thus be replaced by automation and gentle, easy-to-follow guidelines. In this way security advisors and crypto officers did not have to construct a library of manually written textual procedures, and some of the required routines could be executed more securely and more efficiently.

The danger with automation is that organizations put too much trust in the tools offered. Can you manage something you do not understand? Can you learn all you need about key management from a tool? Policies for handling cryptographic keys should be decided at company level, and training and education should be maintained at ground level. Automation should be a natural part of such strategies. So should dedicated testing and analysis of the tools supplied to the organization's ICT infrastructure. Security architects are searching for new tools that support and facilitate such testing, which has been overlooked for years.

To summarize: You should understand key management so that you can choose the right tool for protecting your keys and secrets.

Challenges Related to Operational Management of Cryptographic Keys

We previously advocated for the importance of key management for ordinary enterprises. But how do you mitigate intrinsic threats in cryptographic key management? A good start would be to apply this four-step checklist in your efforts to gain control:

1. Finding all the keys in an enterprise. In a typical enterprise there is no inventory for cryptographic keys. In practice this means the enterprise and the staff in charge do not know about all the keys. Some keys are known only to the specialists who have some responsibility for the software. If you do not know where all your keys are, and who is responsible for them, they might get lost or, even worse, stolen.

Solution: Build an inventory for cryptographic keys that is complete.

2. Understanding the different types of cryptographic keys and their accessories. Which of the keys you have are particularly important? Some keys are master keys or root keys. Everything else depends on securing these keys. Typically, there are chains of keys derived from the root/master keys that form a key hierarchy. Understanding the different key types, and their different requirements for protection, is crucial for a company to give the correct level of protection to its assets.

Solution: Understanding complicated cryptography is only possible through extensive training, and continuous learning – staff should be dedicated and get enough time to keep updated.

3. Lacking key-rotation makes your system halt. Many keys are rotated on a regular basis (once a month or once a year) to prevent compromise, reduce recovery time, and maintain compliance by following best practices. But key rotation frequently leads to downtime and problems for ICT-dependent enterprises too. When operating staff forget to rotate keys, or the tools for automated key rotation malfunction, services involving a huge number of users abruptly halt.

Solution: If key rotation routines are properly documented and well understood among the staff, you can get your system up again quickly. If you have a tool that can automate the rotation, then do so – and pay extra attention to the keys that live outside the tool and outside the scope of automation.

4. Complex infrastructure with different hardware. Most enterprises have a myriad of different hardware: laptops, tablets, printers, routers etc. These different types of hardware are equipped with keys and certificates. The challenge with crypto management is twofold: to set up and install the appropriate cryptographic content on all the various devices and make them communicate, but also to keep these devices updated with the appropriate keys so that they stay on the net. The sheer number of entities is huge, and they are spread across many locations. The user interface of peripheral devices, like printers, is cumbersome for the handling of cryptographic material.

Solution: Implement installation scripts for large stocks of hardware of the same type. Ensure that these scripts are properly documented and maintained. For all peripheral devices, build inventories of both the hardware and the cryptographic content on these hosts. Ensure that routines for managing these devices are properly documented and managed.
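
As an added sketch of the inventory from step 1 and the rotation check from step 3 (not Prosa's code or any vendor's tool), the script below walks a directory tree, records every PEM-encoded key or certificate it finds, and flags private keys stored without passphrase protection or older than a rotation age. The 365-day limit, the use of file modification time as key age, the record fields and the sample paths are assumptions; keys in DER, PKCS#12 or keystore formats are not detected.

```python
import os, pathlib, re, tempfile, time

# PEM label -> passphrase-protected? (None: not visible from the label alone)
PRIVATE = {"PRIVATE KEY": False, "RSA PRIVATE KEY": False, "EC PRIVATE KEY": False,
           "ENCRYPTED PRIVATE KEY": True, "OPENSSH PRIVATE KEY": None}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def scan_tree(root, max_age_days=365):
    """Walk root and return one inventory record per PEM object found."""
    now, records = time.time(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    text = fh.read(1_000_000)  # key files are small; cap the read
                age_days = int((now - os.path.getmtime(path)) // 86400)  # mtime ~ key age (assumption)
            except OSError:
                continue  # unreadable file: skip it, keep the inventory going
            for label, body in PEM_RE.findall(text):
                if label not in PRIVATE and label != "CERTIFICATE":
                    continue
                kind = "private-key" if label in PRIVATE else "certificate"
                # Legacy OpenSSL PEM encryption is announced by a header line.
                protected = True if "Proc-Type: 4,ENCRYPTED" in body else PRIVATE.get(label)
                records.append({"path": os.path.relpath(path, root), "kind": kind,
                                "label": label, "protected": protected, "owner": None,
                                "overdue": kind == "private-key" and age_days > max_age_days})
    return records

def needs_attention(records):
    """Paths of private keys stored unprotected or older than the rotation age."""
    return sorted(r["path"] for r in records
                  if r["kind"] == "private-key" and (r["protected"] is False or r["overdue"]))

def demo():
    """Scan a constructed sample tree; bodies are placeholder text, not real keys."""
    pem = lambda label, hdr="": f"-----BEGIN {label}-----\n{hdr}Q09OU1RSVUNURUQ=\n-----END {label}-----\n"
    sample = {"share/backup/server.key": pem("RSA PRIVATE KEY"),
              "share/app/legacy.pem": pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\n"),
              "laptop/old_signing.pem": pem("ENCRYPTED PRIVATE KEY"),
              "laptop/site.crt": pem("CERTIFICATE")}
    with tempfile.TemporaryDirectory() as root:
        for rel, content in sample.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            pathlib.Path(root, rel).write_text(content)
        old = time.time() - 400 * 86400  # backdate one key: last changed 400 days ago
        os.utime(os.path.join(root, "laptop/old_signing.pem"), (old, old))
        return scan_tree(root)
```

The `owner` field is left empty on purpose: the scan can find key material, but assigning responsibility for each entry is the manual part of building the inventory.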

Written by Anders Moen Hagalisletto (CEO) and Erik Rosen (chairman)

Prosa Security year in review and plans for 2022

2021 has been a year of growth for Prosa Security, where we’ve finally had the capacity and finances to bring on more employees. While there is still work left to do on the commercial side, we’re planning to continue our growth in 2022, both through our own efforts and with our partners.

Overview of changes in 2021

Employees

  • We brought on two new full-time employees, both as developers. Their responsibilities have so far been to integrate our solution with third-party tools, such as Sparx Systems’ Enterprise Architect, to continue development on our own tools, and to take on consultancy work when ready.
  • We’ve brought on two new part-time employees to help with research applications and bring on new commercial projects. Both have extensive contacts in the industry and academia.

New projects and development efforts

  • Two major new consultancy projects, for a large public company and for a governmental agency.
  • We have implemented 20+ new security protocols in the Prosa tools, which speeds up the modeling of new systems.
  • For our bank and fintech customers, we’ve started on a PSD2 RTS (“Payment Service 2 Regulatory Technical Standard”) template for analysing products and solutions fulfilling the strict EU regulation of banking payments.
  • Our in-house analytical tools have seen continued development, and are now in use in all consultancy work.

Other news

  • We’ve again qualified for Skattefunn, which helps fund our development and research, as well as some other support for an Innovation Norway project.
  • Together with NTNU, we’ve worked on a paper on quantum cryptography, set to be published in 2022.

Focus and goals for 2022

Our main goals are as follows:

  • Focus on building a solid economy through more commercial projects and consultancy.
  • Try to start at least one new major research project with one of our partners, preferably with some public funding.
  • Continue to fund the development of our security analysis solution through paid projects which are also useful for gaining more industry experience.