Enterprise Key Management Infrastructures: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC

Agenda What is an EKMI? Components of an EKMI Auditing an EKMI ISACA members at OASIS EKMI Summary

Business Challenges Regulatory compliance –PCI-DSS, FISMA, HIPAA, SB-1386, etc. Avoiding fines –ChoicePoint: $15M, Nationwide: $2M Avoiding lawsuits –TJX (multiple), Bank of America Avoiding negative publicity to the brand –TJ Maxx, Ralph Lauren, Citibank, Wells Fargo, IBM, Ernst & Young, Fidelity, etc., etc.

The Encryption Problem ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy....and so on

Key-management silos

What is an EKMI? ● An Enterprise Key Management Infrastructure is: “A collection of technology, policies and procedures for managing all cryptographic keys in the enterprise.”

EKMI Characteristics ● A single place to define EKM policy ● A single place to manage all keys ● Standard protocols for EKM services ● Platform and Application-independent ● Scalable to service millions of clients ● Available even when network fails ● Extremely secure

EKM Harmony

The Encryption Solution WAN SKS Server Generate Protect Escrow Authorize Recover Destroy Encrypt Decrypt SKS Server Encrypt Decrypt Encrypt Decrypt Encrypt Decrypt Encrypt Decrypt Encrypt Decrypt

EKMI Components ● Public Key Infrastructure ● For digital certificate management; used for strong-authentication, and secure storage & transport of symmetric encryption keys ● Symmetric Key Management System ● SKS Server for symmetric key management ● SKCL for client interactions with SKS Server ● SKSML for SKCL-SKS communication ● EKMI = PKI + SKMS

PKI Well known, but not well understood Reputation for being costly and complex BUT –Used in every e-commerce solution –Used by DOD of most democratic nations –Citizen cards, e-Passports –Corporate Access Cards –US Personal Identity Verification (PIV) card –IETF PKIX standards

SKMS: SKS Server Symmetric Key Services Server –Contains all symmetric encryption keys –Generates, escrows and retrieves keys –ACLs authorizing access to encryption keys –Central policy for symmetric keys: Key-size, key-type, key-lifetime, etc. –Accepts SKSML protocol requests –Functions like a DNS-server

SKMS: SKCL Symmetric Key Client Library –Communicates with SKS Server –Requests (new or existing) symmetric keys –Caches keys locally, per key-cache policy –Encrypts & Decrypts data, per key-use policy Currently supports 3DES, AES-128, AES-192 & AES-256 –Makes SKSML requests –Functions like DNS-client library

SKMS: SKSML Symmetric Key Services Markup Language –Request new symmetric key(s) from SKS server, when Encrypting new information, or Rotating symmetric keys for existing ciphertext –Request existing symmetric key(s) from SKS server for decrypting previously encrypted ciphertext –Request key-cache-policy information for client

The Big Picture

Security in an SKMS Symmetric keys are encrypted with SKS server's RSA public-key for secure storage Client requests are digitally signed (RSA) Server responses are digitally signed (RSA) and encrypted (RSA) All database records are digitally signed (RSA) when stored, and verified when accessed – including history logs – for message integrity

Common KM problems Using proprietary encryption algorithm “Hiding” the encryption key on the machine Embedding encryption key in software Encrypting symmetric key with another Using a single key across the enterprise Backing up key with data on the same tape Using weak passwords for Password- Based-Encryption (PBE)

Auditing an EKMI Key-management policy Prerequisite controls: –Physical access control to EKMI machines –Logical & network access control to EKMI –Standard security controls Firewall Minimal attack-surface (minimal services) Security patches Security logging

Auditing an SKMS Client Is a hardware token being used? How many people are required to log into the token to activate it? How many people have access to token? How often is the token PIN changed? How much data is encrypted with 1 key? SHA-1 hash of client library?

Auditing an SKMS Server Is a hardware token being used? How many people are required to log into the token to activate it? How many people have access to token? How often is token PIN changed? SHA-1 hashes of server jar files?

OASIS EKMI-TC ● Standardize on Symmetric Key Services Markup Language (SKSML) ● Create Implementation & Operations Guidelines ● Create Audit Guidelines ● Create Interoperability Test-Suite

OASIS EKMI-TC Members ● FundServ, PA Consulting, PrimeKey, Red Hat, Sterling Commerce, StrongAuth, US DoD, Visa International, Wave Systems ● Booz Allen Hamilton, EMC (RSA), Entrust, Mitre Corporation, Oracle, Sigaba, Symantec ● Individuals representing Audit and Security backgrounds

ISACA – OASIS Many ISACA members from San Francisco are EKMI-TC (AGSC) members Full-day workshop scheduled for October- November 2007 –Setting up an SKMS –Operating an SKMS –Auditing an SKMS –Attacking an SKMS

Conclusion ● “Securing the Core” should have been Plan A from the beginning... but its not too late to remediate. ● OASIS EKMI-TC is driving new key- management standards that cuts across platforms, applications and industries. ● Auditing EKMIs requires new levels of knowledge and understanding. ● Get involved!

Thank you!