Enterprise Key Management Infrastructures: Understanding them before auditing them

1
Enterprise Key Management Infrastructures
Understanding them before auditing them
  • Arshad Noor
  • CTO, StrongAuth, Inc.
  • Chair, OASIS EKMI-TC

2
Agenda
  • What is an EKMI?
  • Components of an EKMI
  • Auditing an EKMI
  • ISACA members at OASIS EKMI
  • Summary

3
Business Challenges
  • Regulatory compliance
      • PCI-DSS, FISMA, HIPAA, SB-1386, etc.
  • Avoiding fines
      • ChoicePoint 15M, Nationwide 2M
  • Avoiding lawsuits
      • TJX (multiple), Bank of America
  • Avoiding negative publicity to the brand
      • TJ Maxx, Ralph Lauren, Citibank, Wells Fargo,
        IBM, Ernst & Young, Fidelity, etc., etc.

4
The Encryption Problem
....and so on

5
Key-management silos

6
What is an EKMI?
  • An Enterprise Key Management Infrastructure
    is a collection of technology, policies and
    procedures for managing all cryptographic keys in
    the enterprise.

7
EKMI Characteristics
  • A single place to define EKM policy
  • A single place to manage all keys
  • Standard protocols for EKM services
  • Platform and Application-independent
  • Scalable to service millions of clients
  • Available even when network fails
  • Extremely secure

8
EKM Harmony

9
The Encryption Solution

10
EKMI Components
  • Public Key Infrastructure
      • For digital certificate management used for
        strong-authentication, and secure storage and
        transport of symmetric encryption keys
  • Symmetric Key Management System
      • SKS Server for symmetric key management
      • SKCL for client interactions with SKS Server
      • SKSML for SKCL-SKS communication
  • EKMI = PKI + SKMS

11
PKI
  • Well known, but not well understood
  • Reputation for being costly and complex
  • BUT.......
  • Used in every e-commerce solution
  • Used by DOD of most democratic nations
  • Citizen cards, e-Passports
  • Corporate Access Cards
  • US Personal Identity Verification (PIV) card
  • IETF PKIX standards

12
SKMS SKS Server
  • Symmetric Key Services Server
  • Contains all symmetric encryption keys
  • Generates, escrows and retrieves keys
  • ACLs authorizing access to encryption keys
  • Central policy for symmetric keys
      • Key-size, key-type, key-lifetime, etc.
  • Accepts SKSML protocol requests
  • Functions like a DNS-server

13
SKMS SKCL
  • Symmetric Key Client Library
  • Communicates with SKS Server
  • Requests (new or existing) symmetric keys
  • Caches keys locally, per key-cache policy
  • Encrypts and decrypts data, per key-use policy
  • Currently supports 3DES, AES-128, AES-192 and
    AES-256
  • Makes SKSML requests
  • Functions like DNS-client library

14
SKMS SKSML
  • Symmetric Key Services Markup Language
  • Request new symmetric key(s) from SKS server,
    when
      • Encrypting new information, or
      • Rotating symmetric keys for existing ciphertext
  • Request existing symmetric key(s) from SKS server
    for decrypting previously encrypted ciphertext
  • Request key-cache-policy information for client

15
The Big Picture

16
Security in an SKMS
  • Symmetric keys are encrypted with SKS server's
    RSA public-key for secure storage
  • Client requests are digitally signed (RSA)
  • Server responses are digitally signed (RSA) and
    encrypted (RSA)
  • All database records, including history logs,
    are digitally signed (RSA) when stored, and
    verified when accessed, for message integrity

17
Common KM problems
  • Using proprietary encryption algorithm
  • Hiding the encryption key on the machine
  • Embedding encryption key in software
  • Encrypting symmetric key with another
  • Using a single key across the enterprise
  • Backing up key with data on the same tape
  • Using weak passwords for Password-Based-Encryption
    (PBE)

18
Auditing an EKMI
  • Key-management policy
  • Prerequisite controls
      • Physical access control to EKMI machines
      • Logical network access control to EKMI
  • Standard security controls
      • Firewall
      • Minimal attack-surface (minimal services)
      • Security patches
      • Security logging

19
Auditing an SKMS Client
  • Is a hardware token being used?
  • How many people are required to log into the
    token to activate it?
  • How many people have access to token?
  • How often is the token PIN changed?
  • How much data is encrypted with 1 key?
  • SHA-1 hash of client library?

20
Auditing an SKMS Server
  • Is a hardware token being used?
  • How many people are required to log into the
    token to activate it?
  • How many people have access to token?
  • How often is token PIN changed?
  • SHA-1 hashes of server jar files?
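
The hash questions on slides 19 and 20 (client library, server jar files) come down to comparing deployed files against a baseline recorded at install time. The script below is an added example, not part of the original presentation or of any SKMS product; the file names and directory layout are hypothetical. The slides name SHA-1, so that is the default, but the algorithm is a parameter so a baseline can use SHA-256 instead.

```python
# Added example: compare deployed SKMS files against a trusted hash baseline.
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha1"):
    """Hash a file in chunks so large jar files are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_directory(root, baseline, algorithm="sha1", pattern="*.jar"):
    """Report files that changed, are missing, or are absent from the baseline.

    baseline maps a path relative to root -> expected hex digest, recorded at
    install time and kept where the audited host cannot modify it.
    """
    root = Path(root)
    deployed = {p.relative_to(root).as_posix(): file_digest(p, algorithm)
                for p in root.rglob(pattern) if p.is_file()}
    return {
        "modified": sorted(n for n in baseline
                           if n in deployed and deployed[n] != baseline[n].lower()),
        "missing": sorted(n for n in baseline if n not in deployed),
        "unexpected": sorted(n for n in deployed if n not in baseline),
    }


def demo():
    """Constructed sample: hypothetical jar names; one tampered, one removed, one added."""
    names = ("skcl.jar", "sksml.jar", "sks-server.jar")
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "lib")
        lib.mkdir()
        for name in names:
            (lib / name).write_bytes(b"constructed contents of " + name.encode())
        baseline = {f"lib/{n}": file_digest(lib / n) for n in names}
        (lib / "skcl.jar").write_bytes(b"tampered")          # content changed
        (lib / "sksml.jar").unlink()                         # file removed
        (lib / "extra.jar").write_bytes(b"not in baseline")  # file added
        return audit_directory(tmp, baseline)


if __name__ == "__main__":
    for kind, found in demo().items():
        print(f"{kind}: {found}")
```

An unexpected jar on the classpath matters as much as a modified one, which is why the report lists files that are not in the baseline as well as digest mismatches.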

21
OASIS EKMI-TC
  • Standardize on Symmetric Key Services Markup
    Language (SKSML)
  • Create Implementation and Operations Guidelines
  • Create Audit Guidelines
  • Create Interoperability Test-Suite

22
OASIS EKMI-TC Members
  • FundServ, PA Consulting, PrimeKey, Red Hat,
    Sterling Commerce, StrongAuth, US DoD, Visa
    International, Wave Systems
  • Booz Allen Hamilton, EMC (RSA), Entrust, Mitre
    Corporation, Oracle, Sigaba, Symantec
  • Individuals representing Audit and Security
    backgrounds

23
ISACA and OASIS
  • Many ISACA members from San Francisco are EKMI-TC
    (AGSC) members
  • Full-day workshop scheduled for October-November
    2007
      • Setting up an SKMS
      • Operating an SKMS
      • Auditing an SKMS
      • Attacking an SKMS

24
Conclusion
  • 'Securing the Core' should have been Plan A from
    the beginning ... but it's not too late to
    remediate.
  • OASIS EKMI-TC is driving new key-management
    standards that cut across platforms,
    applications and industries.
  • Auditing EKMIs requires new levels of knowledge
    and understanding.
  • Get involved!

25
Thank you!