Enterprise Key Management Infrastructure: Understanding them before auditing them

1
Enterprise Key Management Infrastructure
Understanding them before auditing them
  • Arshad Noor, arshad.noor_at_strongauth.com
  • CTO, StrongAuth, Inc.
  • Chair, OASIS EKMI TC

2
Agenda
  • What is an EKMI?
  • Components of an EKMI
  • Auditing an EKMI
  • ISACA members at OASIS EKMI
  • Summary
  • Demonstration?

3
Business Challenges
  • Regulatory compliance
    • PCI-DSS, FISMA, HIPAA, SB-1386, PCSA, EU Directive, PIPEDA, etc.
  • Avoiding fines - ChoicePoint 15M, Nationwide
    Building Society (UK) 2M
  • Avoiding lawsuits
    • TJX (multiple), Bank of America
  • Avoiding negative publicity to the brand
    • TJ Maxx, Ralph Lauren, Citibank, Wells Fargo,
      IBM, UCLA, UCB, Fidelity, etc.

4
The Encryption Problem
....and so on

5
Key-management silos

6
What is an EKMI?
  • An Enterprise Key Management Infrastructure
    is a collection of technology, policies and
    procedures for managing all cryptographic keys in
    the enterprise.

7
EKMI Characteristics
  • A single place to define EKM policy
  • A single place to manage all keys
  • Standard protocols for EKM services
  • Platform and Application-independent
  • Scalable to service millions of clients
  • Available even when network fails
  • Extremely secure

8
EKM Harmony

9
The Encryption Solution

10
EKMI Components
  • Public Key Infrastructure
    • For digital certificate management for strong
      authentication, secure storage and transport of
      symmetric encryption keys
  • Symmetric Key Management System
    • SKS Server for symmetric key management
    • SKCL for client interaction with server
    • SKSML for SKCL-SKS communication
  • EKMI = PKI + SKMS

11
PKI
  • Well known, but not well understood
  • Reputation for being costly and complex
  • BUT.......
  • Used in every e-commerce solution
  • Used by DOD of most democratic nations
  • Citizen cards, e-Passports
  • Corporate Access Cards
  • US Personal Identity Verification (PIV)
  • IETF PKIX standards

12
SKMS - SKS Server
  • Symmetric Key Services Server
  • Contains all symmetric encryption keys
  • Generates, escrows and retrieves keys
  • ACLs authorizing access to encryption keys
  • Central policy for symmetric keys
    • Key-size, key-type, key-lifetime, etc.
  • Accepts SKSML protocol requests
  • Functions like a DNS-server

13
SKMS - SKCL
  • Symmetric Key Client Library
  • Communicates with SKS Server
  • Requests (new or old) symmetric keys
  • Caches keys locally (KeyCachePolicy)
  • Encrypts and decrypts data (KeyUsePolicy)
  • Currently supports 3DES, AES-128, AES-192
    and AES-256
  • Makes SKSML requests
  • Functions like DNS-client library

14
SKMS - SKSML
  • Symmetric Key Services Markup Language
  • Request new symmetric key(s) from SKS server,
    when
    • Encrypting new information, or
    • Rotating symmetric keys
  • Request existing symmetric key(s) from SKS server
    for decrypting previously encrypted ciphertext
  • Request key-cache-policy information for client

15
The Big Picture

16
Security in an SKMS
  • Symmetric keys are encrypted with SKS server's
    RSA public-key for secure storage
  • Client requests are digitally signed (RSA)
  • Server responses are digitally signed (RSA) and
    encrypted (RSA)
  • All database records, including history logs, are
    digitally signed (RSA) when stored and verified
    when accessed, for message integrity

17
Common KM problems
  • Using proprietary encryption algorithm
  • Hiding encryption key on the machine
  • Embedding encryption key in software
  • Encrypting symmetric key with another
  • Using a single key across the enterprise
  • Backing up key with data on the same tape
  • Using weak passwords for Password-Based-Encryption
    (PBE)
  • No key-rotation or key-compromise plan

18
Auditing an EKMI
  • Key-management policy
  • Prerequisite controls
    • Physical access control to EKMI machines
    • Logical network access control to EKMI
  • Standard security controls
    • Firewall
    • Minimal attack-surface (minimal services)
    • Security patches
    • Security logging

19
Auditing an SKMS Client - 1
  • Is a hardware token being used?
  • How is the token provisioned?
  • How is the token revoked/replaced?
  • How many people are required to log into the
    token to activate it?
  • How many people have access to token?
  • How often is the token PIN changed?
  • Is the token backed up and how is it protected?

20
Auditing an SKMS Client - 2
  • How much data is encrypted with 1 key?
  • How often are keys rotated?
  • Are keys cached locally?
  • How are cached keys protected?
  • SHA-1 hash of client library?

21
Auditing an SKMS Server - 1
  • Is a hardware token being used?
  • How is the token provisioned?
  • How is the token revoked/replaced?
  • How many people are required to log into the
    token to activate it?
  • How many people have access to token?
  • How often is the token PIN changed?
  • Is the token backed up and how is it protected?

22
Auditing an SKMS Server - 2
  • How are keys protected on the server?
  • How are audit logs protected from tampering?
  • SHA-1 hashes of server jar files?
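
An added example, not part of the original slides or of any EKMI implementation: one way an auditor can answer the SHA-1 questions on the client and server audit slides is to compare the installed jar files against a baseline manifest. The jar names, the `lib` directory and the function names are hypothetical and the sample files are constructed; the hash algorithm is a parameter that defaults to SHA-1 as on the slides.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha1", chunk_size=65536):
    """Hash a file in chunks so large jars are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory, pattern="*.jar", algorithm="sha1"):
    """Map relative path -> digest for every matching file under directory."""
    root = Path(directory)
    return {
        p.relative_to(root).as_posix(): file_digest(p, algorithm)
        for p in sorted(root.rglob(pattern)) if p.is_file()
    }


def compare_to_baseline(baseline, directory, pattern="*.jar", algorithm="sha1"):
    """Report files that are modified, missing or unexpected versus the baseline."""
    current = build_manifest(directory, pattern, algorithm)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "unexpected": sorted(n for n in current if n not in baseline),
    }


def demo():
    """Constructed sample: three stand-in jars, then one changed, one removed, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        for name in ("sks-server.jar", "sks-crypto.jar", "sks-db.jar"):  # hypothetical names
            (lib / name).write_bytes(b"release build of " + name.encode())
        baseline = build_manifest(lib)  # in practice recorded at installation time
        (lib / "sks-crypto.jar").write_bytes(b"altered contents")
        (lib / "sks-db.jar").unlink()
        (lib / "extra.jar").write_bytes(b"not in the release")
        return compare_to_baseline(baseline, lib)


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the baseline, so the manifest should come from the release or installation record and be kept off the machine under audit.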

23
OASIS IDTrust Member Section
  • Identity and Trusted infrastructure components
  • Identity and Trust Policies and Enforcement,
    Education and Outreach
  • Identify barriers and emerging issues
  • Current Technical Committees
    • Enterprise Key Management Infrastructure TC
    • Public Key Infrastructure Adoption TC

24
OASIS EKMI TC
  • Four (4) objectives / Sub-Committees
    • Standardize on Symmetric Key Services Markup
      Language (SKSML)
    • Create Implementation and Operations Guidelines
    • Create Audit Guidelines
    • Create Interoperability Test-Suite

25
The Burton Group on EKMI
  • "The life cycle of encryption keys is incredibly
    important. As enterprises deploy ever-increasing
    numbers of encryption solutions, they often find
    themselves managing silos with inconsistent
    policies, availability, and strength of
    protection. Enterprises need to maintain keys in
    a consistent way across various applications and
    business units," said Trent Henry, senior
    analyst, Burton Group. "EKMI will be an important
    step in addressing this problem in an open,
    cross-vendor manner."

26
Current EKMI TC Members
  • FundServ (Canada)
  • NuParadigm Government Systems, Inc.
  • PA Consulting (UK)
  • PrimeKey (Sweden)
  • Red Hat (USA)
  • StrongAuth (USA)
  • US Department of Defense (USA)
  • Visa International (USA)
  • Wave Systems (USA)
  • Wells Fargo (USA)
  • Many security/audit focused individuals

27
Current EKMI TC Observers
  • 3 Global Security Companies (Canada, US)
  • Global Database Company (US)
  • 2 Large Consulting Companies (US)
  • Government Agency (New Zealand)

28
ISACA and OASIS
  • Many ISACA members from San Francisco are EKMI TC
    (AGSC) members
  • Planning underway for a full-day workshop in
    October-November 2007 in SFO
    • Setting up an SKMS
    • Operating an SKMS
    • Auditing an SKMS
    • Attacking an SKMS
  • Potential for many ISACA workshops

29
Conclusion
  • Securing the Core should have been Plan-A from
    the beginning, but it's not too late to remediate
  • OASIS EKMI TC is driving new standards in
    key-management that cut across platforms,
    applications and industries
  • Auditing EKMI requires new levels of knowledge
    and understanding
  • Get involved!

30
EKMI Around the World
  • ISSA
    • Chennai (Madras) India, August 3, 2007
    • mp.badrinath_at_in.ey.com
  • ISSE/SECURE 2007
    • Warsaw, Poland, September 25-27, 2007
    • www.isse.eu.com

31
EKMI Resources
  • www.oasis-open.org
    • Policy template, Use Cases, SKSML Schema,
      Presentations, White Papers, Implementation
      Guidelines, etc.
  • www.strongkey.org - Open Source SKMS
  • www.issa.org - SKMS article in February 2007
    issue of ISSA Journal

32
Thank you!