This article considers the use of key management and encryption as “embedded”, “stand-alone”, or “add-on” features as they exist for various devices and applications.
How much hardware and/or software is needed for Key Management?
When looking for a possible key management solution for data protection, one should consider the various packaging types that are available with some combination of hardware and/or software. Then the actual functions contained in each solution should be considered, as well as operating costs. Whether the data is in storage, in transit, or in use, the key management system may well be the single most important component of a data security solution.
The need for long term data protection
When looking through the following key management types, one should keep in mind that a solution may be needed that can securely protect stored data for a long period of time, where any keys used will have to be maintained for many years. If possible, the keys should be stored in a separate location from the data, and secured during their lifetime so that they aren’t tampered with or compromised (resulting in a data breach). This can provide the assurance that when keys are looked up to encrypt data, they will be available whenever and wherever authorized access to data is required.
Key Management in the Application
In this method, a software application that runs on an operating system has key management and encryption functions built into it. One advantage of embedded application key management is that application administrators can also administer key management. Another benefit is that any products developed using this method won't have to integrate with a third-party key manager, making it far easier to release a product.
When considering embedded key management within an application, the disadvantages and other limitations should also be considered:
Key Management in the Device
This is probably the most attractive method because the key management and encryption are already packaged within the device when purchased, so there is very little extra work involved in obtaining the required data protection. Because of its self-contained nature, it works very well in environments that back up and restore encrypted data using the same device. Although the key generation and key management functions within the device are usually limited in their capability (many of these functions are external), the encryption (and often compression) is performed within the device itself. Because of the limited functionality, these devices are able to back up self-generated keys, but cannot share them easily.

Many devices of this type receive their encryption keys in cleartext, or wrap those keys with weaker keys when storing them in the device. This greatly reduces overall key strength. It may be possible to protect the device with extra hardware security, and some devices (but not many) include physical protection mechanisms such as an intrusion detector.

Because key management is not centralized in many of these devices, key usage must be administered manually to ensure all endpoints have access to the encryption keys of all other endpoints. If there are hundreds of active keys in operation, the repetitive nature of this task can be time consuming. Many organizations using these types of devices can increase the mobility of their data by creating backups at one location and restoring them at a remote disaster recovery site.
Stand-alone Key Management Software
A simpler solution from the vendor's point of view is to package the entire key management and encryption solution in a software application. As a stand-alone system it can perform all the main functions for a key during its life cycle (generating, storing, replacing, deleting, etc.), and also provide adequate protection against threats. This method has many of the same problems as the embedded application key management solution. The main drawback would again be lack of physical security, since there are no fixed hardware locations designed for key storage. Finding a way to securely store data can be a problem.
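The two points above, that stored keys should be wrapped under a stronger key rather than held in cleartext (the device section) and that a stand-alone key manager covers the whole life cycle of generating, storing, replacing and deleting keys (this section), can be shown in one small key store. The following is an added example written for this article; it is not code from any product or vendor the article describes. It assumes a key-encrypting key (KEK) that would normally live in an HSM or separate key manager (here a constructed constant, `DEMO_KEK`), and because the Python standard library has no AES, it stands in for AES key wrap with an HMAC-SHA256 keystream plus an HMAC integrity tag. Data keys are stored only in wrapped form, so a copy of the store without the KEK yields nothing, and any tampering with a stored record is caught on unwrap.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict

# CONSTRUCTED key-encrypting key (KEK) for the demo. In a real deployment the KEK lives
# in an HSM or a separate key manager, so the store below never holds a data key in clear.
DEMO_KEK = hashlib.sha256(b"constructed demo KEK - not a real secret").digest()


def _derive(kek: bytes, label: bytes) -> bytes:
    """Domain-separated subkey: one for the keystream, one for the integrity tag."""
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, key_id: str, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES key wrap)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + key_id.encode() + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, key_id: str, dek: bytes) -> dict:
    """Wrap a data key under the KEK; the tag binds nonce, key id and ciphertext together."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_derive(kek, b"wrap-enc"), nonce, key_id, len(dek))
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(_derive(kek, b"wrap-mac"), nonce + key_id.encode() + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unwrap_key(kek: bytes, key_id: str, blob: dict) -> bytes:
    """Verify the tag first; a modified or mislabelled record never yields a key."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(_derive(kek, b"wrap-mac"), nonce + key_id.encode() + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError(f"wrapped key {key_id} failed integrity check")
    stream = _keystream(_derive(kek, b"wrap-enc"), nonce, key_id, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class KeyStore:
    """Stand-alone key manager: holds only wrapped keys plus life-cycle metadata."""

    def __init__(self, kek: bytes):
        self._kek = kek
        self._records: Dict[str, dict] = {}
        self._active: Dict[str, str] = {}  # purpose -> id of the key used for new encryptions

    def generate(self, purpose: str) -> str:
        """Create a new active key for a purpose, retiring the previous one (decrypt-only)."""
        version = sum(1 for r in self._records.values() if r["purpose"] == purpose) + 1
        key_id = f"{purpose}-v{version}"
        dek = secrets.token_bytes(32)
        self._records[key_id] = {
            "purpose": purpose,
            "state": "active",
            "created": time.time(),
            "wrapped": wrap_key(self._kek, key_id, dek),
        }
        previous = self._active.get(purpose)
        if previous is not None:
            self._records[previous]["state"] = "retired"
        self._active[purpose] = key_id
        return key_id

    rotate = generate  # replacing a key is just generating the next version

    def active_key_id(self, purpose: str) -> str:
        return self._active[purpose]

    def state(self, key_id: str) -> str:
        return self._records[key_id]["state"]

    def record(self, key_id: str) -> dict:
        """Stored form of a key: wrapped bytes and metadata, never the cleartext key."""
        return self._records[key_id]

    def get_key(self, key_id: str, for_encryption: bool = False) -> bytes:
        """Unwrap a key; retired keys may only decrypt, destroyed keys are gone for good."""
        rec = self._records.get(key_id)
        if rec is None or rec["state"] == "destroyed":
            raise KeyError(f"key {key_id} is not available")
        if for_encryption and rec["state"] != "active":
            raise PermissionError(f"key {key_id} is {rec['state']}; encrypt with the active key")
        return unwrap_key(self._kek, key_id, rec["wrapped"])

    def destroy(self, key_id: str) -> None:
        """End of life: drop the wrapped material so the key cannot be recovered."""
        rec = self._records[key_id]
        rec["wrapped"] = None
        rec["state"] = "destroyed"
        if self._active.get(rec["purpose"]) == key_id:
            del self._active[rec["purpose"]]


if __name__ == "__main__":
    store = KeyStore(DEMO_KEK)
    v1 = store.generate("backup-tapes")
    v2 = store.rotate("backup-tapes")
    print(v1, store.state(v1), v2, store.state(v2))
```

The retired state is what makes long-term protection work in practice: after a rotation, data written years ago under `backup-tapes-v1` is still readable, while new backups go under the active version. Destroying a key is the only operation that removes wrapped material, and it is deliberately separate from rotation.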