Managing Cryptographic Keys

Keys Are Power

Key management is one of the most important and challenging aspects of using cryptography correctly. Whoever controls the keys controls the data. Deciding how keys are managed determines how power and control are distributed among participants. The challenges this involves grow with the size of the organization: larger organizations will likely have a myriad of users, data, groupings and subgroupings, projects, workflows, etc. Each of these aspects imposes new restrictions and requirements on how, when and by whom any given data should be accessible. All of this needs to be reflected in how the key material protecting the data is managed. Who has access to a particular set of keys and under which conditions? Where and how is key material stored? Who can create, refresh, distribute, revoke and delete key material? These are the kinds of questions that any comprehensive security strategy will have to address under the umbrella of Key Management.

A Step in the Right Direction

Without a doubt, allowing users more fine-grained control of their keys — not to mention encouraging them to be more mindful (and hopefully systematic) about their key management policy — is a valuable contribution to the wider state of security and a step in the right direction for everyone involved.

The Path Left Untrodden: End-to-End Security

It’s hard to overstate the importance of least necessary privilege when designing security solutions. Moreover, the truth is that we could ask for a lot more privilege reduction than EKM seems to provide. Ideally, we should be shooting for end-to-end security and access control models. After all, only the user needs access to their own data. So what we want is a key management system where only the user has access to the keys (and thus the data).



