170 likes | 182 Views
Implementing a comprehensive key management strategy is crucial for data protection. Learn key generation, retention, revocation, and disaster recovery steps, encryption keys, certificates, and security guidelines.
E N D
Lab: Key Management A strategy is required to key generation, retention,revocation, and disaster recovery. Key Management
Instructions • Install KeyAdministration Group on a PC. This product uses, and will install, a copy of a Derby Database. • FYI: Apache Derby, an Apache DB subproject, is an open source relational database implemented entirely in Java and available under the Apache License, Version 2.0., http://db.apache.org/derby • Discuss security planning, key recipients, distribution, etc. • Generate a pair of Certification Authority (CA) keys. • Generate a pair of member keys signed by the CA. • Expire a pair of keys. • Generate a pair of group keys signed by the CA. • Merge the pair of group keys into a set of member keys. • Discuss group keys and information sharing. Key Management
Encryption Keys • Asymmetric cryptography uses a pair of keys (public, private) to hide and reveal messages. • Public Key: Used to encrypt information that can only be decrypted by the owner of the private key. Also used to validate the digital signature of a received message. • Public keys are shared via certificates which allow users to exchange encrypted messages. • Private Key: Used to decrypt information received from a user who encrypted with the matching unique public key. Also used to sign a document for certifying the message originator. • Private Keys are the primary resource to be protected in any security plan for an organization that is using asymmetric cryptography. • Key users must be aware of security guidelines for key usage. Key Management
Certificates • A certificate is a file designed to hold user information and the public key used to encrypt files. • Can be distributed to users/associates who would want to send you encrypted messages. • Provides the public key used in other Cryptographic applications such as digital signatures, secure sockets, etc. Key Management
Security Design Before using the Key Administration application, a security design should be discussed, designed and created. In order to implement the design, an organization must define and clarify how they would use cryptography. A corporation may decide to protect their strategies, human resource information, executive communications, etc. Designating what information should be protected and the levels of access are critical to a good design. Key Management
Security Guidelines • Determine what employee types have legitimate use for encryption keys or have management request them as required. • Establish security procedures for resetting passwords, revoking keys, decrypting emergency data. • Ensure the process is auditable by requiring signed and validated requests for keys, logging of changes, etc. • Establish controls to limit access to keys by non-authorized employees. • Create network shares and drives to ease public key and certificate sharing. Key Management
Alias & Password Standards • Establish standards for assigning unique aliases and passwords. • Copies of private keys are only useful if there is a default recoverable password assigned to the keystore by the security team and maintained for emergency use. (Password resets, emergency decryptions, etc.) • Some examples of aliases are the following: • First Name Initial and Last Name. If the length is less than 7, append a number padded with zeros. • Match the file server unique identifier. • First Name and Last Name. The length can end up being very long. Key Management
Off-site Storage • The security administrator uses the Key Administration tool to generate keystores and certificates for designated employees. These files should be written to a secure server and backed up. Ideally they would be sent to secure off-site facility but economics will dictate which direction should be taken. Document the procedures on retrieving a specific keystore or certificate, should the situation arise that dictates the emergency retrieval of the information. Key Management
Single-User Keys Generation • DocuArmor single-user application collects information to generate a pair of encryption keys. • A backup copy is also generated and should be stored in a secure location. Key Management
Critical DocuArmor Files After the encryption keys are generated you should store the backup copies in a safe location. Key Management
CA Keys Generation • After installing the KeyAdministration application you must generate a pair Certification Authority keys to act as a trusted keystore and sign each member’s pair of encryption keys. • Select the “Generate CA Store” option under the “CA Setup” menu. • The dialog to generate a Certificate Authority will appear. • Determine who will own the CA keys and gather their information. Key Management
CA Keys Generation • Enter the unique information for the owner of the CA. Ideally, it is the person who would distribute, revoke, and restore encryption keys to members. • Press the “Generate Store” button to build the CA encryption keys. • After successful generation, a unique 4 hex-digit string will be appended to the alias and file name. Key Management
Member Keys Generation • After the CA is generated you can generate individual encryption keys for members • Enter the unique information for each member. • Determine how long keys should be active and enter associated validity dates. • Press the “Generate Store” button to build the encryption keys. You’ll be prompted to enter the CA keys password. • After successful generation, a unique 4 hex-digit string will be appended to the alias and file name. Key Management
Group Keys Generation • First determine who will share the group keys and determine how long it should be active. Keep duration short as a default. • Select the “Group” radio button. • All aliases for group keys will be prefixed with the string “g_”. • Determine how long keys should be active and enter associated validity dates. • Press the “Generate Store” button to build the encryption keys. You’ll be prompted to enter the CA keys password. • After successful generation, a unique 4 hex-digit string will be appended to the alias and file name. Key Management
Merging Group Keys • Once you’ve generated member keys and you can merge the pair of group keys into each user’s keys. • Select the “Group Administration” option under the “Group” menu. • The dialog to merge group keys will appear. • All mergers are logged for auditing. Key Management
Merging Group Keys • Hit the “Add” button and a popup will occur of available members that can have the pair of group keys added to their keystore. • You’ll see results in a popup message. • The dialog to merge group keys will show the list of members added to the group. • You can delete a member from the group if you change your mind. Key Management
Lab: Summary • Cryptography is the science of hiding the meaning of a message. • Who receives keys is critical to security of shared information belonging to a family or organization. • Good security planning includes: archival of keys and certificates; designated encrypted information; rules and procedures for access; external auditing by a non-responsible party. • Group keys simplifies distribution of encrypted documents to a select few. • It is critical to remember don’t encrypt everything and not everyone needs a keystore. Over doing can be just as detrimental and costly as failing to secure critical data. www.LogicalAnswers.com Key Management