1 / 17

Lab: Key Management

Implementing a comprehensive key management strategy is crucial for data protection. Learn key generation, retention, revocation, and disaster recovery steps, encryption keys, certificates, and security guidelines.

bolin
Download Presentation

Lab: Key Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lab: Key Management A strategy is required to key generation, retention,revocation, and disaster recovery. Key Management

  2. Instructions • Install KeyAdministration Group on a PC. This product uses, and will install, a copy of a Derby Database. • FYI: Apache Derby, an Apache DB subproject, is an open source relational database implemented entirely in Java and available under the Apache License, Version 2.0., http://db.apache.org/derby • Discuss security planning, key recipients, distribution, etc. • Generate a pair of Certification Authority (CA) keys. • Generate a pair of member keys signed by the CA. • Expire a pair of keys. • Generate a pair of group keys signed by the CA. • Merge the pair of group keys into a set of member keys. • Discuss group keys and information sharing. Key Management

  3. Encryption Keys • Asymmetric cryptography uses a pair of keys (public, private) to hide and reveal messages. • Public Key: Used to encrypt information that can only be decrypted by the owner of the private key. Also used to validate the digital signature of a received message. • Public keys are shared via certificates which allow users to exchange encrypted messages. • Private Key: Used to decrypt information received from a user who encrypted with the matching unique public key. Also used to sign a document for certifying the message originator. • Private Keys are the primary resource to be protected in any security plan for an organization that is using asymmetric cryptography. • Key users must be aware of security guidelines for key usage. Key Management

  4. Certificates • A certificate is a file designed to hold user information and the public key used to encrypt files. • Can be distributed to users/associates who would want to send you encrypted messages. • Provides the public key used in other Cryptographic applications such as digital signatures, secure sockets, etc. Key Management

  5. Security Design Before using the Key Administration application, a security design should be discussed, designed and created. In order to implement the design, an organization must define and clarify how they would use cryptography. A corporation may decide to protect their strategies, human resource information, executive communications, etc. Designating what information should be protected and the levels of access are critical to a good design. Key Management

  6. Security Guidelines • Determine what employee types have legitimate use for encryption keys or have management request them as required. • Establish security procedures for resetting passwords, revoking keys, decrypting emergency data. • Ensure the process is auditable by requiring signed and validated requests for keys, logging of changes, etc. • Establish controls to limit access to keys by non-authorized employees. • Create network shares and drives to ease public key and certificate sharing. Key Management

  7. Alias & Password Standards • Establish standards for assigning unique aliases and passwords. • Copies of private keys are only useful if there is a default recoverable password assigned to the keystore by the security team and maintained for emergency use. (Password resets, emergency decryptions, etc.) • Some examples of aliases are the following: • First Name Initial and Last Name. If the length is less than 7, append a number padded with zeros. • Match the file server unique identifier. • First Name and Last Name. The length can end up being very long. Key Management

  8. Off-site Storage • The security administrator uses the Key Administration tool to generate keystores and certificates for designated employees. These files should be written to a secure server and backed up. Ideally they would be sent to secure off-site facility but economics will dictate which direction should be taken. Document the procedures on retrieving a specific keystore or certificate, should the situation arise that dictates the emergency retrieval of the information. Key Management

  9. Single-User Keys Generation • DocuArmor single-user application collects information to generate a pair of encryption keys. • A backup copy is also generated and should be stored in a secure location. Key Management

  10. Critical DocuArmor Files After the encryption keys are generated you should store the backup copies in a safe location. Key Management

  11. CA Keys Generation • After installing the KeyAdministration application you must generate a pair Certification Authority keys to act as a trusted keystore and sign each member’s pair of encryption keys. • Select the “Generate CA Store” option under the “CA Setup” menu. • The dialog to generate a Certificate Authority will appear. • Determine who will own the CA keys and gather their information. Key Management

  12. CA Keys Generation • Enter the unique information for the owner of the CA. Ideally, it is the person who would distribute, revoke, and restore encryption keys to members. • Press the “Generate Store” button to build the CA encryption keys. • After successful generation, a unique 4 hex-digit string will be appended to the alias and file name. Key Management

  13. Member Keys Generation • After the CA is generated you can generate individual encryption keys for members • Enter the unique information for each member. • Determine how long keys should be active and enter associated validity dates. • Press the “Generate Store” button to build the encryption keys. You’ll be prompted to enter the CA keys password. • After successful generation, a unique 4 hex-digit string will be appended to the alias and file name. Key Management

  14. Group Keys Generation • First determine who will share the group keys and determine how long it should be active. Keep duration short as a default. • Select the “Group” radio button. • All aliases for group keys will be prefixed with the string “g_”. • Determine how long keys should be active and enter associated validity dates. • Press the “Generate Store” button to build the encryption keys. You’ll be prompted to enter the CA keys password. • After successful generation, a unique 4 hex-digit string will be appended to the alias and file name. Key Management

  15. Merging Group Keys • Once you’ve generated member keys and you can merge the pair of group keys into each user’s keys. • Select the “Group Administration” option under the “Group” menu. • The dialog to merge group keys will appear. • All mergers are logged for auditing. Key Management

  16. Merging Group Keys • Hit the “Add” button and a popup will occur of available members that can have the pair of group keys added to their keystore. • You’ll see results in a popup message. • The dialog to merge group keys will show the list of members added to the group. • You can delete a member from the group if you change your mind. Key Management

  17. Lab: Summary • Cryptography is the science of hiding the meaning of a message. • Who receives keys is critical to security of shared information belonging to a family or organization. • Good security planning includes: archival of keys and certificates; designated encrypted information; rules and procedures for access; external auditing by a non-responsible party. • Group keys simplifies distribution of encrypted documents to a select few. • It is critical to remember don’t encrypt everything and not everyone needs a keystore. Over doing can be just as detrimental and costly as failing to secure critical data. www.LogicalAnswers.com Key Management

More Related