Network Security: Voluntary Key Management
Articles and Tips: tip
01 Nov 1998
The subject of electronic liability and the handling of private electronic information is receiving increased attention from corporate managers and executives. Clearly, people are concerned about corporate liability in an electronically-mediated environment such as the Internet. Issues of legal liability and personal and business accountability are impinging on the ability of companies to perform in a connected electronic commerce environment. Gaining a clear perspective on how business liability is established is key to working on networks connected to open environments.
While the subject of key management was previously relegated (almost solely) to the realms of government security and cryptography, it is now often considered equally essential in the electronic business model, especially when implementing security services for Web and Internet applications. The concern, no longer just key escrow, involves legal aspects which require a reliable (and provable) means of associating the actions of an individual with the processes of the computer.
Trust has always been the basis or prerequisite of any commercial or business transaction. The underlying need for trust in business processes, whether mechanical (pen and paper) or electronic (certificates and digital signatures), remains a prerequisite to electronic commercial activity. The binding of an individual's electronic identity to the actions taken by the computer on behalf of the individual is a matter which concerns cryptographic key management. Yet one very rarely hears about key management at all. Public Key Infrastructures (PKIs) receive more attention, but without good key management, PKIs would not have the security they are trying to promote.
What Is Voluntary Key Management?
Voluntary key management provides the ability to re-acquire a decryption key which was used by a system. Data archives, retained records, and other applications may at some point be encrypted to protect sensitive business information from disclosure through open Internet connections. Cryptographic keys are used for various purposes such as authentication (a special use), confidentiality, and integrity. The trick is to have various service features available to the customer at the key management level to re-acquire used keys. That implies feature sets that can be replaced modularly or modified by the customer, because not all customers have the same needs.
When companies implement Internet and electronic-commerce solutions, it is important to consider how the electronic business functions impact their legal responsibility and possible position in court. A business should understand how it uses and stores cryptographic keys, since that understanding is what gives it accountability. A supportive infrastructure (key management) integral to the system is imperative. Otherwise, there is no way to effectively evaluate whether the keys in a system are secure or not.
Key Management Issues
Today adequate technical solutions exist, so there is good reason for businesses to examine key management. Below are some of the important issues for discussion.
Misuse of Privilege. Beyond the mandatory needs imposed in key management, customers need to be aware of any misuse of administrative privilege. Administrators should not have an unrestricted ability to directly access or deny access to the business use of cryptographic keys. Key recovery architecture and mechanisms should at least constrain, if not prevent, the misuse of privilege.
Integrity of Keys. Damaged or unusable keys create problems where keys are stored electronically. For instance, if the magnetic media on a disk drive where keys are stored is damaged, the keys themselves could be damaged so that they could no longer be used to recover data that had been electronically encrypted.
Beyond the integrity issues surrounding damage, there is a latent key integrity issue arising from misuse of privilege, which includes tampering with usable keys. Imagine that all of the keys in the system were set to just one key-pair, easily compromised. How would end-users of the system know? What would be the company's liability for using these keys? These concerns confirm the need for key management.
Recoverability of Keys. Cryptographic keys need to be stored in such a way that they can be identified and verified, as well as recovered, even if their storage place is damaged. Customers demand that they be able to re-obtain their keys even in the event of misuse of privilege, where originals are destroyed.
However, a primary concern in the recovering of keys is for the ongoing security of a company's information. Any recovery procedure to re-obtain lost or damaged keys should not be readily employable by unauthorized individuals, the vendor, the contractor, or others without the company's authorized agent agreement.
Security of the Key Archive. How is the key archive used by key management secured? In commercial systems, key security is almost always implemented with cryptography in software. But what cryptography is employed, and how secure is it? In any form of voluntary key management, the cryptographic keys which the system uses, and the system itself, must be securable against loss or modification.
In addition, since the keys to be protected will be protected through use of another key, that key will also need some level of security. Thus, protecting the keys presents the customer with yet another choice in determining which hardware and software to employ.
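The four issues above (misuse of privilege, key integrity, recoverability, and an archive whose keys are themselves protected by another key) can be made concrete in code. The following Go program is an added example written for this page; it is not Novell code and does not describe how NICI or the NetWare key archive work internally. It keeps a key archive in which every working key is wrapped under a key-encryption key (KEK) with AES-GCM, binds each wrapped entry to its identifier and purpose so that a substituted or damaged entry fails to unwrap instead of silently yielding the wrong key, round-trips the archive through a backup, and splits the KEK into two custodian shares so that recovery needs two authorized people rather than one administrator. The type and function names, the archive layout and the sample key identifier are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// WrappedKey is one archive entry: a working key wrapped under the KEK; only wrapped bytes reach disk.
type WrappedKey struct {
	ID      string `json:"id"`
	Purpose string `json:"purpose"`
	Nonce   []byte `json:"nonce"`
	Wrapped []byte `json:"wrapped"` // AES-GCM ciphertext followed by its tag
}

// Archive is a constructed stand-in for a key archive, keyed by id; the KEK is held elsewhere.
type Archive map[string]WrappedKey

// OpenKEK turns the raw key-encryption key (16, 24 or 32 bytes) into the AEAD used for wrapping.
func OpenKEK(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a wrapped key to its id and purpose, so one entry's bytes copied over another fail to open.
func aad(id, purpose string) []byte { return []byte(id + "|" + purpose) }

// Store wraps key under the opened KEK and records it under id.
func (a Archive) Store(kek cipher.AEAD, id, purpose string, key []byte) error {
	nonce := make([]byte, kek.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	a[id] = WrappedKey{ID: id, Purpose: purpose, Nonce: nonce,
		Wrapped: kek.Seal(nil, nonce, key, aad(id, purpose))}
	return nil
}

// Recover unwraps one key; it fails under a wrong KEK, on corrupted bytes and on a substituted entry.
func (a Archive) Recover(kek cipher.AEAD, id string) ([]byte, error) {
	e, ok := a[id]
	if !ok {
		return nil, errors.New("unknown key id " + id)
	}
	key, err := kek.Open(nil, e.Nonce, e.Wrapped, aad(e.ID, e.Purpose))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed for %s: %w", id, err)
	}
	return key, nil
}

// Backup and Restore round-trip the archive as JSON; entries stay wrapped, so the backup can be kept off the server.
func (a Archive) Backup() ([]byte, error)       { return json.Marshal(a) }
func Restore(b []byte) (a Archive, err error) { err = json.Unmarshal(b, &a); return }

func xorBytes(x, y []byte) []byte {
	out := make([]byte, len(x))
	for i := range x {
		out[i] = x[i] ^ y[i]
	}
	return out
}

// SplitKEK gives two custodians XOR shares of the KEK, so no single administrator can recover keys alone.
func SplitKEK(kek []byte) (share1, share2 []byte, err error) {
	share1 = make([]byte, len(kek))
	if _, err = rand.Read(share1); err != nil {
		return nil, nil, err
	}
	return share1, xorBytes(kek, share1), nil
}

// CombineKEK reassembles the KEK from both shares.
func CombineKEK(share1, share2 []byte) ([]byte, error) {
	if len(share1) != len(share2) {
		return nil, errors.New("share length mismatch")
	}
	return xorBytes(share1, share2), nil
}

func main() {
	kek, dataKey := make([]byte, 32), make([]byte, 32)
	rand.Read(kek)
	rand.Read(dataKey)
	g, _ := OpenKEK(kek)
	a := Archive{}
	_ = a.Store(g, "records-1998", "archive-confidentiality", dataKey)
	got, err := a.Recover(g, "records-1998")
	fmt.Println("store/recover round trip:", err == nil && string(got) == string(dataKey))
}
```

An authenticated mode such as AES-GCM is used deliberately: it gives the archive both confidentiality and the integrity check that lets Recover refuse a damaged or swapped entry, which is exactly what an end-user of the system otherwise has no way to notice. The KEK and its two shares are the "yet another" key the text refers to; they need protection of their own (hardware, or procedure and separation of duties), and the example keeps them outside the archive so that a stolen backup alone recovers nothing.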
How Novell Meets These Needs
Novell's key management abilities are part of Novell's International Cryptographic Infrastructure (NICI). NICI provides for the correct and best usable cryptography allowed by law in a customer's region. To meet this requirement, it performs key management as an integral part of the key use policy as mandated by various import/export regimes legislating cryptography. NICI also provides a beginning level of voluntary key management, initially at the NetWare 5 server but extensible by developers and Novell partners, as well as various other servers and systems as customers' needs grow.
Misuse of Privilege. Novell's key management system is an operating system level infrastructure component which is not directly accessible by application-level programs. It works within a trusted computing boundary of the operating system. In Novell's case, this infrastructure works at the server to create, protect, and store cryptographic keys to prevent misuse of privilege. However, any operational policy which does not consider the server and its operation negates the benefit of providing an independently-evaluated server product. In all cases, the server must be securely protected.
Integrity of the Keys. In addition to an internal verification of both key origin and key quality, NICI cryptographically wraps NetWare keys so that only the operating system can use them at the time and for an allowable function. Thus, cryptographic keys which might move through the system are not subject to tampering. This prevents one type of misuse of privilege (including addition, removal, or modification of keys) by malicious software. In NetWare, the integrity of keys comes from the key management service in NICI, and this happens before any key is released for use.
Another point of interest is the key integrity provided by NICI to the PKI. While any PKI may have other levels of services to provide for the distribution and availability of cryptographic keys, the integrity of the keys should not be confused with the function of the PKI. In Novell's PKI Services (PKIS), key integrity is provided by cryptographically wrapping the newly formed keys created in NICI so that they cannot be accessed by application-level programs.
As with digital signatures, this process prevents the keys from being exposed or leaving the system in a raw form. Not having a supportable infrastructure would be especially compromising for private keys, as well as for public keys, which should be protected until they are bound as part of the public key certificate (which occurs as part of the NetWare 5 Certificate Authority function).
Recoverability of Keys. Novell provides customers with a method by which they can recover their own keys on a NetWare 5 server. In the future, as developers provide greater extensibility to the NICI model, Novell will be able to provide them with the ability to use various key recovery models on a worldwide basis.
Security of the Key Archive. Novell's key archive resides in a protected area on the NetWare 5 server. Appropriate measures should be taken to assure that the server is not physically exposed to attack. Current versions of the key archive allow for key archive backup and restore so that customers can restore their key archive if they should lose their server. Key archive also provides customers the ability to rebuild their key sets if they should lose their key archive backup.
Novell's PKIS offers a key-service for applications like LDAP to use with SSL. Novell's key archive is located within the operating system and is part of NICI (the key manager is not actually in the PKI).
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.