Abstract
Key management is the Achilles’ heel of cryptography. This work presents a novel Key-Lifecycle Management System (KLMS), which addresses two issues that have not been addressed comprehensively so far.
First, KLMS introduces a pattern-based method to simplify and to automate the deployment task for keys and certificates, i.e., the task of associating them with endpoints that use them. Currently, the best practice is often a manual process, which does not scale and suffers from human error. Our approach eliminates these problems and specifically takes into account the lifecycle of keys and certificates. The result is a centralized, scalable system, addressing the current demand for automation of key management.
Second, KLMS provides a novel form of strict access control to keys and realizes the first cryptographically sound and secure access-control policy for a key-management interface. Strict access control takes into account the cryptographic semantics of certain key-management operations (such as key wrapping and key derivation) to prevent attacks through the interface, which plagued earlier key-management interfaces with less sophisticated access control.
Moreover, KLMS addresses the needs of a variety of different applications and endpoints, and includes an interface to the Key Management Interoperability Protocol (KMIP) that is currently under standardization.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Akl, S.G., Taylor, P.D.: Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer Systems 1(3), 239–248 (1983)
Anderson, R., Bond, M., Clulow, J., Skorobogatov, S.: Cryptographic processors — a survey. Proceedings of the IEEE 94(2), 357–369 (2006)
Arnold, W., Eilam, T., Kalantar, M.H., Konstantinou, A.V., Totok, A.: Pattern based SOA deployment. In: Krämer, B.J., Lin, K.-J., Narasimhan, P. (eds.) ICSOC 2007. LNCS, vol. 4749, pp. 1–12. Springer, Heidelberg (2007)
Barker, E., Barker, W., Burr, W., Polk, W., Smid, M.: Recommendation for key management. NIST special publication 800-57, National Institute of Standards and Technology, NIST (2007)
BITS Security Working Group, Enterprise key management. Whitepaper, BITS Financial Services Roundtable (2008)
Björkqvist, M., Cachin, C., Haas, R., Hu, X.-Y., Kurmus, A., Pawlitzek, R., Vukolić, M.: Design and implementation of a key-lifecycle management system. In: Research Report RZ 3739, IBM Research (June 2009)
Bond, M.: Attacks on cryptoprocessor transaction sets. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 220–234. Springer, Heidelberg (2001)
Cachin, C., Chandran, N.: A secure cryptographic token interface. In: Proc. Computer Security Foundations Symposium (CSF-22). IEEE, Los Alamitos (2009)
Clulow, J.: On the security of PKCS#11. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 411–425. Springer, Heidelberg (2003)
Cover pages: Cryptographic key management (2009), http://xml.coverpages.org/keyManagement.html
Delaune, S., Kremer, S., Steel, G.: Formal analysis of PKCS#11. In: Proc. Computer Security Foundations Symposium (CSF-21). IEEE, Los Alamitos (2008)
Dworkin, M.: Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. In: NIST special publication 800-38D, National Institute of Standards and Technology, NIST (2003)
Dyer, J.G., Lindemann, M., Perez, R., Sailer, R., van Doorn, L., Smith, S.W., Weingart, S.: Building the IBM 4758 secure coprocessor. IEEE Computer 34(10), 57–66 (2001)
Hamlets, http://hamlets.sourceforge.net
International Business Machines Corp., CCA Basic Services Reference and Guide for the IBM 4758 PCI and IBM 4764 PCI-X Cryptographic Coprocessors (2008)
OASIS Key Management Interoperability Protocol Technical Committee, Key Management Interoperability Protocol (2009)
RSA Laboratories, PKCS #11 v2.20: Cryptographic Token Interface Standard (2004), http://www.rsa.com/rsalabs/
Trusted Computing Group, “Trusted platform module specifications (2008), http://www.trustedcomputinggroup.org
Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). RFC 3610 (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Björkqvist, M. et al. (2010). Design and Implementation of a Key-Lifecycle Management System. In: Sion, R. (eds) Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6052. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14577-3_14
Download citation
DOI: https://doi.org/10.1007/978-3-642-14577-3_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14576-6
Online ISBN: 978-3-642-14577-3
eBook Packages: Computer ScienceComputer Science (R0)