This article explains the concept of meta-data in the context of cryptographic keys, explaining why it is used and the necessity to manage it well.
Cryptographic keys lie at the heart of cryptography. The protection offered by algorithms such as 3DES, AES and RSA depend on the security of these keys. Thus, the way such keys are generated, protected and managed is of fundamental importance.
However, keys are just large, random numbers and have no meaning in isolation. It’s like having a large bunch of door keys – if they are not labelled, you have no idea which door each key is for. Therefore, we use “meta-data” to label cryptographic keys and ensure that they are protected and managed correctly throughout their life-cycle. Even when a key is deleted, its meta-data remains as a permanent record of its existence.
There are many types of key meta-data, which can be broadly categorized as follows:
Identity & Revision
Each key is typically assigned a label to identify it. For example, when using a key management system, there may be an internal system reference as well as an assigned, human-friendly label. It may also be identified as part of a particular set of related keys.
In addition, there may be a revision number that is incremented when the key is rotated. (The process of “key rotation” is the periodic refresh of a key’s value to reduce and mitigate the risk of any compromise.) There may also be a Key Check Value (KCV) that acts like a fingerprint – this helps to identify a particular revision of the key (without seeing its secret value) and can be used to validate its integrity after being transported.
Type & Length
This will indicate the basic function of the key (e.g. system key, application key, key encryption key), which algorithm it is intended to be used for (e.g. 3DES, AES, RSA, etc.) and its size (i.e. length in bits or bytes).
Ownership & Usage
This indicates who “owns” the key, which can be used to protect it from unauthorized access or use. The allowed usage of each key can also be defined, e.g. which application(s) are permitted to use the key and for what operations (e.g. encryption, signing, etc.) as well as any imposed restrictions (e.g. how it may be exported or transported).
Status & Expiry
The status of a key is tracked throughout its life-cycle, e.g. when it is created, approved, activated, deployed, archived, etc. Each key also has a “crypto-period” that defines when it expires and should be rotated. The meta-data may also define whether workflow features like auto-renewal are allowed or not.
Custom Meta-Data
Custom meta-data may be associated with each key. This may be data that is required by the application using the key and is distributed with the key, such as PKCS#11 attributes, or it may just be notes or other necessary data that does not fit into any other standard field.
Audit Records
The history of a key should be recorded in an audit log to provide evidence for compliance audits and security investigations.
This should include every change to the key data or meta-data and every operation performed on the key, along with a timestamp and who authorized it.
Conclusions
Managing all this meta-data using a manual process is laborious, error-prone and subject to abuse from a malicious insider. It enables and, indeed, encourages short-cuts, which can lead to compromised keys and/or failed audits.
This is where a key management system adds tremendous value – as well as supporting the generation, management and secure distribution of keys, it can utilize the types of meta-data outlined above to enforce security policy, simplify compliance and increase efficiency.
Further Reading
- Selected articles on Centralized Key Management (2017-today) by Chris Allen, Robb Stubbs Peter Smirnoff, Rob Stubbs, Stefan Hansen and more
-
NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker
-
CKMS Product Sheet (2016), by Cryptomathic