Section 9: Key Management

Symmetric algorithms depend upon

shared secret keys

Out-of-Bound Key Exchange

use a different channel to properly share secret keys

Out-of-Bound Key Exchange Options

• Face to face meetings

• Physical Mail

• telephone call

In-band Key Exchange

securely exchange keys digitally

Diffie-Hellman Algorithm

provides symmetric key capability based upon the work of Ralph Merkle

p and g must be large values to achieve strong security in Diffie-Hellman

True

Encryption key Escrow

allows government access to keys

Recovery Agents

allow internal access to lost keys

Key Stretching

takes relatively insecure value, such as a password, and uses mathematical techniques to strengthen it, making it harder to crack

Salting

adds a value to the encryption key to make it more complex

Hashing

adds time to the verification process by requiring more math

Password-Based Key Derivation Function v2

uses salting and hashing to stretch a key (should be used at least 4000 times)

bcrypt

algorithm based upon the blowfish cipher; it uses blowfish hashing approach combined with salt to strengthen keys

Hardware Security Modules (HSMs)

manage encryption keys and perform cryptographic operations

FIPS 140-2 Security Levels

works/applies when using government data

Security Level 1

standard operating systems; no physical security

Security Level 2

EAL2 software and firmware; tamper-evident seals

Security Level 3

EAL3 software and firmware; tamper resistant controls

Security Level 4

EAL4 software and firmware; strict physical security