
CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [192]

during its entire life. You can think of this as a cradle-to-grave situation. By expressing these relationships in the terms of a life cycle, evaluating each phase of a key’s use from its creation to its destruction becomes easier. If any aspect of a key’s life isn’t handled properly, the entire security system may become nonfunctional or compromised.

Key management is one of the central aspects of an effective cryptographic system. Keys, as you may remember, are the unique passwords or passcodes used to encrypt or decrypt messages. You can think of a key as one of the primary components of a certificate; this is why the two terms are so often used together. Certificates are used to transport keys between systems.

The following sections compare and contrast centralized and decentralized key generation as well as key storage and distribution. The other aspects of key management are also covered.

Comparing Centralized and Decentralized Key Generation

Key generation (the creation of the key) is an important first step in the process of working with keys and certificates. Using certificates is one of the primary methods for delivering keys to end entities. Key length and the method used to create the key also affect the security of the system in use. The security of a key is measured by how difficult it is to break the key. The longer it takes to break the key, the more secure the key is considered to be.

According to RSA, it would take 3 million years and a $10 million budget to break a key with a key length of 1,024 bits. The amount of time it would take to break a 2,048-bit key is virtually incalculable. Of course, these numbers are based on the assumption that the algorithm is secure and no other methods of attack would work to break the algorithm or the key.

A common method used to generate keys relies on very large prime numbers. Computing such primes is a laborious process, so most systems use a sophisticated approximation method (a probabilistic primality test) rather than proving primality directly. If the calculation method is flawed, the numbers may not actually be prime and, consequently, the key built from them may be easier to determine.
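The flaw described above, as an added example that is not the book's own code: a Fermat-only check that wrongly accepts the composite 561, beside the Miller-Rabin test and candidate loop that key generators actually use, and a trial-division check showing why a modulus built on a false "prime" is easy to factor. All function names and the 40-round count are my own assumptions.

```python
import random

def fermat_probable_prime(n, bases=(2,)):
    # Weak check: Fermat's test with a fixed base. Carmichael numbers such as
    # 561 = 3 * 11 * 17 pass for every coprime base, so a composite is accepted.
    if n < 2:
        return False
    return all(pow(a, n - 1, n) == 1 for a in bases)

def miller_rabin(n, rounds=40):
    # Strong probable-prime test. Each round with a random base rejects a
    # composite with probability >= 3/4, so 40 rounds leave < 2**-80 error.
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2**r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True

def generate_prime(bits):
    # Typical key-generation loop: random odd candidate with the top bit set,
    # retried until the strong test accepts it.
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand):
            return cand

def smallest_factor(n, limit=100000):
    # Trial division up to `limit`: a modulus built from a "prime" that was
    # really composite usually falls to this immediately.
    for f in range(2, min(limit, int(n ** 0.5)) + 1):
        if n % f == 0:
            return f
    return None
```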

One main thing to consider is where to create the keys. Should they be generated on a central machine or in a decentralized environment? A third method used to generate keys is called the split generation system, which is a combination of a centralized and decentralized process.

Centralized Key Generation

Centralized key generation allows the key-generating process to take advantage of large-scale system resources. Key-generating algorithms tend to be extremely processor intensive, and with a centralized server the whole process can be handled by a single large system. However, problems arise when the key is distributed: how can it be transported to end users without compromising security?

Figure 7.23 shows a centralized generation process. In this example, all the physical resources are in a single location, under centralized management control.

Centralized generation has the advantage of allowing additional management functions to be centralized. A major disadvantage is that the key archival and storage process may be vulnerable to an attack against a single point instead of a network. Reliability, security, and archiving can be addressed if the proper systems, procedures, and policies are put into place and followed.

FIGURE 7.23 A centralized key-generating facility

Decentralized Key Generation

Decentralized key generation allows the key-generating process to be pushed out into the organization or environment. The advantage of this method is that it allows work to be decentralized and any risks to be spread. This system isn’t vulnerable to a single-point failure or attack. Decentralized generation addresses the distribution issue, but it creates a storage and management issue.

Figure 7.24 demonstrates a decentralized system. In this situation, the loss of any single key-generating system doesn’t disrupt the entire network. The RA in the figure refers to a registration authority, and the CA refers
