Demystifying the Lifecycle of a Cryptographic Key

Cryptographic keys play an important part in protecting data. But to do this properly, each key must progress through the various phases of its lifecycle. Here we will attempt to demystify the key management  lifecycle of cryptographic keys through its basic phases, beginning with its generation through to its removal from operation. 

In this article, we outline the typical phases of key management lifecycle to be aware of; however, please note that depending on the type of key management solution used, additional phases may be added, such as pre-activation, activation, or post-activation. Additionally, some of the phases noted below may not be used at all.

Phase One – Generation

The first phase in a cryptographic key’s lifecycle is its generation/creation. This can be accomplished in several ways. The key can be generated either by a key management system (KMS), hardware security module (HSM), or a trusted third party (TTP). A cryptographically secure true random number generator (TRNG) should be used for seeding. After the key is generated, it is then stored in a key storage database along with all its attributes that have been encrypted with a master key. Examples of accompanying attributes may include key name, date of activation, size, and instance. Activation of the key can occur when it is generated, or it can be set to activate automatically or manually at a later date.

To protect against data loss, it is recommended that a secure backup copy of keys be made so they can be retrieved if they are lost while in use, which could occur if a password is forgotten, or in case of an equipment failure. Such backup keys should be stored in a protected form on external media or by using a local or networked traditional backup solution. If the key being backed up is a symmetric key or an asymmetric private key, it must first be encrypted before storing.

Phase Two – Distribution and Loading

The installation of the new key into a secure cryptographic device, whether electronically or manually takes place during the deployment and loading phase. This is the most critical phase for keeping a key secure, hence it should only be done by authorized personnel when the key is being installed manually. Such distribution is common when distributing keys in the payments space. Therefore, key encryption keys (KEKs) are distributed and loaded in the key shares to protect the full key from viewing during the process. PCI DSS now mandates that along with encrypting the key material, the key usage must also be equally secured such as PIN block encryption/decryption.

Phase Three – Normal Use and Replacement

Once the key has been distributed, loaded and activated, the key management system should allow it to be retrieved by users and authorized systems for processes involving encryption or decryption or for verification or MAC generation. The KMS will also manage current and past instances of the encryption key.

The KMS is also responsible for automatically replacing the key according to its previously established schedule or when it is suspected that the key has been compromised, which is typically a manual process performed by an authorized administrator. When a key is replaced, the replacement key is activated and will typically re-encrypt all the stored data that was protected by the previous key. The timing for key expiration depends on the key’s strength and how long the key or its protected data will be valid.

Phase Four – Archival

Once a key is replaced, it is not entirely removed. Instead, it remains archived so that it can be retrieved if special circumstances warrant it, such as settling a repudiation dispute. Archiving keys involve long-term, offline storage of keys no longer being used. Typically, these keys still have data associated with them that may need to be stored in the long term in case they are needed in the future.

Archived keys must also be encrypted to keep them secure. Often this is done by encrypting a symmetric key with the public key of an asymmetric key pair. As a result, the key can only be decrypted by the entity possessing the corresponding private key. Depending on a key’s deployment scenario, archival is typically the final phase of its lifecycle with it never being deleted or destroyed.

Phase Five – End of Life

The last stop for keys with deployment scenarios that include being removed from operation is the end of life phase. This phase should only occur after a long archival phase and analysis that ensures that removing the key from the archives will not cause loss of data or loss of other keys.

There are three methods that are used to remove a key from operation:

1. Key destruction where the key is removed from a specific location, but the information may still remain and could be retrieved in the future if the key is feasibly reconstructed.
2. Key deletion where the key is removed along with any information that could be used to reconstruct; however, the key may continue to exist elsewhere, such as in an archive.
3. Key termination involves completely removing all instances and information regarding the key, which makes it impossible to reconstruct or regenerate the key unless by restoring it from a backup copy.

MYHSM Ensures Compliance

There is no room for error for secure key management lifecycle, especially for keys used in payment processing or other processes within the banking and financial services industry – an industry that has some of the most demanding industry compliance requirements. 

The MYHSM service, on behalf of its customers, manages the top-level keys including the MFK, ZMK’s and BDK’s in compliance with industry standards, throughout all phases of the key lifecycle. This is carried out by industry experts, in line with regulatory compliance, and with a high level of security. 

If you are interested in finding out more about the technical specifications of the MYHSM service, click here.  

Blog post by Dawn Turner