The ‘key’ to PIV-I, FICAM, FIPS 201 and trusted identities
08 September, 2010
category:
By Salvatore D’Agostino, IDmachines
Any security solution is only as good as the keys it uses. Keys and key management are crucial factors in the level of assurance and trust that a system can provide. Keys are both metal and digital, this discussion focuses primarily on digital keys.
Key management requires technology, policy and procedure. The key management component of physical access control is expanding and needs upgrading. At present physical access control systems typically manage a small number of user keys–company ID and common symmetric key.
In some cases users have defined specific keys and access rights for sectors on memory smart cards. In some of these cases there is a expiration date on the keys. Typically the access control vendor or system integrator holds the keys in escrow.
Key management in a PIV-I context introduces the use of digital certificates and their associated private and public keys–asymmetric keys/cryptographic vs. the solely symmetric, or single shared key.
There are also hybrids which use both, for example, creation of a session key, or a combination of asymmetric and symmetric authentication factors being used by a system. This does not replace the key management requirements described above but can add, change or eliminate aspects.
The best practices for management of cryptographic keys are well covered in the literature. This involves much more than the mathematics of cryptography.
References and guidance include National Information Assurance Acquisition Policy 2003 in addition to the special publications from the National Institute of Standards Key Management that include Draft Special Publication 800-130, A Framework for Designing Cryptographic Key Management Systems, Draft Special Publication 800-131, Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, Special Publication 800-56 Parts A & B and 800-57 Parts 1, 2, 3.
Best practice requires a focus on education for employees, contractors, vendors and integrators. Specific new curriculum, leveraging the above documents, should be developed and integrated into vendor and system documentation and training to address this.
All of these practices are relevant in a PIV-I or FICAM context and need to be a consideration of next generation logical and physical access control systems and their deployment. Key management requires roles and system of record data stores.
Organizations should look to see if they have these in place and consider:
- Establishing role of key custodian(s)
- Defining individual and enterprise key archives
- Performing enterprise key census
- Defining policy for key life-cycle management
- Ability to work with latest, and evolving, keys sizes and algorithms