
PGP CTO Blog

Here a Key, There a Key, but Where's the Key Manager?
09 May 2007

The hardest problem in cryptography is key management. Every security problem in cryptography reduces to a key management problem: 

  • How do you keep an unauthorized person from reading encrypted data?
    Key management
  • How do you enable a diverse range of applications and devices to use encryption?
    Key management
  • How do you allow an authorized person to read something? 
    Key management
  • How do you allow some extra entity (like a virus scanner) to have access to data?
    Key management

All information management systems eventually reduce to key management problems.

This tradeoff occurs because we design systems according to Kerckhoffs’s Principle. Kerckhoffs’s Principle is the idea that the only parts of a security system that are secret are the keys. For many years, Kerckhoffs’s Principle was a goal, but we didn’t know that it was an attainable goal. Over the last couple of decades, cryptographers have learned how to build systems that meet Kerckhoffs’s Principle and have proved their security, within certain parameters.

However, we’ve wanted more out of our information protection. Unfortunately, traditional cryptography has some limitations. The unstated problem with Kerckhoffs’s Principle is who has to know the keys. Let’s suppose that we do a cryptographic integrity check, one that lets us know the data hasn’t been modified. The problem we have is that if you can verify the integrity of the data with the integrity key, you can also modify the data and compute a new integrity check. Thus, in this system, all the parties who know the key have to trust each other. Any of them can deceive the whole group.

Similarly, any party that can decrypt some data can always use the same key to re-encrypt different data. This situation leaves us with an interesting key management problem.

Fortunately, public-key cryptography frees us from some of these limitations. Public-key cryptography lets us perform two useful tricks. First: An entity that knows both halves of a keypair can make an integrity check (a digital signature) that can be verified with the public half. So we can have an integrity check that relies on a smaller key management problem. Second: Anyone who knows a public part of a key can encrypt data that only the entity that holds the private part can decrypt.
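The contrast between the shared-key integrity check and the digital signature described above, as an added example that is not code from the original post or from any PGP product. It assumes HMAC-SHA256 for the shared-key check and, to stay within the Python standard library, a Lamport one-time signature as a stand-in for the signature algorithms a real system would use; all function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def mac_tag(key: bytes, data: bytes) -> bytes:
    # Shared-key integrity check: one key both creates and verifies the tag.
    return hmac.new(key, data, hashlib.sha256).digest()

def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, data), tag)

def _digest_bits(data: bytes) -> list:
    digest = hashlib.sha256(data).digest()
    return [(byte >> i) & 1 for byte in digest for i in range(8)]

def lamport_keygen():
    # Private half: 256 pairs of random secrets. Public half: their hashes.
    # One-time scheme (assumed stand-in): a keypair must sign only one message.
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in private]
    return private, public

def lamport_sign(private, data: bytes) -> list:
    # Reveal one secret per bit of the message digest.
    return [private[i][bit] for i, bit in enumerate(_digest_bits(data))]

def lamport_verify(public, data: bytes, signature) -> bool:
    bits = _digest_bits(data)
    return len(signature) == len(bits) and all(
        hmac.compare_digest(hashlib.sha256(s).digest(), public[i][bit])
        for i, (s, bit) in enumerate(zip(signature, bits)))

def demo() -> dict:
    original = b"quarterly report, revision 1"   # constructed sample data
    altered = b"quarterly report, revision 2"    # constructed sample data
    shared_key = secrets.token_bytes(32)         # known to every verifier
    tag = mac_tag(shared_key, original)
    private, public = lamport_keygen()           # verifiers receive `public` only
    signature = lamport_sign(private, original)
    return {
        "mac_original_ok": mac_verify(shared_key, original, tag),
        # Any holder of the shared key can compute a fresh, valid tag for altered data.
        "mac_retag_accepted": mac_verify(shared_key, altered, mac_tag(shared_key, altered)),
        "sig_original_ok": lamport_verify(public, original, signature),
        # The public half verifies, but gives no valid signature for altered data.
        "sig_on_altered_ok": lamport_verify(public, altered, signature),
    }

if __name__ == "__main__":
    print(demo())
```

With the shared key, every verifier is also a potential author of valid tags; with the keypair, only the holder of the private half is.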

This capability lets us reduce the key management problem. It lets us introduce the notion of “separation of roles”. Many entities can presume that data is correct because of a signature. This presumption requires them to believe only one party, not all the parties who could verify the data. Similarly, an entity can encrypt some data and be confident that only one party can decrypt it. So, for example, we can have entities that don’t have all the keys to the kingdom, so to speak—something that is impossible if you don’t use public-key cryptography. In short, public-key cryptography makes an unmanageable problem into a manageable problem. Traditional symmetric-key cryptography needs public keys to make it usable.

When we created PGP Universal™ Server, we made it first and foremost a key manager. However, we don’t typically talk about it as a key manager; we talk about it as the hub of a data protection system. We built it on standards, and it can therefore work with any other standard key system or application. It doesn’t matter if those are PGP® products, RIM® BlackBerry® products, traditional PKI systems, or anything else, so long as they also use a few simple standards.

Our own new PGP® NetShare creates an innovative role-separation system. Administrators can set up shared files for groups of people that they can back up, restore, and maintain—yet cannot use. Only the entities that are authorized to use the files can do so. Those entities can be people, but they can also be content management processes, malware scanners, or any application with an authorized key.

In previous articles, I’ve talked about the trends that are driving security: Cryptography is becoming easier and more prevalent. We’re using it more, and devices that do cryptography are becoming more common. Computers are now coming with crypto in them. Disks have crypto in them. More networking is guarded with crypto. All these trends increase our need for key management and key management systems. Fortunately, the basis of global-scale key management is already here and is built on open standards that ensure broad interoperability. However, key management is a means, not an end. The end is data protection. The applications that protect data are what we want, but they require the key management we’ve been building.

 
