This article introduces the Utimaco Enterprise Secure Key Management system (ESKM) and explains how the ESKM server can interoperate with cryptographic and storage devices from various vendors.
On October 16, 2018, a US branch of the German-based company Utimaco GmbH was cleared to acquire the Utimaco HSM product line, the Enterprise Security Manager (“ESKM”) product line, and related supporting assets, including applicable patents and other IP. Atalla was sold to Utimaco by Micro Focus International plc, an infrastructure software company.
Utimaco CEO, Malte Pollmann, described the acquisition as: “This is a significant milestone, and we look forward to bringing the Atalla team under the information security umbrella of Utimaco. After several changes of ownership, we are happy to offer Atalla a long-term home in our HSM and information security business.”
ESKM is an Enterprise Secure Key Management system. Its role is to store and maintain general purpose cryptographic keys in a secure and flexible way.
An Enterprise Key Management server is a centralized key management hardware-based system for unifying and automating an organization’s encryption key controls by creating, protecting, serving, and auditing access to encryption keys for secure, reliable administration. So in a nutshell, ESKM is all about key management.
Key management requires dealing with the generation, exchange, storage, use, crypto-shredding (destruction, usually via zeroization), and replacement of keys. It is difficult to maintain central controls: if users lose access to keys locally, then they lose access to the data.
Key management also needs to enforce a consistent policy: who manages keys, and with what authorization? Regulatory mandates also require audit evidence and demonstrable compliance for the protection of keys.
Indeed, it is challenging to coordinate and automate the controls that protect access to keys across encrypted data in storage while remaining transparent to operations.
Good key management solutions like Utimaco ESKM must be able to:
Data-at-rest refers to data that is stored in “static” destination systems such as enterprise assets, encrypted backups, or storage media. Data-at-rest often refers to data that does not travel “frequently” between endpoints in a network.
Conversely, data-in-motion relates to dynamic, transient data that is often transferred from one site to another in a network. This can be data in a secure chat, a VPN, etc.
A third “state of data” is usually referred to as data-in-use. However, we will not be discussing that type at this time.
Data-at-rest and data-in-motion are encrypted and processed very differently; therefore, the management of their encryption keys by the key management server is critical.
Usually, one can think of data-at-rest encryption as using a symmetric key and data-in-motion encryption as using asymmetric keys (PKI).
Data-at-rest will generally be encrypted by a DEK (Data Encryption Key), generated by the key management system and itself encrypted by a KEK (Key Encryption Key). The lifecycle of the DEK must also be monitored and controlled by the key manager.
Data-in-motion is generally encrypted by public keys and then decrypted by private keys. For instance, in a VPN, the data-at-rest is encrypted by AES. The AES key is considered data-in-motion: the sender encrypts it with the public key of the receiver, the recipient deciphers the AES key using its private key, and the data-at-rest is then deciphered using the AES key.
For such a case, the key management system must maintain and manage these two sets of keys (the DEK and the private/public key pair) securely so that they can be used in a single process, as here with a VPN.
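The DEK/KEK arrangement just described is envelope (hybrid) encryption. The following Go program is an added example written for this article; it is not Utimaco's code and not part of the original text. It assumes AES-256-GCM for the DEK, RSA-OAEP with SHA-256 for wrapping the DEK under the recipient's public key (the KEK role), and a constructed OAEP label and associated-data string; a real deployment would have the key manager issue and track the DEK rather than generating it in the client.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what gets stored or sent: the AES-GCM ciphertext of the data and
// the DEK wrapped under the KEK. Neither the plaintext nor the bare DEK appears.
type Envelope struct {
	Nonce, Ciphertext, WrappedDEK []byte
}

// oaepLabel binds the wrapped blob to its purpose; both sides must use the same
// value. The string is an assumption for this example.
var oaepLabel = []byte("DEK-wrap-v1")

// Seal protects data at rest with a fresh 256-bit DEK (AES-256-GCM) and wraps the
// DEK with the recipient's RSA public key (RSA-OAEP), which acts as the KEK.
func Seal(kek *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad), WrappedDEK: wrapped}, nil
}

// Open recovers the DEK with the private half of the KEK, then authenticates and
// decrypts the data. Any change to the ciphertext or AAD fails the GCM tag check.
func Open(kek *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip generates a KEK pair, seals plaintext, opens it again, and also checks
// that a tampered ciphertext is rejected. It returns the recovered plaintext and
// whether the tampering was detected.
func RoundTrip(plaintext []byte) (recovered []byte, tamperDetected bool, err error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	aad := []byte("backup-set:2024-01") // constructed associated data, e.g. the object name
	env, err := Seal(&kek.PublicKey, plaintext, aad)
	if err != nil {
		return nil, false, err
	}
	recovered, err = Open(kek, env, aad)
	if err != nil {
		return nil, false, err
	}
	tampered := &Envelope{Nonce: env.Nonce, WrappedDEK: env.WrappedDEK}
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // flip one bit of the stored data
	_, tErr := Open(kek, tampered, aad)
	return recovered, tErr != nil, nil
}

func main() {
	out, detected, err := RoundTrip([]byte("customer records"))
	fmt.Printf("recovered=%q tamperDetected=%v err=%v\n", out, detected, err)
}
```

The point to notice is the separation of duties between the two key sets: the DEK is short-lived and per object, the KEK pair is long-lived and is the object the key manager must protect, rotate and audit. Because the DEK is wrapped rather than stored, re-keying the KEK only means re-wrapping DEKs, not re-encrypting the data.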
Here we will review the main principle ruling a Key Management Server, such as the Utimaco ESKM.
A cryptoperiod is the time span during which a specific key is authorized for use. The span could range from 1 to 3 years (asymmetric cryptography) to 1 to 7 days (symmetric traffic keys). At the end of a cryptoperiod a key change occurs, which is a critical protocol in which the keys are updated.
Here we present the general computation of a cryptoperiod as the sum of the data encryption period (the initial time during which data is encrypted and loaded) and the usage period (the time during which the keys will be actively used in the system).
Other considerations can adjust that computation, including:
This refers to the fact that the more sensitive a key is, the shorter its cryptoperiod will be.
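To show how a key manager would enforce these rules, here is an added Go example (written for this article, not Utimaco's code). It models the cryptoperiod as the encryption period plus the usage period, permits encryption only during the former and decryption for the whole span, flags when the key change is due, and applies the sensitivity rule by shortening both periods. The record type and field names are assumptions, not ESKM attributes.

```go
package main

import (
	"fmt"
	"time"
)

// KeyRecord is the per-key bookkeeping a key manager needs to enforce a
// cryptoperiod. The field names are assumptions for this example.
type KeyRecord struct {
	ID               string
	Activated        time.Time
	EncryptionPeriod time.Duration // time during which the key may protect new data
	UsagePeriod      time.Duration // further time during which the key is still used (e.g. to decrypt)
}

// CryptoperiodEnd applies the rule given in the text: the cryptoperiod is the
// data encryption period plus the usage period, counted from activation.
func (k KeyRecord) CryptoperiodEnd() time.Time {
	return k.Activated.Add(k.EncryptionPeriod + k.UsagePeriod)
}

// MayEncrypt: new data may be protected only during the encryption period.
func (k KeyRecord) MayEncrypt(at time.Time) bool {
	return !at.Before(k.Activated) && at.Before(k.Activated.Add(k.EncryptionPeriod))
}

// MayDecrypt: data already protected under the key may be recovered until the
// cryptoperiod ends.
func (k KeyRecord) MayDecrypt(at time.Time) bool {
	return !at.Before(k.Activated) && at.Before(k.CryptoperiodEnd())
}

// KeyChangeDue reports whether the key change protocol must run, i.e. the
// cryptoperiod has ended and a replacement key has to take over.
func (k KeyRecord) KeyChangeDue(at time.Time) bool {
	return !at.Before(k.CryptoperiodEnd())
}

// ForSensitivity shortens both periods by an integer factor, following the rule
// that the more sensitive a key is, the shorter its cryptoperiod (factor 1 = unchanged).
func (k KeyRecord) ForSensitivity(factor int) KeyRecord {
	if factor < 1 {
		factor = 1
	}
	k.EncryptionPeriod /= time.Duration(factor)
	k.UsagePeriod /= time.Duration(factor)
	return k
}

// Successor returns the replacement record that takes over at the key change:
// same policy, activated exactly when the predecessor's cryptoperiod ends.
func (k KeyRecord) Successor(id string) KeyRecord {
	return KeyRecord{ID: id, Activated: k.CryptoperiodEnd(), EncryptionPeriod: k.EncryptionPeriod, UsagePeriod: k.UsagePeriod}
}

func main() {
	day := 24 * time.Hour
	// Constructed example: a symmetric traffic key with a one-week encryption period.
	k := KeyRecord{ID: "traffic-key-1", Activated: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), EncryptionPeriod: 7 * day, UsagePeriod: 7 * day}
	for _, d := range []time.Duration{1 * day, 10 * day, 14 * day} {
		at := k.Activated.Add(d)
		fmt.Printf("%s: encrypt=%v decrypt=%v keyChangeDue=%v\n", at.Format("2006-01-02"), k.MayEncrypt(at), k.MayDecrypt(at), k.KeyChangeDue(at))
	}
	fmt.Println("successor activates", k.Successor("traffic-key-2").Activated.Format("2006-01-02"))
}
```

Splitting "may encrypt" from "may decrypt" is what lets the key change be orderly: the successor key takes over encryption while the predecessor remains available to decrypt what it already protects, until its usage period runs out and it can be destroyed.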
The following is a typical Key Lifecycle as managed by an ESKM:
A good Key management system will usually provide ways to implement the following access control strategies:
Physical security is required to protect the key manager itself; this is naturally achieved with an HSM.
A FIPS 140-2 certified HSM should be used. For instance, this can be done by combining a Utimaco HSM with a Utimaco ESKM.
While HSMs can obviously store keys in very secure ways, they cannot manage and search among millions of keys in the same way as a Key Management server can. Protected memory is expensive and has limited storage capacity. Hence, the right combination is HSM+ESKM.
Keys should be physically separated by roles and nature. For example, DEKs and KEKs should not be stored in the same location. As a general rule, keys of different nature, encrypted data, and other components should be separated in partitioned zones.
The OASIS Key Management Interoperability Protocol (KMIP) is a very important concept that enables interoperability in key management. Utimaco ESKM implements KMIP.
The KMIP protocol allows all sorts of operations for exchanging keys with key managers from other vendors that also implement KMIP. Operations include:
Create keys, register keys, generate replacement keys (re-key), derive keys, recertify, search for keys, activate, back up, revoke, destroy, etc.
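To make the protocol concrete, here is an added Go example (written for this article; not Utimaco's code and not from the original text) of a minimal encoder and parser for KMIP's TTLV wire format, used to build the Create request a client sends so the key manager generates an AES key. The tag, type and enumeration numbers are taken from the KMIP 1.x specification tables as I recall them and should be verified against the OASIS spec before reuse; the helper names and the single-attribute payload are choices made for this example. The parser checks every length field against the buffer before slicing, which is the check any TTLV reader exposed to other vendors' devices needs.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// KMIP 1.x tag, type and enumeration values used below (from the OASIS KMIP
// specification tables as I recall them; verify against the spec before reuse).
const (
	TagRequestMessage, TagRequestHeader, TagRequestPayload                  = 0x420078, 0x420077, 0x420079
	TagProtocolVersion, TagProtocolVersionMajor, TagProtocolVersionMinor    = 0x420069, 0x42006A, 0x42006B
	TagBatchCount, TagBatchItem, TagOperation, TagObjectType                = 0x42000D, 0x42000F, 0x42005C, 0x420057
	TagTemplateAttribute, TagAttribute, TagAttributeName, TagAttributeValue = 0x420091, 0x420008, 0x42000A, 0x42000B
	TypeStructure, TypeInteger, TypeEnumeration, TypeTextString byte        = 0x01, 0x02, 0x05, 0x07
	OpCreate, ObjectSymmetricKey, AlgorithmAES uint32                       = 0x01, 0x02, 0x03 // Create; Symmetric Key; AES
)

// Item is one TTLV element: a Structure carries Children, any other type carries
// its unpadded value bytes in Raw.
type Item struct {
	Tag      uint32
	Type     byte
	Raw      []byte
	Children []Item
}

func pad8(n int) int { return (n + 7) &^ 7 }

// U32 encodes an Integer or Enumeration value (4 bytes, big-endian, padded on emit).
func U32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// Struct builds a Structure item from its children.
func Struct(tag uint32, children ...Item) Item {
	return Item{Tag: tag, Type: TypeStructure, Children: children}
}

// Encode emits Tag (3 bytes), Type (1), Length (4) and the value zero-padded to a
// multiple of 8 bytes; a structure's length is the total of its encoded children.
func Encode(it Item) []byte {
	raw := it.Raw
	if it.Type == TypeStructure {
		raw = nil
		for _, c := range it.Children {
			raw = append(raw, Encode(c)...)
		}
	}
	out := make([]byte, 8, 8+pad8(len(raw)))
	out[0], out[1], out[2], out[3] = byte(it.Tag>>16), byte(it.Tag>>8), byte(it.Tag), it.Type
	binary.BigEndian.PutUint32(out[4:], uint32(len(raw)))
	out = append(out, raw...)
	return append(out, make([]byte, pad8(len(raw))-len(raw))...)
}

// Decode parses one TTLV item from the front of buf and returns the bytes consumed.
// The length field is validated against the buffer before any slicing, so a
// truncated or oversized message from a misbehaving peer is rejected, not read past.
func Decode(buf []byte) (Item, int, error) {
	if len(buf) < 8 {
		return Item{}, 0, errors.New("ttlv: short header")
	}
	it := Item{Tag: uint32(buf[0])<<16 | uint32(buf[1])<<8 | uint32(buf[2]), Type: buf[3]}
	n := int(binary.BigEndian.Uint32(buf[4:8]))
	if n < 0 || n > len(buf)-8 || 8+pad8(n) > len(buf) {
		return Item{}, 0, errors.New("ttlv: length exceeds buffer")
	}
	if it.Type == TypeStructure {
		for off := 8; off < 8+n; {
			child, m, err := Decode(buf[off : 8+n])
			if err != nil {
				return Item{}, 0, err
			}
			it.Children, off = append(it.Children, child), off+m
		}
		return it, 8 + pad8(n), nil
	}
	if (it.Type == TypeInteger || it.Type == TypeEnumeration) && n != 4 {
		return Item{}, 0, fmt.Errorf("ttlv: bad length %d for type %#x", n, it.Type)
	}
	it.Raw = append([]byte(nil), buf[8:8+n]...) // copy so the item does not alias the input
	return it, 8 + pad8(n), nil
}

// CreateAESKeyRequest builds the KMIP 1.0 Create request a client sends so that
// the key manager generates an AES symmetric key on its behalf.
func CreateAESKeyRequest() Item {
	return Struct(TagRequestMessage,
		Struct(TagRequestHeader,
			Struct(TagProtocolVersion,
				Item{Tag: TagProtocolVersionMajor, Type: TypeInteger, Raw: U32(1)},
				Item{Tag: TagProtocolVersionMinor, Type: TypeInteger, Raw: U32(0)}),
			Item{Tag: TagBatchCount, Type: TypeInteger, Raw: U32(1)}),
		Struct(TagBatchItem,
			Item{Tag: TagOperation, Type: TypeEnumeration, Raw: U32(OpCreate)},
			Struct(TagRequestPayload,
				Item{Tag: TagObjectType, Type: TypeEnumeration, Raw: U32(ObjectSymmetricKey)},
				Struct(TagTemplateAttribute,
					Struct(TagAttribute,
						Item{Tag: TagAttributeName, Type: TypeTextString, Raw: []byte("Cryptographic Algorithm")},
						Item{Tag: TagAttributeValue, Type: TypeEnumeration, Raw: U32(AlgorithmAES)})))))
}

func main() {
	enc := Encode(CreateAESKeyRequest())
	fmt.Printf("%d bytes, first item header: % x\n", len(enc), enc[:8])
}
```

In practice a KMIP client sends this over TLS with mutual authentication and the server answers with a Response Message carrying the new key's Unique Identifier; a complete Create request also carries a Cryptographic Length attribute alongside the algorithm. The encoding above is what lets devices from different vendors agree on the message without sharing any code.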
Here we show how the Utimaco ESKM server can interact with different cryptographic and storage devices from different vendors through OASIS KMIP.
There are several other vendors that provide Key Management tools. For your general information, here is a list of the ones that are KMIP compliant and are able to interact with Utimaco ESKM:
An organization that uses cryptography should deploy key management systems to securely control the keys it uses instead of “leaving the keys on the dashboard.”
The Utimaco ESKM is a versatile, powerful, and secure Key Management System that allows such tasks to be fulfilled, and can securely interact with other KMIP devices.
NIST has published a complete guide of best practices and recommendations for using a key management system. Two parts of the guide that contain useful information relevant to the selection and deployment of a Key Management System, such as the Utimaco ESKM, are: