Design and implementation of a key-lifecycle management system

  • Authors:

  • Mathias Björkqvist;Christian Cachin;Robert Haas;Xiao-Yu Hu;Anil Kurmus;René Pawlitzek;Marko Vukolić

  • Affiliations:

  • IBM Research, Zurich;IBM Research, Zurich;IBM Research, Zurich;IBM Research, Zurich;IBM Research, Zurich;IBM Research, Zurich;IBM Research, Zurich

  • Venue:
  • FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
  • Year:
  • 2010

Quantified Score

Hi-index 0.00

Visualization

Abstract

Key management is the Achilles’ heel of cryptography. This work presents a novel Key-Lifecycle Management System (KLMS), which addresses two issues that have not been addressed comprehensively so far. First, KLMS introduces a pattern-based method to simplify and to automate the deployment task for keys and certificates, i.e., the task of associating them with endpoints that use them. Currently, the best practice is often a manual process, which does not scale and suffers from human error. Our approach eliminates these problems and specifically takes into account the lifecycle of keys and certificates. The result is a centralized, scalable system, addressing the current demand for automation of key management. Second, KLMS provides a novel form of strict access control to keys and realizes the first cryptographically sound and secure access-control policy for a key-management interface. Strict access control takes into account the cryptographic semantics of certain key-management operations (such as key wrapping and key derivation) to prevent attacks through the interface, which plagued earlier key-management interfaces with less sophisticated access control. Moreover, KLMS addresses the needs of a variety of different applications and endpoints, and includes an interface to the Key Management Interoperability Protocol (KMIP) that is currently under standardization.