Key Management

Overview
Key management is the practice of protecting cryptographic keys from unauthorized modification or disclosure. It consists of the infrastructure, software, storage and tools used to securely manage cryptographic keys through their entire lifecycle.

Guidelines
Key management tools and cryptographic keys should be carefully controlled and secured. Because encryption protects sensitive information, the key management systems, tools and cryptographic keys themselves are critical to secure. Key management procedures should be documented to include the following controls:
  • Secure storage (ensuring keys are secure through their entire lifecycle)
  • Owners/custodians - Secure handling (most sensitive data classification)
  • Retirement/destruction (keys have a limited life so must be disposed of to prevent unauthorized use)
  • Recovery (keys are properly recovered if lost)
  • Change (process to change keys if needed)
  • Generation (process to securely generate new keys)
  • Frequency (higher frequency of key use may mean higher likelihood of compromise)

Topic Category
Cryptography
 
News Articles
Drone maker DJI left its private SSL, firmware keys open to world+dog on GitHub FOR YEARS (www.theregister.co.uk, 11/17/2017)
Hackers Take Aim at SSH Keys in New Attacks (threatpost.com, 10/20/2017)
Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket (threatpost.com, 10/11/2017)
Google to Operate its Own Root CA (threatpost.com, 1/27/2017)
Microsoft Secure Boot key debacle causes security panic (www.zdnet.com, 8/10/2016)
Certificate Transparency for Untrusted CAs (security.googleblog.com, 3/21/2016)
Microsoft zaps dodgy Dell digital certificates (www.computerworld.com, 11/26/2015)
Dell ships laptops pre-vulnerable to Man-in-the-middle attacks (www.scmagazine.com, 11/24/2015)
Google to Symantec: Clean up your act or be branded unsafe (www.zdnet.com, 10/29/2015)
D-Link Accidentally Leaks Private Code-Signing Keys (threatpost.com, 9/18/2015)
Static Encryption Key Found in SAP HANA Database (threatpost.com, 6/19/2015)
Attackers Stole Certificate From Foxconn to Hack Kaspersky (www.wired.com, 6/15/2015)
Mozilla piles on China's SSL cert overlord: We don't trust you either (www.theregister.co.uk, 4/2/2015)
Microsoft scrambles to kill Live.fi man-in-the-middle diddle (www.theregister.co.uk, 3/17/2015)
FACEPALM! HP cert used to sign malware (www.theregister.co.uk, 10/12/2014)
Firefox 32.0 fixes holes, shakes out some old SSL certs, introduces certificate pinning (nakedsecurity.sophos.com, 9/3/2014)
Oracle issues a virtual strongbox for enterprise encryption keys (www.computerworld.com, 8/7/2014)
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu (www.theregister.co.uk, 7/29/2014)
Cisco Patches Hardcoded SSH Key Vulnerability in UCM (threatpost.com, 7/3/2014)
Heartbleed Bug Sends Bandwidth Costs Skyrocketing (www.wired.com, 4/17/2014)
Internet slowed by Heartbleed identity crisis (www.zdnet.com, 4/16/2014)
CloudFlare keys snatched using Heartbleed (www.zdnet.com, 4/12/2014)
Light Microsoft Patch Load Precedes MD5 Deprecation (threatpost.com, 2/6/2014)
Target: Encrypted PINs stolen but not encryption key (news.cnet.com, 12/27/2013)
French Government Spoofs Google Certificate (threatpost.com, 12/9/2013)
Google beefs up its SSL keys to 2048-bits (www.zdnet.com, 7/31/2013)
U.S. Emergency Alert System open to more 'zombie' hackers after accidental SSH key disclosure (www.zdnet.com, 7/9/2013)
Opera network cracked (www.theregister.co.uk, 6/27/2013)
Security certificate problem trips up Bing Web site (news.cnet.com, 4/19/2013)
Gaming Company Certificates Stolen and Used to Attack Activists, Others (www.wired.com, 4/11/2013)
AWS takes aim at security conscious enterprises with new appliance (www.computerworld.com, 3/27/2013)
Java zero-day malware 'was signed with certificates stolen from security vendor' (www.zdnet.com, 3/4/2013)
Microsoft Azure Cloud Storage Suffers Major Outage Over Expired SSL Certificate (threatpost.com, 2/22/2013)
Certificate Authorities to push for better certificate-revocation checking (www.computerworld.com, 2/14/2013)
Security Firm Bit9 Hacked, Used to Spread Malware (krebsonsecurity.com, 2/8/2013)
GitHub Search shuts down after users' private keys exposed (www.zdnet.com, 1/25/2013)
Browser vendors block 'active attacks' using fraudulent digital cert (www.zdnet.com, 1/3/2013)
FreeBSD shuts down servers after breach (www.infosecurity-magazine.com, 11/19/2012)
Hackers break into two FreeBSD Project servers using stolen SSH keys (www.computerworld.com, 11/19/2012)
Oops: E-Mail Marketer Left Walmart, US Bank and Others Open to Easy Spoofing (www.wired.com, 10/30/2012)
Adobe code signing infrastructure hacked by 'sophisticated threat actors' (www.zdnet.com, 9/27/2012)
'Flame' Malware Prompts Microsoft Patch (krebsonsecurity.com, 6/4/2012)
Mozilla gives CAs a chance to come clean about certificate policy violations (www.computerworld.com, 2/20/2012)
VeriSign Hit by Hackers in 2010 (www.wired.com, 2/2/2012)
F-Secure finds rare digitally signed malware (news.cnet.com, 11/14/2011)
Mozilla, Microsoft withdraw trust in Malaysian intermediate CA (www.computerworld.com, 11/4/2011)
KPN stops issuing SSL certificates after possible breach (www.computerworld.com, 11/2/2011)
(At least) 4 web authentication authorities breached since June (www.theregister.co.uk, 10/27/2011)
How secure is HTTPS today? How often is it attacked? (www.eff.org, 10/25/2011)
Dutch government to revoke #DigiNotar certificates on Wednesday (www.scmagazineuk.com, 9/26/2011)
Policies
Key Management Policy
Standards
NIST SP 800-56A r2 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography (NIST, 6/12/2013)
NIST Recommendation for Key Management - Part 1: General (Revision 4) (NIST, 1/28/2016)
NIST Recommendation for Key Management: Part 2: Best Practices for Key Management Organization (NIST, 8/1/2005)
NIST Recommendation for Key Management: Part 3 Application-Specific Key Management Guidance (NIST, 1/23/2015)
NIST SP 800-130 A Framework for Designing Cryptographic Key Management Systems (NIST, 8/16/2013)
NIST Recommendation for Cryptographic Key Generation (NIST, 11/16/2012)
NIST SP 800-152 A Profile for U.S. Federal Cryptographic Key Management Systems (NIST, 10/31/2015)