The root of nearly all security technologies today is basically some application of cryptography. That statement goes way beyond the classic use of encryption for protecting confidential data. Cryptography is intrinsic to anything involving authentication and trust – not just data protection and confidentiality.
In fact, the recent supply chain SUNBURST attack brought into sharp focus the risks when malicious code is inserted into downloads ostensibly protected and authenticated by code-signing certificates attesting to the integrity of the software files.
With cryptography, the key (no pun intended) to security is the secret key or the private key. With symmetric key encryption, there is just the one key used for encryption and decryption. Asymmetric encryption, the foundation of PKI, uses a pair of mathematically related keys where a message encrypted with one key can only be decrypted with the other. In PKI, one key is designated the public key and is published in a certificate. The other – private – key is closely guarded and used by the owner of the certificate.
In some cases, the secret key is not strictly speaking the actual encryption key but a more user-friendly secret from which a true encryption key is derived by some sort of hash algorithm.
Regardless of the type of encryption, there is always a secret key that must be protected from 2 things:
- Theft – the key is stolen and can be used by the attacker wherever they like
- Misuse – the key is fraudulently used by the attacker; in this case the key remains secret, but the security mechanism is still defeated.
These are very different risks and in this real training for free event we will differentiate these risks. We will also help you identify all the places where you are managing critical keys whether you realize it or not. Just to name a few:
- Your internal PKI certification authority
- Federated authentication servers
- Code signing
- Cloud resources like storage account keys
- Database encryption
- VM encryption
- Document and transaction signing
- SSL and TLS certificates for secure web browsing
- SSH certificates for secure machine access
- PII and credit card tokenization
Traditionally, the strategy for protecting keys has been to isolate them in special hardware such as a Hardware Storage Module, smart card, token or TPM chip.
These technologies have their place, but new methods utilizing secure multi-party computation (SMPC) are pushing hardware based key management technologies in the direction of legacy status. Gartner says, “current implementations of key management – where private keys are centrally maintained – almost negate the benefits of secure cryptographic access that they enable." This is where my guest Professor Yehuda Lindell, a PhD and cryptologist at our sponsor Unbound Security and Guy Pe’er, Vice President, R&D & Co-founder, will take over to show you how SMPC protects encryption keys by not storing the entire key in any single place and eliminates a single point of failure from both availability and security.
Please join us for this very technical security discussion.