For organizations managing asymmetric keys and certificates as well as symmetric keys, the fact that existing key storage and management solutions don’t provide a single solution to manage all keys from the same console is a significant challenge. Yet there are reasons that one product does not generally “do it all.”
The main reason that all keys aren’t managed in one system is history. Initially, most legacy key management systems were built for managing asymmetric crypto (e.g. RSA, ECC), because the most widely used encryption schemes were based on PKI, which is an asymmetric system. Commonly used applications for asymmetric keys include SSL, code signing, authentication, remote access, email encryption and more.
Much less common, on the other hand, are the pure encryption systems that use symmetric keys. Generally speaking, symmetric encryption is not very common and is used mostly by governments and militaries to encrypt communication lines. Because it is not widely used, key management products for symmetric encryption are also not common. PKI, however, is in standard use, and so are the key management products that support it.
When we think about HSMs (Hardware Security Modules) for backend key management and smart cards for managing keys on endpoints, we know their real strength is in managing asymmetric keys. This is what they were built to do. They don’t manage symmetric keys well, but until recently it didn’t really matter: managing asymmetric keys was enough.
Of course, this is no longer the case. Now we see more and more calls for a key management product that can also manage symmetric keys. In recent years, new algorithms have emerged for very efficient ways to use symmetric encryption. More organizations want to use these new algorithms for file system encryption, backup encryption and database encryption.
So what’s the problem? Why can’t asymmetric-based key management products also support symmetric keys?
Well, from a high level – the general thought has been that you use symmetric keys to solve one type of use case, and you use asymmetric keys to solve another. Since the two systems solve different problems, why not use different products to manage each?
The main differences for each are:
- Asymmetric = Low Volume: When you manage PKI keys, you usually have a modest number of keys. For example, when talking about SSL certificates, most organizations are really only managing a handful of websites or less, so they don’t need that many keys. Or on the endpoint side, if you are using a smart card to authenticate or sign emails, you don’t need more than 2 or 3 keys.
- Symmetric = High Volume: On the other hand, when using symmetric systems, you may have a different key per file, per backup, or per any other entity. This means a lot more keys, a few orders of magnitude more!
Full Service with Bells and Whistles
- Asymmetric = More than Storage: Asymmetric systems are very complex, resource-intensive, and for that reason many organizations want to offload part of the crypto to the key management product. Therefore, the most popular asymmetric key management platforms actually do a lot more than manage (revoke, renew and generate) the keys. They also do the actual crypto itself (encrypt/decrypt, digital signing and authentication). They also handle the security. In fact, part of the reason that the crypto takes place inside the key management system is for security. The asymmetric keys stored within an HSM are responsible for highly sensitive operations and must be secured at the highest level possible.
- Symmetric = Storage and Retrieval is Enough: With symmetric keys, it is usually enough to be able to securely store the keys, retrieve a key, and use it on your own. This is because with symmetric keys the operations are quite simple and are supported on many platforms. For example, Intel and ARM chipsets have built-in support for fast execution of AES. Additionally, security is less of a concern in a symmetric key management product because there are so many keys, each key being used to encrypt a single entity. If one gets compromised, the risk is smaller.
Today’s products that are used to handle PKI and asymmetric keys don’t have the capability to handle hundreds of thousands or millions of symmetric keys. They can’t scale.
And the ones that can handle the storage and retrieval of large amounts of symmetric keys don’t have the capabilities to execute complex crypto or manage the full lifecycle of PKI keys.
So what has changed? Why are organizations looking for a system that can handle both?
Now it’s widely understood and accepted that in most organizations, there will be keys of many types. And whether they are asymmetric or symmetric, in general most of the operations we need to do to manage the keys are the same. So why wouldn’t we want to manage these operations from within the same product?
- Policy definitions (such as who can use the keys, how they are backed up, etc.)
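The two service levels contrasted above (crypto performed inside the key manager for the asymmetric key, store-and-retrieve for the many per-entity symmetric keys) and the policy definition just listed can be shown in one small model. The following is an added example written for this page, not code from any product or from the original post: the `KeyManager` and `Policy` shapes, the principal names, AES-256-GCM as the wrapping cipher and RSA PKCS#1 v1.5 as the signature scheme are all assumptions made for the illustration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Policy records which principal may use which key (keyID -> principal -> allowed).
// This shape is an assumption made for the example, not any product's model.
type Policy map[string]map[string]bool

// KeyManager models the two service levels contrasted above: one RSA key whose
// private half never leaves the manager (crypto runs inside, as in an HSM), and
// many per-entity AES keys stored wrapped under a key-encryption key (KEK) and
// handed back to authorized callers, who run AES themselves.
type KeyManager struct {
	signer  *rsa.PrivateKey
	kek     cipher.AEAD
	wrapped map[string][]byte // keyID -> nonce || AES-GCM-wrapped key
	policy  Policy
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source: nothing sensible to continue with
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewKeyManager() (*KeyManager, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	kek, err := newGCM(mustRandom(32)) // the KEK is the one secret the manager itself guards
	if err != nil {
		return nil, err
	}
	return &KeyManager{signer: signer, kek: kek, wrapped: map[string][]byte{}, policy: Policy{}}, nil
}

// Sign runs the signature inside the manager; callers get a signature, never the key.
func (m *KeyManager) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, m.signer, crypto.SHA256, h[:])
}

// CreateSymmetricKey mints a fresh 256-bit AES key for one entity (a file, a
// backup, a table) and stores it wrapped. The key ID is bound as associated
// data so a wrapped blob cannot be silently re-labelled for another entity.
func (m *KeyManager) CreateSymmetricKey(keyID string, allowed ...string) {
	nonce := mustRandom(m.kek.NonceSize())
	m.wrapped[keyID] = append(nonce, m.kek.Seal(nil, nonce, mustRandom(32), []byte(keyID))...)
	m.policy[keyID] = map[string]bool{}
	for _, p := range allowed {
		m.policy[keyID][p] = true
	}
}

// RetrieveSymmetricKey enforces the policy (an unknown key ID is simply denied)
// and returns the unwrapped key to the caller.
func (m *KeyManager) RetrieveSymmetricKey(principal, keyID string) ([]byte, error) {
	if !m.policy[keyID][principal] {
		return nil, errors.New("policy: " + principal + " may not use " + keyID)
	}
	blob, ns := m.wrapped[keyID], m.kek.NonceSize()
	return m.kek.Open(nil, blob[:ns], blob[ns:], []byte(keyID))
}

// EncryptWithKey and DecryptWithKey are the client-side use of a retrieved key:
// a ciphertext is only recoverable with the one key it was made under.
func EncryptWithKey(key, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...), nil
}

func DecryptWithKey(key, ct []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	ns := g.NonceSize()
	return g.Open(nil, ct[:ns], ct[ns:], nil)
}
```

The point of the split is visible in the API: `Sign` returns a signature and nothing else, whereas `RetrieveSymmetricKey` hands the raw key out after a policy check, and every entity gets its own key, so losing one key exposes one ciphertext rather than all of them.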
Also, in the last few years a new standard called KMIP (the Key Management Interoperability Protocol) has emerged, which merges all aspects of asymmetric and symmetric key management into a single standard.
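KMIP messages are encoded as TTLV (Tag, Type, Length, Value) records, and the same wire format carries requests for symmetric and asymmetric objects alike, which is what lets one standard cover both. The encoder and decoder below are an added example written for this page, not code from the KMIP specification, from any KMIP server, or from the original post. The type and tag constants are the values published in the KMIP 1.x specification for the handful of items used here; the `Item` type, the helper names and the `key-42` identifier are assumptions made for the illustration, and the code is a teaching subset, not a complete KMIP client.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// TTLV item types and tag values from the KMIP 1.x specification (only the
// ones used here); OperationGet is the value of the Get operation enumeration.
const (
	TypeStructure   byte = 0x01
	TypeInteger     byte = 0x02
	TypeEnumeration byte = 0x05
	TypeTextString  byte = 0x07

	TagRequestMessage       = 0x420078
	TagRequestHeader        = 0x420077
	TagProtocolVersion      = 0x420069
	TagProtocolVersionMajor = 0x42006A
	TagProtocolVersionMinor = 0x42006B
	TagBatchCount           = 0x42000D
	TagBatchItem            = 0x42000F
	TagOperation            = 0x42005C
	TagRequestPayload       = 0x420079
	TagUniqueIdentifier     = 0x420094
	OperationGet            = 0x0A
)

// Item is one TTLV node: Children holds a structure's members, Value the raw bytes of any other type.
type Item struct {
	Tag      int
	Type     byte
	Value    []byte
	Children []Item
}

func u32Item(tag int, typ byte, v uint32) Item {
	return Item{Tag: tag, Type: typ, Value: binary.BigEndian.AppendUint32(nil, v)}
}

func TextItem(tag int, s string) Item   { return Item{Tag: tag, Type: TypeTextString, Value: []byte(s)} }
func Struct(tag int, kids ...Item) Item { return Item{Tag: tag, Type: TypeStructure, Children: kids} }

// Encode emits Tag (3 bytes) | Type (1) | Length (4, big-endian, unpadded) | Value zero-padded to 8.
func Encode(it Item) []byte {
	val := it.Value
	if it.Type == TypeStructure {
		val = nil
		for _, c := range it.Children {
			val = append(val, Encode(c)...)
		}
	}
	out := []byte{byte(it.Tag >> 16), byte(it.Tag >> 8), byte(it.Tag), it.Type}
	out = binary.BigEndian.AppendUint32(out, uint32(len(val)))
	out = append(out, val...)
	for len(out)%8 != 0 {
		out = append(out, 0)
	}
	return out
}

// Decode parses one item, checking every declared length against the buffer
// before trusting it, and returns the item together with the bytes consumed.
func Decode(b []byte) (Item, int, error) {
	if len(b) < 8 {
		return Item{}, 0, errors.New("ttlv: short header")
	}
	it := Item{Tag: int(b[0])<<16 | int(b[1])<<8 | int(b[2]), Type: b[3]}
	n := int(binary.BigEndian.Uint32(b[4:8]))
	padded := (n + 7) &^ 7
	if len(b) < 8+padded {
		return Item{}, 0, errors.New("ttlv: declared length exceeds buffer")
	}
	body := b[8 : 8+n]
	if it.Type != TypeStructure {
		it.Value = append([]byte(nil), body...)
		return it, 8 + padded, nil
	}
	for off := 0; off < len(body); {
		child, used, err := Decode(body[off:])
		if err != nil {
			return Item{}, 0, err
		}
		it.Children = append(it.Children, child)
		off += used
	}
	return it, 8 + padded, nil
}

// GetRequest builds a KMIP 1.0 Get request with one batch item for the given Unique Identifier.
func GetRequest(uid string) []byte {
	return Encode(Struct(TagRequestMessage,
		Struct(TagRequestHeader,
			Struct(TagProtocolVersion,
				u32Item(TagProtocolVersionMajor, TypeInteger, 1),
				u32Item(TagProtocolVersionMinor, TypeInteger, 0)),
			u32Item(TagBatchCount, TypeInteger, 1)),
		Struct(TagBatchItem,
			u32Item(TagOperation, TypeEnumeration, OperationGet),
			Struct(TagRequestPayload, TextItem(TagUniqueIdentifier, uid)))))
}
```

`Decode` verifies each declared length before slicing, so a truncated or malformed message is rejected with an error rather than read past the buffer; a server parsing client-supplied TTLV needs exactly that check.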
Enterprise Key Management in an ideal world
A comprehensive enterprise key management solution should be able to:
- manage asymmetric and symmetric keys (RSA, AES, ECC)
- scale to support hundreds, thousands or millions of keys
- do complex crypto
- allow you to retrieve keys
- include a KMIP server
- run on all standard hardware, whether virtual or physical platforms
- support cloud, on-premise and hybrid setups
Software-based solutions can come very close to this capability,