We hear more and more often that the existing solutions for storage and management of keys aren’t meeting organizations’ demand for one product that lets them manage asymmetric keys and certificates as well as symmetric keys from the same console.
The reason that that there isn’t really one product that does it all today is mostly because of historic reasons. Initially, most of the legacy key management systems were built for managing asymmetric crypto (i.e. RSA, ECC) because the most widely used encryption schemes were based on PKI – which is an asymmetric system. Commonly used applications for asymmetric keys include SSL, code signing, authentication, remote access, email encryption and more.
Much less common, on the other hand, are the pure encryption systems that use symmetric keys. Generally speaking, even now symmetric encryption isn’t very common and it used mostly by governments and militaries to encrypt communication lines. Since symmetric encryption isn’t very common, key management products for symmetric encryption aren’t common either. Since PKI is common, so are the key management products that support it.
When we think about HSMs (Hardware Security Module) for backend key management and smart cards for managing keys on endpoints, we know their real strength is in managing asymmetric keys. This is what they were built to do. They don’t manage symmetric keys well, but up until recently it didn’t really matter. Managing asymmetric keys was enough.
Of course, this is no longer the case. Now we see more and more calls for a key management product that can also manage symmetric keys. In the recent years, new algorithms have emerged for very efficient ways to use symmetric encryption, such as . More organizations want to use these new algorithms for file system encryption, backup encryption and database encryption.
So what’s the problem? Why can’t asymmetric-based key management products also support symmetric keys?
Well, from a high level – the general thought has been that you use symmetric keys to solve one type of use case, and you use asymmetric keys to solve another. Since the two systems solve different problems, why not use different products to manage each?
The main differences of each are:
- Asymmetric = Low Volume: When you manage PKI keys, you usually have a modest amount of keys. For example, when talking about SSL certificates most organizations are really only managing a handful of websites or less. So, they don’t really need that many keys. Or on the endpoint side, if you are using a smart card to authenticate or sign emails, you don’t need more than 2 or 3 keys.
- Symmetric = High Volume: On the other hand, when using symmetric systems, you may have different keys per file, per backup, per any entity. This means lot more keys — a few orders of magnitudes more!
Full Service with Bells and Whistles
- Asymmetric = More than Storage: Asymmetric systems are very complex, resource-intensive, and for that reason many organizations want to offload part of the crypto to the key management product. Therefore, the most popular asymmetric key management platforms actually do a lot more than manage (revoke, renew and generate) the keys. They also do the actual crypto itself (encrypt/decrypt, digital signing and authentication). They also handle the security. In fact, part of the reason that the crypto takes place inside the key management system is for security. The asymmetric keys stored within an HSM are responsible for highly sensitive operations and must be secured at the highest level possible.
- Symmetric = Storage and Retrieve is Enough: With symmetric keys, the it is usually enough for you to be able to securely store the keys, and be able to retrieve the key and use it on your own. This is because with symmetric keys, the operations are quite simple and are supported on many platforms. For example, Intel and ARM chipsets have built in support for fast execution of AES. Additionally, security is less of a concern in a symmetric key management product because there are so many keys – each key being used to encrypt a single entity. If one gets comprised, the risk is smaller.
Today’s products that are used to handle PKI and asymmetric keys don’t have the capability to handle 100s of thousands or millions of symmetric keys. They can’t scale.
And the ones that can handle the storage and retrieval of large amounts of symmetric keys don’t have the capabilities to executing complex crypto or manage the full lifecycle of PKI keys.
So what has changed? Why are orgs looking for a system that can handle both?
Now it’s widely understood and accepted that in most organizations, there will be keys of many types. And whether they are asymmetric or symmetric, in general most of the operations we need to do to manage the keys are the same. So why wouldn’t we want to manage these operations from within the same product?
- Policy definitions (such as who can use the keys how they are backed up etc.)
Also in the last few years there has been a new standard called KMIP which actually merges all the aspects of key management of asymmetric and symmetric to a single standard.
Dyadic’s Enterprise Key Management (EKM) is the answer?
Yes. Dyadic’s Enterprise Key Management solution is a single product that can:
- manage asymmetric and symmetric keys (RSA, AES, ECC)
- scale to support hundreds, thousands or millions of keys
- do complex crypto
- allow you to retrieve keys
- Includes a KMIP server
- run on all standard hardware be it virtual or physical platform
- support cloud, on-premise and hybrid setup options
Dyadic’s EKM’s unique ability to support all type of crypto systems at its core is a pure software, virtual hardware security module (vHSM) which can be deployed easily without disrupting the existing workflow of applications. Dyadic supports full key lifecycle management including partitioning, BYOK (Bring Your Own Key), generation, renewal, archiving and revocation of all types of standard cryptographic keys: RSA, ECC and AES keys for all purposes – encryption/decryption, digital signing and authentication. Dyadic vHSM is fully transparent to the calling application and supports all crypto API’s such as KMIP, PKCS#11, Microsoft CNG, OpenSSL engine and Dyadic SDK for .NET, Java, Python and PHP.
But what about security, you ask? How can a software HSM ever be as secure as a hardware HSM? Well, it can. And Dyadic EKM is. Learn about Dyadic’s hardware-level security guarantee.