nCipher Security Blog

Keys to the “Concrete Jungle” – from skilled locksmiths to skilled cryptographers

We learned a few weeks ago that master keys for every elevator in New York, from skyscrapers to subways to construction sites, had been copied and leaked, and are now being freely sold online. Let's hope the image used in that article isn't of the actual key, else we'll have an even bigger problem on our hands - thanks to a news piece on baggage handling from last year, replica TSA keys (that open every modern suitcase) have now been 3D printed using leaked photographs of the keys.

Both these types of physical key are in place for our safety and protection, but the entire system hinges on our trust that only authorised personnel have access to them. In the physical world, ensuring this level of security involves a great deal of process – who can unlock the safe to obtain the key? Who else must be present for them to do so? When are they authorised to do so? How can you keep track of when the key has been put back? And ensure that it hasn’t been altered or copied?

The same system of trust applies when considering digital encryption keys. Much like a skilled locksmith can replicate a key based on an image, a skilled attacker can replicate a cryptographic key if they are able to gain access to your server. Once they have this, they can do everything with this key that you can – encrypt data, decrypt data, and sign documents that to all the world, will appear legitimate, as though you had authorised them.

Encryption effectively ‘neutralises’ data, rendering it useless to hackers. However, time and time again, weak key management is revealed as encryption’s greatest vulnerability. In addition to performing secure cryptographic processing, Hardware Security Modules (HSMs) are specifically designed to protect and manage the keys – exactly the same processes that are used to protect critical physical keys. With HSMs, however, organisations are able to enforce policy on the use of the keys, rather than rely solely on people and processes.

Keys represent trust, and their secrecy and integrity determine whether that trust can be relied on – they are the anchor points for reputation, confidence and value. Of course, managing digital keys brings its own challenges, particularly in light of now well-established enterprise trends such as cloud computing and mobility, which require businesses to tread an ever finer line between trust and control with third party service providers. In our recent survey with the Ponemon Institute, the pain of key management emerges as one of the biggest barriers to the widespread adoption of encryption, with 56% of global business respondents rating the “pain” of key management as seven or more on a scale of one to ten. A feeling that there is ‘no clear ownership of the problem’ topped the chart of frustrations.

So, if you want your enterprise security to be “where dreams are made of”, it’s simple. Keep control of your keys, and keep control of your data.