Compromised cryptographic keys have a devastating effect on any organization just ask the major Android device manufacturers whose keys were used to distribute malware. Heres what to know about cryptographic keys, how they work, and how to keep yours secure.
Encryption secures everything from the credit card transactions you use to buy items online to the health information you share with your doctor. Its an intricate system that relies on cryptographic keys to help keep that information secure.
But what are cryptographic keys, and how do we use them? Well explore the roles of cryptographic keys in modern communications and what you can do to secure them.
Lets hash it out.
A cryptographic key is a string of characters (often random or mathematically generated) thats paired with a cryptographic algorithm to secure data. Algorithms are mathematical formulas that carry out multiple important cryptographic functions. Two of the most common functions involving cryptographic keys are data encryption and decryption:
When a secret cryptographic key gets exposed or compromised, it means that whatever its used to secure is now at risk of compromise.
Throughout nearly the last nearly 4,000 years of human history, thereve been many instances of using cryptographic keys to communicate secret information. This includes everything from ancient Egyptian tomb inscriptions to activities associated with the United Kingdoms Government Communications Headquarters (GCHQ) after World War I. One of the best-known (and simplest) examples of cryptographic key applications is the Caesar Shift Cipher. This basic substitution cipher shifts the alphabet by a set number of spaces (e.g., A becomes D, and N becomes P). In this case, the key would be knowing how many spaces to shift to decrypt the message.
A common example of encryption can be seen when you log in to your favorite website. If you see the secure padlock icon (pictured below), it means that youre accessing a site thats secured with public key cryptography using SSL/TLS. (Well speak more about that later in the article.)
NOTE: This trusted little padlock icon will be going away in Google Chrome, starting with Chrome 117 thats estimated to launch in September 2023, according to a recent update by the Google Chrome Security Team. Instead, the browser will display a tune icon that users can click on for information.
Different methods of cryptography involve the use of one or two cryptographic keys. Lets explore them both before we dive into their uses.
Symmetric encryption uses a single key, known as a symmetric key. Both the sender and the recipient need to have a copy of the key to encrypt and decrypt data. As such, this private key has to be kept secret so that no unintended third parties could use it to decrypt their secret messages. When you encrypt and decrypt data using a single key, its known as symmetric encryption, symmetric cryptography, or private key cryptography.
Imagine youve just completed a home renovation, a project that included replacing all of your interior and exterior doors with door locks you bought at a local hardware store. As such, each door you install would have its own separate lock, requiring a separate key to open it. (This would be a bit closer to asymmetric encryption because each key would only fit its corresponding lock but well dive more into that in just a few moments.)
However, using a symmetric key is like re-keying all of your homes door locks so that a single key can open them. This is great for convenience because you only need one key, but it also means you have to go to great lengths to keep that key safe. Otherwise, everything inside your home will be compromised if someone gets their hands on that key.
One of the tricky aspects of symmetric keys is that they require the two communicating parties to meet up in a secure way so they each have a copy of the key. (Think of those stereotypical clandestine spy meetups you see in movies or read in books.) This isnt too bad if youre in the same geographic area as the other party. But what if you need to share sensitive information now but dont have the time to meet to exchange keys? Or, what happens when youre trying to communicate securely with someone whos located in another state, country, or side of the world? Youll be plumb out of luck.
Within the last century, the rise of digital communications changed the landscape of communications. Now, you can be using a phone in the United States and communicate nearly instantaneously with someone regardless of their geographic location. You can enter your information in a web form and send it instantaneously across the internet to someone on the other side of the world.
However, theres a drawback: If youre sending that data in plaintext, it isnt secure and can be intercepted by nosy or malicious third parties.
To avoid this security risk, you and the person youre communicating with need a way to securely communicate using encryption. But this would require exchanging your symmetric key, right? Yes. And this is where public key cryptography comes into play
In modern cryptography, another type of cryptographic key is an asymmetric keya pair of two different but related keys. A public key is publicly known and doesnt have to be kept secret. Its linked to a private key, which is kept secret.
Asymmetric cryptographic keys (asymmetric = not identical) are generated in mathematically related pairs containing one public key and one private key. In public key encryption:
A common analogy youll see online thats used to describe the role of separate keys in asymmetric encryption is a mailbox where you have one key to deposit items (public key) and a separate key to remove them (private key).
Using these two cryptographic keys enables two parties to create a secure, encrypted connection. Think of when you connect to a website. The server and client use asymmetric keys to securely exchange information thats used to establish symmetric session keys. These symmetric keys, which require fewer resources to compute, make data exchanges faster at scale.
To learn more about how public-private key pairs work in various cryptographic uses, check out our other article that looks at the topic more in depth.
But why bother switching to symmetric encryption at all? Cant you just use asymmetric keys the whole time? Technically, yes, you could use asymmetric encryption alone to communicate securely on open channels. However, the resources required to make this happen for popular websites would be too costly to do when dealing with thousands or millions of connections. This is why we use asymmetric keys to exchange symmetric key-encrypted sessions to promote scalability.
Check out this recent comparative cost analysis of asymmetric and symmetric applications by researchers at the Institute of Electrical and Electronic Engineers (IEEE). Spoiler alert: Their research shows a 58% saving in global energy costs of public key-based applications through symmetric key system adoptions.
Sometimes, cryptographic keys are referred to with regard to the roles they play in cryptographic processes. We wont get into all of them because they vary depending on the type of cryptographic processes youre performing, but heres a quick overview of several examples:
Generally speaking, the bigger the key, the more secure it is. For example, a 256-bit AES symmetric key is stronger than a 128-bit symmetric key, and a 3078-bit RSA asymmetric key is more secure than a 2048-bit asymmetric key. Larger keys help thwart brute force attackers who try to guess your key because it would be virtually impossible to guess all possible combinations using modern computer resources.
Lets quickly compare public and private keys. Weve used the RSA key generator tool from devglan.com to generate a 2048-bit RSA key pair for this example.
Public key:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnfyxkfwlj+QmitT4lVxrQLHAuJLRl2oIvy+J3I1cuWbyJWXfcmwzc99HRPL6qvfT3IdkJphxok1KZZf6r38v5HpUacSbLyHfi3s0JjclM09HvzuqWqHe1BJhP14RTIaa2ZVcZZvnFOm91U7VSR3lVFVOBFcfJYGTlvIVtXo57KYKYdwsZmiMlNZ3Zr8BX9gqY/Vl7sgjm9tJhBlpDFHCA0/v1jFlsYgddbOXl8ar7Dhp6VyOFG7ifahjmb7rUjzBvIVm7BG7Ds3IFkNvJAXVzfqqW/Zvru73X0AYOGwE5KWbjYN04JwErNI+2JDpk8d6gJrxb/MT6xXjEBuwc/s1mQIDAQAB
Private key:
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCd/LGR/CWP5CaK1PiVXGtAscC4ktGXagi/L4ncjVy5ZvIlZd9ybDNz30dE8vqq99Pch2QmmHGiTUpll/qvfy/kelRpxJsvId+LezQmNyUzT0e/O6paod7UEmE/XhFMhprZlVxlm+cU6b3VTtVJHeVUVU4EVx8lgZOW8hW1ejnspgph3CxmaIyU1ndmvwFf2Cpj9WXuyCOb20mEGWkMUcIDT+/WMWWxiB11s5eXxqvsOGnpXI4UbuJ9qGOZvutSPMG8hWbsEbsOzcgWQ28kBdXN+qpb9m+u7vdfQBg4bATkpZuNg3TgnASs0j7YkOmTx3qAmvFv8xPrFeMQG7Bz+zWZAgMBAAECggEADz17G6wJK5JErYvR1watSfZbsvJmyYZvBZJeaCoy0ae+oCDtpyoM5JabV2lhCPETPOjKnnaCL7fo/1fj1N4eDppGXlWa6rcHy3q9ExqqugJh1264BjorNqX3P5ehb5JkiazA1wRtDDVoHJWYOY9qufHorr6AwKt5Q0xjD7iUseFDN1jsnAQcbl1kifTcc9lbkSv9+zyBmzVQCSVifITe39YmBBCtGJWbC2+aCs2shcO7XOZrDjYABqlYRP7O1XXo0dJYnvat9EnLMTRwQZZwCXhavn+Iyrt2Odd3Vil3w5jSdIOiXivq2C9suZ5c8HIiAepm1Fvu7evo2OfUxTu9CQKBgQDtGN0wn5LUrcI0AO/FNNUobG+wYr7u4QnuucbwP+j9aF7Eo6LrPdgZw4o4DwMTP/rOC/2lNy4RyhQ6Y8CZ7ehxmZLTkCPeGaKRyzm6Z2fq0x3fielqIH9L3SeIgDnTwTxjJ9/Jq5UOvFsj5a1u6+6W9Z0iqDDVGAb+aWa+ic85iwKBgQCqlTL6mtRni1P2pfm8la3p+SjurJKwFaXlLbd6QphptYud8ox81JnCDeTMXUkXHcYwNRarxkqGKqe43j2oHj7XEmEGJUqOXG/9uUa2CBGVIy2b0EIEFnvw8Tj9T13EFi+3p48ksg9C33Jzv9Kcebjhb3B0h6rJuRu9LXEXSaKJ6wKBgQCkCVXPNDgECQuZqyQ4TmtDgnJrmIX9A5k5nzKyOaVa3YDjj0tCchE3EgBo9InuIY/GSql8SwcGq8b+9tDkLqNpJRVeZhVKrnW5ZN9VxgExiErcw6/ICx/HPwUA/aYEiWbcO1QrVRjVjx+HYHpziawSqW/D8JWIeQ0tq4K4ROQoLQKBgE8DFL3ngYMEkjuo3WhwnEHH2yHSZY+SN2lUJ6xFtHsiUC0078XSY/XyoYvXmcdPT0F9FaczDcnfcBi9OCnq+Ih+Rtql40bVojoP26TtT9eYl8OYTzu9fmM4GIGchX4SGMAkqLUClPcQsN7UdyVrbCtfhuMzA/Sz/Rk/NybmQJdJAoGAOR1qIyDpjal8YE/SeK+pI5ZAosADIW3zSPNrGxSbX8kqtdqTDODtP0JgXWfBuB7B2OM6SiV4AID0y/XRGmmyCD3tom7P/s3HnwUt5LxUhVgQ0Ufcw4IkfScNHVTfXBgu1aVN7eLPQMmfM+Inh7z4Gdcbf/xW2KyOdBFcI7Y8ZKE=
Big difference.
If you compare a symmetric key with an asymmetric key, then you might be surprised to learn that key sizes arent equal in terms of their security strength. For example, a 256-bit AES symmetric key is more secure than a 3072-bit RSA asymmetric key. In its Recommendation for Key Management: Part 1, the National Institute of Standards and Technology (NIST) lists an AES 256-bit key as being roughly equivalent to a 15360-bit RSA key. Furthermore, since asymmetric encryption requires the use of two keys, its slower than symmetric encryption, which only requires one.
The security offered by your cryptographic secrets depends on how well you manage and secure them. A lost or stolen key doesnt do you any good because its at risk of compromise. Once a key is compromised, the security of anything its been used to secure is at risk. Thats bad news for you and great news for cybercriminals.
You can protect your cryptographic keys using a key management system and by following key management best practices. Well speak a little more about that later. But first, lets look at what cryptographic keys do; then, well explore a few of the most common ways they may be used within your organization.
Cryptographic keys are critical elements of public key infrastructure and play important roles in several crucial cryptographic functions:
Not sure if youre currently using any cryptographic keys within your IT environment? Here are several examples of how your organization or others are likely already using them:
By enabling HTTPS on your website, youre securing your data in transit by using transport layer security. You can do this by installing an SSL/TLS certificate on your web server. Using an SSL/TLS certificate on your website ensures that your site users data will transmit via secure, encrypted connections.
These connections protect the data in transit. This stops man-in-the-middle attackers who want to intercept, read, modify, or steal your customers sensitive data as it transmits between their clients and your server.
For added security, enable the support of TLS 1.2 as a minimum on your server. Furthermore, you can use HTTP strict transport security (HSTS) as another layer of security to prevent downgrade attacks (i.e., prevent cybercriminals from forcing a website to downgrade from HTTPS to HTTP).
Encryption isnt just for securing data in transit (i.e., public key encryption uses). Rather, encryption is also commonly used to secure at-rest data as well. This includes virtually any type of data stored digitally on a computer system. For example, this includes computers, database servers, cloud storage, and messages on your email server.
To encrypt data at rest, youll often use a symmetric cryptographic key because its fast and requires fewer resources than a pair of asymmetric keys.
But data encryption and decryption arent the only tricks up a cryptographic keys sleeve (so to speak). These digital secrets also have other uses
Digital identity authentication in digital communications is crucial to data security. Its what validates that youre really you because a trusted authority has vetted your digital identity.
But what if you want to verify whether a user who is trying to access your protected resources is legitimate? Traditionally, this would involve the user entering their username and password. However, login credentials are easily compromised through phishing scams and malware, it means that its no longer a viable way to know that someone is authentic.
An alternative is to use digital certificates to verify your digital identity via public key cryptography:
In each of these cases, the cryptographic key associated with the certificate proves your digital identity because only you should have access to it. As such, once authenticated, you can access resources youre authorized to see and use.
Email security is another important area where organizations rely on cryptographic keys. When you digitally sign an email, you apply a hash function to the email contents and your private key to the resulting hash value.
When an email is digitally signed, the recipient knows:
Now, lets say you want to add another layer of security when sending sensitive or confidential data. You can do this using email encryption. Both the email signing and encryption processes involve the use of S/MIME certificates (i.e., email signing certificates). So, as long as you and your email recipient use email signing certificates and youve exchanged public keys, then yall can exchange secure, encrypted emails. This is particularly important for compliance when sending protected customer, financial, or patient health-related data.
Digitally signing your software enables you to show customers and software users that your product is not only authentic but hasnt been tampered with since it was signed. This is important for software developers, publishers, and service providers that maintain customers systems.
You can use a code signing certificate to attach a digital signature to your code. This involves applying a cryptographic hash function to your code and using your private cryptographic key to digitally sign the resulting hash value. When someone downloads your software, their browser or operating system will check to see if the hash value matches. When it does, itll display your verified organization information.
If you decide to take your identity a step further, you can use an extended validation code signing certificate. Signing your software with that digital certificate ensures your software is automatically trusted by Windows operating systems and the Edge browser. As a result, it wont display Windows Defender SmartScreen warnings like this:
Hopefully, weve driven home the point that cryptographic keys are crucial to the security of digital assets and data. But much like other precious things in life, they must be protected through all means possible.
Storing your cryptographic keys securely isnt optional; its actually a requirement of many industry and regional regulations. And unless you like the idea of forking over thousands or millions of dollars in noncompliance penalties, legal fees, and lawsuit settlements due to data breaches, then we suggest you pay attention.
Historically, only extended validation (EV) code signing certificates came pre-installed on a hardware security token. Now, all organization validation (OV) code signing certificates will also be delivered via secure tokens by default.
You also can use hardware security modules (HSMs) to protect your other cryptographic secrets. These on-prem appliances and cloud-based storage mechanisms provide a way for your authorized users to use your cryptographic keys without having direct access.
Were not going to dive into the specifics of key management best practices here because weve already done that in previous articles. To learn more, check out our key and certificate management, check out the following resources:
Read this article:
Cryptographic Keys 101: What They Are & How They Secure Data - Hashed Out by The SSL Store
Read More..