Key management

Last updated

Key management refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols. [1] [2]

Contents

Key management concerns keys at the user level, either between users or systems. This is in contrast to key scheduling, which typically refers to the internal handling of keys within the operation of a cipher.

Successful key management is critical to the security of a cryptosystem. It is the more challenging side of cryptography in a sense that it involves aspects of social engineering such as system policy, user training, organizational and departmental interactions, and coordination between all of these elements, in contrast to pure mathematical practices that can be automated.

Types of keys

Cryptographic systems may use different types of keys, with some systems using more than one. These may include symmetric keys or asymmetric keys. In a symmetric key algorithm the keys involved are identical for both encrypting and decrypting a message. Keys must be chosen carefully, and distributed and stored securely. Asymmetric keys, also known as public keys, in contrast are two distinct keys that are mathematically linked. They are typically used together to communicate. Public key infrastructure (PKI), the implementation of public key cryptography, requires an organization to establish an infrastructure to create and manage public and private key pairs along with digital certificates. [3]

Inventory

The starting point in any certificate and private key management strategy is to create a comprehensive inventory of all certificates, their locations and responsible parties. This is not a trivial matter because certificates from a variety of sources are deployed in a variety of locations by different individuals and teams - it's simply not possible to rely on a list from a single certificate authority. Certificates that are not renewed and replaced before they expire can cause serious downtime and outages. Some other considerations:

Management steps

Once keys are inventoried, key management typically consists of three steps: exchange, storage and use.

Key exchange

Prior to any secured communication, users must set up the details of the cryptography. In some instances this may require exchanging identical keys (in the case of a symmetric key system). In others it may require possessing the other party's public key. While public keys can be openly exchanged (their corresponding private key is kept secret), symmetric keys must be exchanged over a secure communication channel. Formerly, exchange of such a key was extremely troublesome, and was greatly eased by access to secure channels such as a diplomatic bag. Clear text exchange of symmetric keys would enable any interceptor to immediately learn the key, and any encrypted data.

The advance of public key cryptography in the 1970s has made the exchange of keys less troublesome. Since the Diffie-Hellman key exchange protocol was published in 1975, it has become possible to exchange a key over an insecure communications channel, which has substantially reduced the risk of key disclosure during distribution. It is possible, using something akin to a book code, to include key indicators as clear text attached to an encrypted message. The encryption technique used by Richard Sorge's code clerk was of this type, referring to a page in a statistical manual, though it was in fact a code. The German Army Enigma symmetric encryption key was a mixed type early in its use; the key was a combination of secretly distributed key schedules and a user chosen session key component for each message.

In more modern systems, such as OpenPGP compatible systems, a session key for a symmetric key algorithm is distributed encrypted by an asymmetric key algorithm. This approach avoids even the necessity for using a key exchange protocol like Diffie-Hellman key exchange.

Another method of key exchange involves encapsulating one key within another. Typically a master key is generated and exchanged using some secure method. This method is usually cumbersome or expensive (breaking a master key into multiple parts and sending each with a trusted courier for example) and not suitable for use on a larger scale. Once the master key has been securely exchanged, it can then be used to securely exchange subsequent keys with ease. This technique is usually termed key wrap. A common technique uses block ciphers and cryptographic hash functions. [6]

A related method is to exchange a master key (sometimes termed a root key) and derive subsidiary keys as needed from that key and some other data (often referred to as diversification data). The most common use for this method is probably in smartcard-based cryptosystems, such as those found in banking cards. The bank or credit network embeds their secret key into the card's secure key storage during card production at a secured production facility. Then at the point of sale the card and card reader are both able to derive a common set of session keys based on the shared secret key and card-specific data (such as the card serial number). This method can also be used when keys must be related to each other (i.e., departmental keys are tied to divisional keys, and individual keys tied to departmental keys). However, tying keys to each other in this way increases the damage which may result from a security breach as attackers will learn something about more than one key. This reduces entropy, with regard to an attacker, for each key involved.

A recent method uses an oblivious pseudorandom function to issue keys without the key management system ever being in a position to see the keys. [7]

Key storage

However distributed, keys must be stored securely to maintain communications security. Security is a big concern [8] [9] and hence there are various techniques in use to do so. Likely the most common is that an encryption application manages keys for the user and depends on an access password to control use of the key. Likewise, in the case of smartphone keyless access platforms, they keep all identifying door information off mobile phones and servers and encrypt all data, where just like low-tech keys, users give codes only to those they trust. [8]

In terms of regulation, there are few that address key storage in depth. "Some contain minimal guidance like 'don’t store keys with encrypted data' or suggest that 'keys should be kept securely.'" The notable exceptions to that are PCI DSS 3.2.1, NIST 800-53 and NIST 800–57. [9]

For optimal security, keys may be stored in a Hardware Security Module (HSM) or protected using technologies such as Trusted Execution Environment (TEE, e.g. Intel SGX) or Multi-Party Computation (MPC). Additional alternatives include utilizing Trusted Platform Modules (TPM), [10] virtual HSMs, aka "Poor Man's Hardware Security Modules" (pmHSM), [11] or non-volatile Field-Programmable-Gate-Arrays (FPGA) with supporting System-on-Chip configurations. [12] In order to verify the integrity of a key stored without compromising its actual value a KCV algorithm can be used.

Key encryption use

The major issue is length of time a key is to be used, and therefore frequency of replacement. Because it increases any attacker's required effort, keys should be frequently changed. This also limits loss of information, as the number of stored encrypted messages which will become readable when a key is found will decrease as the frequency of key change increases. Historically, symmetric keys have been used for long periods in situations in which key exchange was very difficult or only possible intermittently. Ideally, the symmetric key should change with each message or interaction, so that only that message will become readable if the key is learned (e.g., stolen, cryptanalyzed, or social engineered).

Challenges

Several challenges IT organizations face when trying to control and manage their encryption keys are:

  1. Scalability: Managing a large number of encryption keys.
  2. Security: Vulnerability of keys from outside hackers, malicious insiders.
  3. Availability: Ensuring data accessibility for authorized users.
  4. Heterogeneity: Supporting multiple databases, applications and standards.
  5. Governance: Defining policy-driven access control and protection for data. [13] Governance includes compliance with data protection requirements.

Compliance

Key management compliance refers to the oversight, assurance, and capability of being able to demonstrate that keys are securely managed. This includes the following individual compliance domains:

Compliance can be achieved with respect to national and international data protection standards and regulations, such as Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Sarbanes–Oxley Act, or General Data Protection Regulation. [15]

Management and compliance systems

Key management system

A key management system (KMS), also known as a cryptographic key management system (CKMS) or enterprise key management system (EKMS), is an integrated approach for generating, distributing and managing cryptographic keys for devices and applications. They may cover all aspects of security - from the secure generation of keys over the secure exchange of keys up to secure key handling and storage on the client. Thus, a KMS includes the backend functionality for key generation, distribution, and replacement as well as the client functionality for injecting keys, storing and managing keys on devices.

Standards-based key management

Many specific applications have developed their own key management systems with home grown protocols. However, as systems become more interconnected keys need to be shared between those different systems. To facilitate this, key management standards have evolved to define the protocols used to manage and exchange cryptographic keys and related information.

Key Management Interoperability Protocol (KMIP)

KMIP is an extensible key management protocol that has been developed by many organizations working within the OASIS standards body. The first version was released in 2010, and it has been further developed by an active technical committee.

The protocol allows for the creation of keys and their distribution among disparate software systems that need to utilize them. It covers the full key life cycle of both symmetric and asymmetric keys in a variety of formats, the wrapping of keys, provisioning schemes, and cryptographic operations as well as meta data associated with the keys.

The protocol is backed by an extensive series of test cases, and interoperability testing is performed between compliant systems each year.

A list of some 80 products that conform to the KMIP standard can be found on the OASIS website.

Closed source

Non-KMIP-compliant key management

Open source

  • Barbican, the OpenStack security API. [37]
  • KeyBox - web-based SSH access and key management. [38]
  • EPKS - Echo Public Key Share, system to share encryption keys online in a p2p community. [39]
  • Kmc-Subset137 [40] - key management system implementing UNISIG Subset-137 [41] for ERTMS/ETCS railway application.
  • privacyIDEA - two factor management with support for managing SSH keys. [42]
  • StrongKey - open source, last updated on SourceForge in 2016. [43] There is no more maintenance on this project according to its home page.
  • Vault - secret server from HashiCorp. [44]
  • NuCypher
  • SecretHub - end-to-end encrypted SaaS key management
  • Infisical - end-to-end open-source secret management platform.

Closed source

KMS security policy

The security policy of a key management system provides the rules that are to be used to protect keys and metadata that the key management system supports. As defined by the National Institute of Standards and Technology NIST, the policy shall establish and specify rules for this information that will protect its: [14]

  • Confidentiality
  • Integrity
  • Availability
  • Authentication of source [54]

This protection covers the complete key life-cycle from the time the key becomes operational to its elimination. [1]

Bring your own encryption / key

Bring your own encryption (BYOE)—also called bring your own key (BYOK)—refers to a cloud-computing security model to allow public-cloud customers to use their own encryption software and manage their own encryption keys. This security model is usually considered a marketing stunt, as critical keys are being handed over to third parties (cloud providers) and key owners are still left with the operational burden of generating, rotating and sharing their keys. IBM offers a variant of this capability called Keep Your Own Key where customers have exclusive control of their keys.

Public-key infrastructure (PKI)

A public-key infrastructure is a type of key management system that uses hierarchical digital certificates to provide authentication, and public keys to provide encryption. PKIs are used in World Wide Web traffic, commonly in the form of SSL and TLS.

Multicast group key management

Group key management means managing the keys in a group communication. Most of the group communications use multicast communication so that if the message is sent once by the sender, it will be received by all the users. The main problem in multicast group communication is its security. In order to improve the security, various keys are given to the users. Using the keys, the users can encrypt their messages and send them secretly. IETF.org released RFC 4046, entitled Multicast Security (MSEC) Group Key Management Architecture, which discusses the challenges of group key management. [55]

See also

Related Research Articles

In cryptography, key size or key length refers to the number of bits in a key used by a cryptographic algorithm.

<span class="mw-page-title-main">Encryption</span> Process of converting plaintext to ciphertext

In cryptography, encryption is the process of transforming information in a way that, ideally, only authorized parties can decode. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Despite its goal, encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

<span class="mw-page-title-main">Kerberos (protocol)</span> Computer authentication protocol

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

<span class="mw-page-title-main">Public-key cryptography</span> Cryptographic system with public and private keys

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. Based on the used method, the key can be different sizes and varieties, but in all cases, the strength of the encryption relies on the security of the key being maintained. A key's security strength is dependent on its algorithm, the size of the key, the generation of the key, and the process of key exchange.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

End-to-end encryption (E2EE) is a private communication system in which only communicating users can participate. As such, no one else, including the communication system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to converse. End-to-end encryption is intended to prevent data being read or secretly modified, other than by the true sender and recipient(s). The messages are encrypted by the sender but the third party does not have a means to decrypt them, and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves. Because no third parties can decipher the data being communicated or stored, for example, companies that provide end-to-end encryption are unable to hand over texts of their customers' messages to the authorities.

Encryption software is software that uses cryptography to prevent unauthorized access to digital information. Cryptography is used to protect digital information on computers as well as the digital information that is sent to other computers over the Internet.

<span class="mw-page-title-main">Hardware security module</span> Physical computing device

A hardware security module (HSM) is a physical computing device that safeguards and manages secrets, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

Multimedia Internet KEYing (MIKEY) is a key management protocol that is intended for use with real-time applications. It can specifically be used to set up encryption keys for multimedia sessions that are secured using SRTP, the security protocol commonly used for securing real-time communications such as VoIP.

<span class="mw-page-title-main">Network Security Services</span> Collection of cryptographic computer libraries

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely. However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. This is addressed by hybrid systems by using a combination of both.

In cryptography, a key ceremony is a ceremony held to generate or use a cryptographic key.

<span class="mw-page-title-main">Key Management Interoperability Protocol</span> Communication protocol for the manipulation of cryptographic keys

The Key Management Interoperability Protocol (KMIP) is an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. This facilitates data encryption by simplifying encryption key management. Keys may be created on a server and then retrieved, possibly wrapped by other keys. Both symmetric and asymmetric keys are supported, including the ability to sign certificates. KMIP also allows for clients to ask a server to encrypt or decrypt data, without needing direct access to the key.

The IBM 4767 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

The IBM 4768 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.

The IBM 4769 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

References

  1. 1 2 3 Turner, Dawn M. "What Is Key Management? A CISO Perspective". Cryptomathic. Retrieved 30 May 2016.
  2. Krähenbühl, Cyrill; Perrig, Adrian (2023), Mulder, Valentin; Mermoud, Alain; Lenders, Vincent; Tellenbach, Bernhard (eds.), "Key Management", Trends in Data Protection and Encryption Technologies, Cham: Springer Nature Switzerland, pp. 15–20, doi: 10.1007/978-3-031-33386-6_4 , ISBN   978-3-031-33386-6
  3. Boyle, Randall; Panko, Ray (2015). Corporate Computer Security (Fourth ed.). Upper Saddle River New Jersey: Pearson. p. 278.
  4. "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". www.pcisecuritystandards.org. Retrieved 2022-02-16.
  5. "How do you manage encryption keys and certificates in your organization?". www.linkedin.com. Retrieved 2023-09-25.
  6. "Block Cipher - an overview | ScienceDirect Topics". www.sciencedirect.com. Retrieved 2020-12-12.
  7. Jarecki, Stanislaw; Krawczyk, Hugo; Resch, Jason (2019). "Updatable Oblivious Key Management for Storage Systems". Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. Vol. November 2019. pp. 379–393. doi:10.1145/3319535.3363196. ISBN   978-1-4503-6747-9 . Retrieved Jan 27, 2024.
  8. 1 2 "An ancient technology gets a key makeover". Crain's New York Business. Crain's New York. 20 November 2013. Retrieved 19 May 2015.
  9. 1 2 "Lost in translation: encryption, key management, and real security". Google Cloud Blog. Retrieved 2021-09-16.
  10. Gopal, Venkatesh; Fadnavis, Shikha; Coffman, Joel (July 2018). "Low-Cost Distributed Key Management". 2018 IEEE World Congress on Services (SERVICES). pp. 57–58. doi:10.1109/SERVICES.2018.00042. ISBN   978-1-5386-7374-4. S2CID   53081136.
  11. Cifuentes, Francisco; Hevia, Alejandro; Montoto, Francisco; Barros, Tomás; Ramiro, Victor; Bustos-Jiménez, Javier (2016-10-13). "Poor Man's Hardware Security Module (PMHSM)". Proceedings of the 9th Latin America Networking Conference. LANC '16. Valparaiso, Chile: Association for Computing Machinery. pp. 59–64. doi:10.1145/2998373.2998452. ISBN   978-1-4503-4591-0. S2CID   16784459.
  12. Parrinha, Diogo; Chaves, Ricardo (December 2017). "Flexible and low-cost HSM based on non-volatile FPGAs". 2017 International Conference on ReConFigurable Computing and FPGAs (ReConFig). pp. 1–8. doi:10.1109/RECONFIG.2017.8279795. ISBN   978-1-5386-3797-5. S2CID   23673629.
  13. "Security Policy and Key Management: Centrally Manage Encryption Key". Slideshare.net. 2012-08-13. Retrieved 2013-08-06.
  14. 1 2 Reinholm, James H. "Simplifying the Complex Process of Auditing a Key Management System for Compliance". Cryptomathic. Retrieved 30 May 2016.
  15. Stubbs, Rob. "Buyer's Guide to Choosing a Crypto Key Management System". Cryptomathic. Retrieved 12 March 2018.
  16. 1 2 "Bloombase KeyCastle - Enterprise Key Life-Cycle Management - Bloombase - Intelligent Storage Firewall".
  17. "Cryptsoft". Cryptsoft. Retrieved 2013-08-06.
  18. "VaultCore - Encryption Key Management Platform | Fornetix". 29 August 2019.
  19. "Fortanix Data Security Manager". Fortanix. Retrieved 2022-06-02.
  20. "Futurex Key Management Servers". Futurex.com. Retrieved 2016-08-18.
  21. "Gazzang zTrustee". Gazzang.com. Archived from the original on 2014-08-07. Retrieved 2013-08-06.
  22. "Data Encryption - Enterprise Secure Key Manager | HP® Official Site". H17007.www1.hp.com. Archived from the original on 2012-07-10. Retrieved 2013-08-06.
  23. "IBM Enterprise Key Management Foundation (EKMF)". 03.ibm.com. Archived from the original on October 13, 2011. Retrieved 2013-08-06.
  24. "IBM Enterprise Key Management Foundation" (PDF). Archived from the original (PDF) on 2014-12-29. Retrieved 2013-02-08.
  25. Fridli, Roman; Greenfield, Andrew; Dufrasne, Bert; Redbooks, I.B.M. (2016-12-28). Data-at-rest Encryption for the IBM Spectrum Accelerate Famil. ISBN   9780738455839 . Retrieved 2017-06-12.
  26. "Getting started with IBM Cloud Hyper Protect Crypto Services".
  27. "Key Manager | Database". Oracle. Retrieved 2018-08-28.
  28. "Key Manager | Storage". Oracle. Retrieved 2013-08-06.
  29. "P6R". P6R. Retrieved 2015-05-11.
  30. "qCrypt". Quintessencelabs.com. Archived from the original on 2015-10-02. Retrieved 2016-04-01.
  31. "RSA Data Protection Manager - Data Encryption, Key Management". EMC. 2013-04-18. Retrieved 2013-08-06.
  32. "Cryptographic Key Management System - Gemalto's SafeNet KeySecure". Safenet.Gemalto.com. Retrieved 2013-08-06.
  33. "Key Management: keyAuthority - a proven solution for centralizing key management". Thales-esecurity.com. Archived from the original on 2012-09-10. Retrieved 2013-08-06.
  34. "Encryption Key Management | Encryption Key Management, Cloud Security, Data Protection". Townsendsecurity.com. Archived from the original on 2016-03-04. Retrieved 2013-08-06.
  35. "What We do – Venafi". Archived from the original on 2014-07-11. Retrieved 2014-09-27.
  36. "Vormetric Data Security Platform". Vormetric.com. Archived from the original on 2016-04-10. Retrieved 2015-12-15.
  37. "Barbican - OpenStack".
  38. SSHKeyBox - Services and Products
  39. "Big Seven Crypto Study - Wikibooks, open books for an open world". Archived from the original on 2016-08-09. Retrieved 2016-07-16.
  40. "KMC-Subject137 Library Project". KMC-Subset137 Project. Retrieved 14 July 2024.
  41. "On-line Key Management FFFIS" (PDF). Archived from the original (PDF) on 2018-07-27.
  42. Authentication System privacyIDEA
  43. "StrongKey". 6 April 2016.
  44. Manage secrets and protect sensitive data with Vault
  45. "Key Management Service (AWS KMS) - Amazon Web Services (AWS)".
  46. "Key Management System". Bell ID. Archived from the original on 2014-01-17. Retrieved 2014-01-17.
  47. Landrock, Peter. "Cryptomathic Key Management System". cryptomathic.com/. Cryptomathic. Retrieved April 20, 2015.
  48. "Doppler | SecretOps Platform". www.doppler.com. Retrieved 2022-08-26.
  49. "IBM Cloud Docs".
  50. "What is Azure Key Vault?". 18 December 2022.
  51. "About Virtual Private Data". Porticor.com. Archived from the original on 2013-07-31. Retrieved 2013-08-06.
  52. "UKM Zero Trust SSH Encryption Key Management".
  53. "Encryption & Key Management Overview".
  54. Barker, Elaine; Smid, Miles; Branstad, Dennis; Chokhani, Santosh. "NIST Special Publication 800 -130: A Framework for Designing Cryptographic Key Management Systems" (PDF). National Institute of Standards and Technology. Retrieved 30 May 2016.
  55. Baugher, M.; Canetti, R.; Dondeti, L.; Lindholm, F. (2005-04-01). "Multicast Security (MSEC) Group Key Management Architecture". Ietf Datatracker. doi:10.17487/RFC4046 . Retrieved 2017-06-12.

45.NeoKeyManager - Hancom Intelligence Inc.

Q* The IEEE Security in Storage Working Group (SISWG) that is creating the P1619.3 standard for Key Management

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.