{"id":5030,"date":"2021-12-15T09:39:42","date_gmt":"2021-12-15T01:39:42","guid":{"rendered":"https:\/\/www.progreso.com.sg\/newsite\/?page_id=5030"},"modified":"2021-12-15T09:46:55","modified_gmt":"2021-12-15T01:46:55","slug":"encryption-key-management-fundamentals-1","status":"publish","type":"page","link":"https:\/\/www.progreso.com.sg\/newsite\/encryption-key-management-fundamentals-1\/","title":{"rendered":"Encryption Key Management Fundamentals-1"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"5030\" class=\"elementor elementor-5030\" data-elementor-settings=\"[]\">\n\t\t\t<div class=\"elementor-inner\">\n\t\t\t\t<div class=\"elementor-section-wrap\">\n\t\t\t\t\t\t\t<section class=\"elementor-element elementor-element-ce1dac0 elementor-section-stretched elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"ce1dac0\" data-element_type=\"section\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;,&quot;animation&quot;:&quot;fadeIn&quot;,&quot;motion_fx_motion_fx_scrolling&quot;:&quot;yes&quot;,&quot;motion_fx_devices&quot;:[&quot;desktop&quot;,&quot;tablet&quot;,&quot;mobile&quot;]}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0fbd377 elementor-column elementor-col-100 elementor-top-column\" data-id=\"0fbd377\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d1f08e2 elementor-widget elementor-widget-image\" data-id=\"d1f08e2\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"1024\" height=\"419\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Webpage-header_2-1024x419.jpg\" class=\"attachment-large size-large\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Webpage-header_2-1024x419.jpg 1024w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Webpage-header_2-300x123.jpg 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Webpage-header_2-768x314.jpg 768w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Webpage-header_2-600x246.jpg 600w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Webpage-header_2.jpg 1463w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-2963335 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"2963335\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-0e5f7e9 elementor-section-stretched elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-top-section\" data-id=\"0e5f7e9\" data-element_type=\"section\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d63a0e3 elementor-column elementor-col-100 elementor-top-column\" data-id=\"d63a0e3\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aaf9aae elementor-widget elementor-widget-text-editor\" data-id=\"aaf9aae\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2 style=\"text-align: center;\"><span style=\"color: #ffcc00;\"><strong>Q: What is Encryption Key Management?<\/strong><\/span><\/h2><p style=\"text-align: center;\"><span style=\"color: #ffffff;\">Encryption key management is administering the full lifecycle of cryptographic keys. This includes: generating, using, storing, archiving, and deleting of keys. Protection of the encryption keys includes limiting access to the keys physically, logically, and through user\/role access.<\/span><\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-fa1c43c elementor-section-stretched elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"fa1c43c\" data-element_type=\"section\" id=\"hardware\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;,&quot;animation&quot;:&quot;fadeIn&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-48de13b elementor-column elementor-col-100 elementor-top-column\" data-id=\"48de13b\" data-element_type=\"column\" id=\"1\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-a516a6a uael-heading-align-left uael-heading-fill-color elementor-widget elementor-widget-uael-advanced-heading\" data-id=\"a516a6a\" data-element_type=\"widget\" data-widget_type=\"uael-advanced-heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n\t\t<div class=\"uael-module-content uael-heading-wrapper\">\n\t\t\t\n\t\t\t<h1 class=\"uael-heading\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"uael-heading-text elementor-inline-editing uael-size--default\" data-elementor-setting-key=\"heading_title\" data-elementor-inline-editing-toolbar=\"basic\" >1. INTRODUCTION<\/span>\n\t\t\t\t\t\t\t<\/h1>\n\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d4ab72 elementor-aspect-ratio-219 elementor-widget elementor-widget-video\" data-id=\"1d4ab72\" data-element_type=\"widget\" data-settings=\"{&quot;aspect_ratio&quot;:&quot;219&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-wrapper elementor-fit-aspect-ratio elementor-open-inline\">\n\t\t\t<iframe class=\"elementor-video-iframe\" allowfullscreen title=\"youtube Video Player\" src=\"https:\/\/www.youtube.com\/embed\/iivpQaaMrJY?feature=oembed&amp;start&amp;end&amp;wmode=opaque&amp;loop=0&amp;controls=1&amp;mute=0&amp;rel=0&amp;modestbranding=0\"><\/iframe>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ddecf06 elementor-widget elementor-widget-text-editor\" data-id=\"ddecf06\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-4153c07 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"4153c07\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e0e2e1b elementor-column elementor-col-100 elementor-inner-column\" data-id=\"e0e2e1b\" data-element_type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4bbb933 elementor-widget elementor-widget-text-editor\" data-id=\"4bbb933\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p><em>\u201cThe proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.\u201d<\/em><br \/>~<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-57p1r3.pdf\"> NIST Recommendation for Key Management<\/a><\/p><p>NIST\u2019s statement paints an accurate picture. Like a safe\u2019s combination, your encryption keys are only as good as the security you use to protect them. There is an entire physical and digital cryptosystem that must be must be accounted for as well as each key\u2019s full lifecycle. Therefore, a robust\u00a0<a href=\"https:\/\/www.townsendsecurity.com\/products\/centralized-encryption-key-management\" target=\"_blank\" rel=\"noopener\">encryption key management<\/a>\u00a0system and policies includes:<\/p><ul><li>Key lifecycle: key generation, pre-activation, activation, expiration, post-activation, escrow, and destruction<\/li><li>Physical access to the key server(s)<\/li><li>Logical access to the key server(s)<\/li><li>User\/Role access to the encryption keys<\/li><\/ul><p>Let\u2019s get started with a brief overview of the types of encryption keys.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-ce321b5 elementor-section-stretched ps2id elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"ce321b5\" data-element_type=\"section\" id=\"key\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;,&quot;animation&quot;:&quot;fadeIn&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ecc655e elementor-column elementor-col-100 elementor-top-column\" data-id=\"ecc655e\" data-element_type=\"column\" id=\"2\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9e62f17 uael-heading-align-left uael-heading-fill-color elementor-widget elementor-widget-uael-advanced-heading\" data-id=\"9e62f17\" data-element_type=\"widget\" id=\"2\" data-widget_type=\"uael-advanced-heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n\t\t<div class=\"uael-module-content uael-heading-wrapper\">\n\t\t\t\n\t\t\t<h1 class=\"uael-heading\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"uael-heading-text elementor-inline-editing uael-size--default\" data-elementor-setting-key=\"heading_title\" data-elementor-inline-editing-toolbar=\"basic\" >2. TYPES OF ENCRYPTION KEYS AND HOW THEY WORK<\/span>\n\t\t\t\t\t\t\t<\/h1>\n\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-f434297 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"f434297\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e283ae7 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"e283ae7\" data-element_type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-bdfe11e elementor-widget elementor-widget-image\" data-id=\"bdfe11e\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"295\" height=\"300\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Symmetric-Keys-FLow-295x300.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Symmetric-Keys-FLow-295x300.webp 295w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Symmetric-Keys-FLow.webp 500w\" sizes=\"(max-width: 295px) 100vw, 295px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-83fd2c9 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"83fd2c9\" data-element_type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5cfabf6 elementor-widget elementor-widget-text-editor\" data-id=\"5cfabf6\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2><span style=\"color: #000000;\"><strong>Symmetric Keys: Data-at-Rest<\/strong><\/span><\/h2><p><span style=\"color: #000000;\">In symmetric key cryptography, the same encryption key is used to both encrypt and decrypt the data. This means of encryption is used primarily to protect data at rest. An example would be to encrypt sensitive data into ciphertext while it is stored in a database and decrypt it to plaintext when it is accessed by an authorized user, and vice versa.<\/span><\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-1d92c9e elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"1d92c9e\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-de78846 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"de78846\" data-element_type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0331fc1 elementor-widget elementor-widget-text-editor\" data-id=\"0331fc1\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2>Asymmetric Keys: Data-in-Motion<\/h2><p>Asymmetric keys, on the other hand, are a pair of keys for the encryption and decryption of the data. Both keys are related to each other and created at the same time. They are referred to as a public and a private key:<\/p><ul><li><strong>Public Key:<\/strong>\u00a0this key is primarily used to encrypt the data and can be freely given as it will be used to encrypt data, not decrypt it.<\/li><li><strong>Private Key:<\/strong>\u00a0this key is used to decrypt the data that it\u2019s counterpart, the public key, has encrypted. This key must be safeguarded as it is the only key that can decrypt the encrypted data.<\/li><\/ul><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8b9f5ff elementor-column elementor-col-50 elementor-inner-column\" data-id=\"8b9f5ff\" data-element_type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e920cfa elementor-widget elementor-widget-image\" data-id=\"e920cfa\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"768\" height=\"454\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Asymmetric-Key-Flow@2x-768x454.webp\" class=\"attachment-medium_large size-medium_large\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Asymmetric-Key-Flow@2x-768x454.webp 768w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Asymmetric-Key-Flow@2x-300x177.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Asymmetric-Key-Flow@2x-600x354.webp 600w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Asymmetric-Key-Flow@2x.webp 999w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<div class=\"elementor-element elementor-element-33d3d1a elementor-widget elementor-widget-text-editor\" data-id=\"33d3d1a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><ul><li>Asymmetric keys are primarily used to secure data-in-motion. An example might be a virtual private network (VPN) connection. With a VPN:<ul><li>an AES symmetric session key is used to encrypt the data<ul><li>a public key is used to encrypt the session key<\/li><\/ul><\/li><li>once the encrypted data is received, the private key is used to decrypt the session key<ul><li>so that is can be used to decrypt the data.<\/li><\/ul><\/li><\/ul><\/li><\/ul><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-3562ca2 elementor-section-stretched ps2id elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"3562ca2\" data-element_type=\"section\" id=\"pci\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;gradient&quot;,&quot;animation&quot;:&quot;fadeIn&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-bb15608 elementor-column elementor-col-100 elementor-top-column\" data-id=\"bb15608\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4408019 uael-heading-align-left uael-heading-fill-color elementor-widget elementor-widget-uael-advanced-heading\" data-id=\"4408019\" data-element_type=\"widget\" id=\"3\" data-widget_type=\"uael-advanced-heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n\t\t<div class=\"uael-module-content uael-heading-wrapper\">\n\t\t\t\n\t\t\t<h1 class=\"uael-heading\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"uael-heading-text elementor-inline-editing uael-size--default\" data-elementor-setting-key=\"heading_title\" data-elementor-inline-editing-toolbar=\"basic\" >3. HOW ENCRYPTION KEY SYSTEMS WORK<\/span>\n\t\t\t\t\t\t\t<\/h1>\n\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-512abce elementor-widget elementor-widget-text-editor\" data-id=\"512abce\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2>Symmetric Key Systems<\/h2><p>First, let\u2019s establish a few definitions:<\/p><ul><li><strong>Data encryption key (DEK):<\/strong>\u00a0is an encryption key whose function it is to encrypt and decrypt the data.<\/li><li><strong>Key encryption key (KEK):<\/strong>\u00a0is an encryption key whose function it is to encrypt and decrypt the DEK.<\/li><li><strong>Key management application program interface (KM API):<\/strong>\u00a0is an application interface that is designed to securely retrieve and pass along encryption keys from a key management server to the client requesting the keys.<\/li><li><strong>Certificate Authority (CA):<\/strong>\u00a0is an entity that creates public and private keys, creates certificates, verifies certificates and performs other PKI functions.<\/li><li><strong>Transport layer security (TLS):<\/strong>\u00a0is a cryptographic protocol that provides security, through mutual authentication, for data-in-motion over a computer network.<\/li><li><strong>Key Management System (KMS):<\/strong>\u00a0is the system that houses the key management software<\/li><\/ul><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a4ec18a elementor-widget elementor-widget-image\" data-id=\"a4ec18a\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"768\" height=\"589\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KM-System-Flowchart-768x589.jpg\" class=\"attachment-medium_large size-medium_large\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KM-System-Flowchart-768x589.jpg 768w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KM-System-Flowchart-300x230.jpg 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KM-System-Flowchart-600x460.jpg 600w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KM-System-Flowchart.jpg 976w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2a8524a elementor-widget elementor-widget-text-editor\" data-id=\"2a8524a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>Now that we have the definitions in place, below is a step by step example of how an authorized user accesses encrypted data:<\/p><ol><li>A user requests to access encrypted data.<\/li><li>The database, application, file system, or storage then sends a DEK retrieval request to the client (KM API).<\/li><li>Next, the client (KM API) and KM verify each other\u2019s certificates:<ol><li>The client (KM API) sends a certificate to the KM for verification.<\/li><li>The KM then checks the certificate against the CA for authentication.<\/li><li>Once the client (KM API) certificate has been verified, the KM then sends its certificate to the KM API for authentication and acceptance.<\/li><\/ol><\/li><li>Once the certificates have been accepted, a secure TLS connection is established between the client (KM API) and the KM.<\/li><li>The KM then decrypts the requested DEK with the KEK<\/li><li>The KM sends the DEK to the client (KM API) over the encrypted TLS session.<\/li><li>The KM API then sends the DEK to the database, application, file system, or storage.<\/li><li>The database (may) cache the DEK in temporary secure memory.<\/li><li>The database, application, file system, or storage then sends the plaintext information to the user.<\/li><\/ol><h2>Asymmetric Key Systems<\/h2><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c0cdf02 elementor-widget elementor-widget-image\" data-id=\"c0cdf02\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"768\" height=\"454\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Asymmetric-Key-Flow@2x-1-768x454.webp\" class=\"attachment-medium_large size-medium_large\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Asymmetric-Key-Flow@2x-1-768x454.webp 768w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Asymmetric-Key-Flow@2x-1-300x177.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Asymmetric-Key-Flow@2x-1-600x354.webp 600w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Asymmetric-Key-Flow@2x-1.webp 999w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0bd3eff elementor-widget elementor-widget-text-editor\" data-id=\"0bd3eff\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><ol><li>The Sender and Recipient verify each other\u2019s certificates:<ol><li>The sender sends a certificate to the recipient for verification.<\/li><li>The recipient then checks the certificate against their Certificate Authority (CA) or an external Validation Authority (VA) for authentication.<\/li><li>Once the sender\u2019s certificate has been verified, the recipient then sends their certificate to the sender for authentication and acceptance.<\/li><\/ol><\/li><li>Once the sender and recipient have mutual acceptance:<ol><li>The sender requests the recipient\u2019s public key.<\/li><li>The recipient sends their public key to the sender.<\/li><\/ol><\/li><li>The sender creates an ephemeral symmetric key and encrypts the file to be sent. (an ephemeral symmetric key is a symmetric encryption key used only for one session)<\/li><li>The sender encrypts the symmetric key with the public key.<\/li><li>The sender then sends the encrypted data with the encrypted symmetric key.<\/li><li>The recipient receives the packet and decrypts the symmetric key with the private key.<\/li><li>The recipient decrypts the data with the symmetric key.<\/li><\/ol><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-9d15327 elementor-section-stretched ps2id elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"9d15327\" data-element_type=\"section\" id=\"4\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;,&quot;animation&quot;:&quot;fadeIn&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6288679 elementor-column elementor-col-100 elementor-top-column\" data-id=\"6288679\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e9161c2 uael-heading-align-left uael-heading-fill-color elementor-widget elementor-widget-uael-advanced-heading\" data-id=\"e9161c2\" data-element_type=\"widget\" id=\"4\" data-widget_type=\"uael-advanced-heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n\t\t<div class=\"uael-module-content uael-heading-wrapper\">\n\t\t\t\n\t\t\t<h1 class=\"uael-heading\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"uael-heading-text elementor-inline-editing uael-size--default\" data-elementor-setting-key=\"heading_title\" data-elementor-inline-editing-toolbar=\"basic\" >4. THE FULL LIFE-CYCLE OF KEYS<\/span>\n\t\t\t\t\t\t\t<\/h1>\n\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ee95d45 elementor-widget elementor-widget-text-editor\" data-id=\"ee95d45\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>The encryption key life-cycle, defined by\u00a0<a href=\"https:\/\/csrc.nist.gov\/groups\/ST\/toolkit\/documents\/kms\/lifecycle%20slides%20(b-w).pdf\" target=\"_blank\" rel=\"noopener\">NIST<\/a>\u00a0as having a pre-operational, operational, post-operational, and deletion stages, requires that, among other things, a operational crypto period be defined for each key. A\u00a0<a href=\"https:\/\/csrc.nist.gov\/publications\/nistpubs\/800-57\/sp800-57-Part1-revised2_Mar08-2007.pdf\" target=\"_blank\" rel=\"noopener\">crypto period<\/a>\u00a0is the &#8220;time span during which a specific key is authorized for use&#8221; and in Section 5.3 of\u00a0<a href=\"https:\/\/csrc.nist.gov\/publications\/nistpubs\/800-57\/sp800-57-Part1-revised2_Mar08-2007.pdf\" target=\"_blank\" rel=\"noopener\">NIST&#8217;s Guide<\/a>, the crypto period is determined (for example, with a symmetric key) by combining the estimated time during which encryption will\u00a0be applied to data (the O<em>riginator Usage Period (OUP)<\/em>) and the time when it will be decrypted for use (the R<em>ecipient Usage Period (RUP)<\/em>).<\/p><p>So, as an example:<\/p><ul><li>let&#8217;s say that a database is encrypted and for the next 6 months items are added to it. \u00a0Then:<ul><li>the OUP is 6 months<\/li><\/ul><\/li><li>For 2 years the database is also viewed by authorized users. \u00a0Then:<ul><li>the RUP is 2 years (and completely overlaps with the OUP)<\/li><\/ul><\/li><li>Therefore, the crypto period would equal 2 years and the encryption key would need to be active during that time.<\/li><\/ul><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-850a443 elementor-widget elementor-widget-image\" data-id=\"850a443\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"768\" height=\"367\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Crypto-Period-Basic-768x367.webp\" class=\"attachment-medium_large size-medium_large\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Crypto-Period-Basic-768x367.webp 768w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Crypto-Period-Basic-300x143.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Crypto-Period-Basic-1024x489.webp 1024w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Crypto-Period-Basic-1536x733.webp 1536w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Crypto-Period-Basic-2048x978.webp 2048w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Crypto-Period-Basic-600x286.webp 600w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ed0a970 elementor-widget elementor-widget-text-editor\" data-id=\"ed0a970\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>But, since an organization may reasonably want to encrypt and decrypt the same\u00a0data for years on end, other factors may come into play to when factoring the crypto period:<\/p><p>You may want to limit the:<\/p><ul><li>&#8220;amount of information protected by a given key&#8221;<\/li><li>&#8220;amount of exposure if a single\u00a0key is compromised&#8221;<\/li><li>&#8220;time available for attempts to penetrate physical, procedural, and logical access&#8221;<\/li><li>&#8220;period within which information may be compromised by inadvertent disclosure&#8221;<\/li><li>&#8220;time available for computationally intensive cryptanalytic attacks&#8221;<\/li><\/ul><p>This can be boiled down to a few key questions:<\/p><ul><li>How long will the data be used<\/li><li>How is the data being used<\/li><li>How much data is there<\/li><li>How sensitive is the data<\/li><li>How much damage will be done when the data is exposed or the keys are lost<\/li><\/ul><p><strong>The general rule:<\/strong>\u00a0as the sensitivity of data being secured increases, the lifetime of an encryption key decreases.<\/p><p>Given this, your encryption key may have an active life shorter than an authorized user&#8217;s access to the data. \u00a0This means that you will need to archive de-activated keys and use them only for decryption. Once the data has been decrypted by the old key, it will be encrypted by the new key, and over time the old key will no longer be used\u00a0to encrypt\/decrypt data\u00a0and can be deleted. (see graphic below)<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e82b88f elementor-widget elementor-widget-image\" data-id=\"e82b88f\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"768\" height=\"367\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CryptoPeriod-Multiple-Keys@2x-768x367.webp\" class=\"attachment-medium_large size-medium_large\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CryptoPeriod-Multiple-Keys@2x-768x367.webp 768w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CryptoPeriod-Multiple-Keys@2x-300x143.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CryptoPeriod-Multiple-Keys@2x-1024x489.webp 1024w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CryptoPeriod-Multiple-Keys@2x-1536x733.webp 1536w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CryptoPeriod-Multiple-Keys@2x-2048x978.webp 2048w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CryptoPeriod-Multiple-Keys@2x-600x286.webp 600w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c25a8e7 elementor-widget elementor-widget-text-editor\" data-id=\"c25a8e7\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>See below for a more thorough understanding of a keys full life-cycle.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-82b6dda elementor-widget elementor-widget-image\" data-id=\"82b6dda\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"768\" height=\"437\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Encryption-Key-Lifecycle-768x437.webp\" class=\"attachment-medium_large size-medium_large\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Encryption-Key-Lifecycle-768x437.webp 768w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Encryption-Key-Lifecycle-300x171.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Encryption-Key-Lifecycle-1024x583.webp 1024w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Encryption-Key-Lifecycle-1536x875.webp 1536w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Encryption-Key-Lifecycle-2048x1166.webp 2048w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Encryption-Key-Lifecycle-600x342.webp 600w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c4935ce elementor-widget elementor-widget-text-editor\" data-id=\"c4935ce\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2>Key Creation (Generation &amp; Pre-Activation)<\/h2><p>The\u00a0<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-133.pdf\" target=\"_blank\" rel=\"noopener\">encryption key is created<\/a>\u00a0and stored on the key management server. The key manager creates the encryption key through the use of a cryptographically secure random bit generator and stores the key, along with all it\u2019s attributes, into the key storage database. The attributes stored with the key include its name, activation date, size, instance, the ability for the key to be deleted, as well as its rollover, mirroring, key access, and other attributes. The key can be activated upon its creation or set to be activated automatically or manually at a later time. The encryption key manager should track current and past instances (or versions) of the encryption key. \u00a0You need to be able to choose whether or not the key can be deleted, mirrored to a failover unit, and by which users or groups it can be accessed. Your key manager should allow the administrator to change many of the key\u2019s attributes at any time.<\/p><h2>Key Use and Rollover (Activation through Post-Activation)<\/h2><p>The key manager should allow an activated key to be retrieved by authorized systems and users for encryption or decryption processes. It should also seamlessly manage current and past instances of the encryption key. For example, if a new key is generated and the old one deactivated (or rolled) every year, then the key manager should retain previous versions of the key but dispense only the current instance and activate previous versions for decryption processes. Previous versions can still be retrieved in order to decrypt data encrypted with such versions of the key. The key manager will also roll the key either through a previously established schedule or allow an administrator to manually roll the key.<\/p><h2>Key Revocation<\/h2><p>An administrator should be able to use the key manager to revoke a key so that it is no longer used for encryption and decryption requests. A revoked key can, if needed, be reactivated by an administrator so that, In certain cases the key can be used to decrypt data previously encrypted with it, like old backups. But even that can be restricted.<\/p><h2>Back Up (Escrow)<\/h2><p><a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-57p1r3.pdf\" target=\"_blank\" rel=\"noopener\">NIST (Section 8.3.1)<\/a>\u00a0requires that an archive should be kept for deactivated keys. The archive should \u201cprotect the archived material from unauthorized [disclosure,] modification, deletion, and insertion.\u201d The encryption keys need \u201cto be recoverable \u2026 after the end of its cryptoperiod\u201d and \u201cthe system shall be designed to allow reconstruction\u201d of the keys should they need to be reactivated for use in decrypting the data that it once encrypted.<\/p><h2>Key Deletion (Destruction)<\/h2><p>If a key is no longer in use or if it has somehow been compromised, an administrator can choose to delete the key entirely from the key storage database of the encryption key manager. The key manager will remove it and all its instances, or just certain instances, completely and make the recovery of that key impossible (other than through a restore from a backup image). This should be available as an option if sensitive data is compromised in its encrypted state. If the key is deleted, the compromised data will be completely secure and unrecoverable since it would be impossible to recreate the encryption key for that data.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-ca5bd5a elementor-section-stretched ps2id elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"ca5bd5a\" data-element_type=\"section\" id=\"5\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;,&quot;animation&quot;:&quot;fadeIn&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-43e4c8e elementor-column elementor-col-100 elementor-top-column\" data-id=\"43e4c8e\" data-element_type=\"column\" id=\"5\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c79fd89 uael-heading-align-left uael-heading-fill-color elementor-widget elementor-widget-uael-advanced-heading\" data-id=\"c79fd89\" data-element_type=\"widget\" id=\"5\" data-widget_type=\"uael-advanced-heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n\t\t<div class=\"uael-module-content uael-heading-wrapper\">\n\t\t\t\n\t\t\t<h1 class=\"uael-heading\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"uael-heading-text elementor-inline-editing uael-size--default\" data-elementor-setting-key=\"heading_title\" data-elementor-inline-editing-toolbar=\"basic\" >5. SEGREGATED ROLES IN KEY MANAGEMENT<\/span>\n\t\t\t\t\t\t\t<\/h1>\n\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-0546ff7 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"0546ff7\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-060530d elementor-column elementor-col-50 elementor-inner-column\" data-id=\"060530d\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-85d26d0 elementor-widget elementor-widget-image\" data-id=\"85d26d0\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"300\" height=\"228\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Separation-Duties-300x228.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Separation-Duties-300x228.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Separation-Duties.webp 599w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cebbd06 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"cebbd06\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0d1ee0b elementor-widget elementor-widget-text-editor\" data-id=\"0d1ee0b\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2>Separation of Duties<\/h2><p>In \u201c<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-57p2.pdf\" target=\"_blank\" rel=\"noopener\">Recommendation for Key Management \u2013 Part 2<\/a>\u201d NIST defines Separation of Duties as:<\/p><p><em>A security principle that divides critical functions among different staff members in an attempt to ensure that no one individual has enough information or access privilege to perpetrate damaging fraud.<\/em><\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c5e4b8 elementor-widget elementor-widget-text-editor\" data-id=\"4c5e4b8\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>The practice of Separation of Duties reduces the potential for fraud or malfeasance by dividing related responsibilities for critical tasks between different individuals in an organization. It is common in the financial and accounting procedures of most organizations. For example, the person who prints the checks at a company would not be the person who signs the checks. Similarly, the individual who signs checks would not reconcile the bank statements. A company would ensure that business critical duties are categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function.<\/p><p>Regarding information security practices, the implementation of Separation of Duties is critical in the area of encryption key management. To prevent unwanted access to protected data, it is important that the person who manages encryption keys not have the ability to access protected data, and vice versa. This is no more difficult to accomplish in an information technology context than in a financial context, but is often overlooked or misunderstood in complex computer systems.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-a6dd8a7 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"a6dd8a7\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f9ad4dd elementor-column elementor-col-50 elementor-inner-column\" data-id=\"f9ad4dd\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b0937c6 elementor-widget elementor-widget-image\" data-id=\"b0937c6\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"300\" height=\"263\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Dual-Control-300x263.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Dual-Control-300x263.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Dual-Control-600x527.webp 600w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Dual-Control.webp 745w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7b01cf2 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"7b01cf2\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-777f74e elementor-widget elementor-widget-text-editor\" data-id=\"777f74e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2>Dual Control<\/h2><p>Again, NIST, in\u00a0<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-57p2.pdf\" target=\"_blank\" rel=\"noopener\">Recommendation for Key Management \u2013 Part 2<\/a>, defines Dual Control:<br \/>A process that uses two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. No single entity is able to access or use the materials, e.g., cryptographic keys.<\/p><p>While Separation of Duties involves distributing different parts of a process to different people, Dual Control requires that at least two or more individuals control a single process.<\/p><p>In data security practice it is common to find requirements for Dual Control of encryption key management functions. Because a key management system may be storing encryption keys for multiple applications and business entities, the protection of encryption keys is critically important.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-d664dce elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"d664dce\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2898478 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"2898478\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8e39106 elementor-widget elementor-widget-image\" data-id=\"8e39106\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"300\" height=\"263\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Split-Knowledge-300x263.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Split-Knowledge-300x263.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Split-Knowledge-600x527.webp 600w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Split-Knowledge.webp 745w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2307c24 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"2307c24\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-cf9a7b7 elementor-widget elementor-widget-text-editor\" data-id=\"cf9a7b7\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2>Split Knowledge<\/h2><p>The concept of Split Knowledge applies to any access or handling of unprotected cryptographic material like encryption keys or passphrases used to create encryption keys, and requires that no one person know the complete value of an encryption key. If passphrases are used to create encryption keys, no one person should know the entire passphrase. Rather, two or more people should each know only a part of the pass phrase, and all of them would have to be present to create or recreate an encryption key.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-f7809cd elementor-section-stretched ps2id elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"f7809cd\" data-element_type=\"section\" id=\"6\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;,&quot;animation&quot;:&quot;fadeIn&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-35cf7c7 elementor-column elementor-col-100 elementor-top-column\" data-id=\"35cf7c7\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-eb40e25 uael-heading-align-left uael-heading-fill-color elementor-widget elementor-widget-uael-advanced-heading\" data-id=\"eb40e25\" data-element_type=\"widget\" id=\"6\" data-widget_type=\"uael-advanced-heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n\t\t<div class=\"uael-module-content uael-heading-wrapper\">\n\t\t\t\n\t\t\t<h1 class=\"uael-heading\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"uael-heading-text elementor-inline-editing uael-size--default\" data-elementor-setting-key=\"heading_title\" data-elementor-inline-editing-toolbar=\"basic\" >6. THE DOMAINS TO SECURE ENCRYPTION KEYS<\/span>\n\t\t\t\t\t\t\t<\/h1>\n\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-514a56a elementor-widget elementor-widget-text-editor\" data-id=\"514a56a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2>Physical Security<\/h2><p>Many, when talking about securing a key manager, will naturally turn to securing the key manager itself with a hardware security module (HSM). While that is a necessary topic (and we will discuss it), we should first talk about securing the physical environment in which your key manager is housed.<br \/><br \/>In NIST\u2019s Special Publication 800-14, they offer this definition of physical security:<\/p><p><em>\u201cPhysical and environmental security controls\u201d should be \u201cimplemented to protect the facility housing system resources, the system resources themselves, and the facilities used to support their operation.\u201d<\/em><\/p><p>An organization&#8217;s physical security plan need to include things like:<\/p><ul><li><strong>Physical access controls:<\/strong>\u00a0limit access to critical systems, including locations of wiring connecting to the system, to as few people as possible.<\/li><li><strong>Ports:<\/strong>\u00a0FIPS 140-2 notes that in the case sending plaintext encryption keys, physical ports should be dedicated for only that purpose, and all other use excluded for level 3 and 4 cryptographic modules.<\/li><li><strong>Fire safety:<\/strong>\u00a0make sure all physical environments housing the system have adequate, and current, fire suppression systems.<\/li><li><strong>Structural integrity:<\/strong>\u00a0ensure that all physical environments housing the system meet current earthquake, flooding, and snow load for roofing regulatory requirements.<\/li><li><strong>Utilities failure:<\/strong>\u00a0systems such as electricity, air conditioning, and heating can malfunction. Ensure that each is functioning properly with back-ups in place, where necessary.<\/li><li><strong>Interception of data:<\/strong>\u00a0ensure that all transmission of sensitive data is properly encrypted with public\/private keys.<\/li><li><strong>Mobile device management:<\/strong>\u00a0all devices that can remotely access the system should be cataloged and managed in a permissions database.<\/li><\/ul><p>Now comes securing the cryptographic module itself. The Federal Information Processing Standards (FIPS) has identified four levels of increasing security in\u00a0<a href=\"https:\/\/csrc.nist.gov\/publications\/fips\/fips140-2\/fips1402.pdf\" target=\"_blank\" rel=\"noopener\">FIPS 140-2<\/a>\u00a0that can be applied to the module, each corresponding to the commensurate threat level:<\/p><ul><li><strong>Level 1:<\/strong>\u00a0\u201cNo specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond the basic requirement for production-grade components. \u2026 Security Level 1 allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an unevaluated operating system.\u201d<\/li><li><strong>Level 2:<\/strong>\u00a0\u201cenhances the physical security mechanisms of a Security Level 1 cryptographic module by adding the requirement for tamper-evidence, which includes the use of tamper-evident coatings or seals or for pick-resistant locks on removable covers or doors of the module.\u201d<\/li><li><strong>Level 3:<\/strong>\u00a0\u201cattempts to prevent the intruder from gaining access to [Critical security parameters (CSPs)] held within the cryptographic module. &#8230; The physical security mechanisms may include the use of strong enclosures and tamper detection\/response circuitry that zeroizes all plaintext CSPs when the removable covers\/doors of the cryptographic module are opened.\u201d<\/li><li><strong>Level 4:<\/strong>\u00a0\u201cprovides the highest level of security defined in this standard. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate zeroization of all plaintext CSPs.\u201d<\/li><\/ul><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-326e910 elementor-widget elementor-widget-text-editor\" data-id=\"326e910\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2>How an Encryption Key Manager is Validated<\/h2><p>Every data security product available makes claims as to superior functionality or data protection. But when protecting sensitive data, organizations need to have assurance that a product&#8217;s stated security claim is valid. This is certainly true when it comes to an encryption key manager. \u00a0To address this, NIST has devised a system to validate cryptographic modules and ensure that they comply with FIPS 140-2 standards. Here are the steps an encryption key manager vendor must to take to show full compliance:<\/p><ol><li>First they will contract with an\u00a0<a href=\"https:\/\/csrc.nist.gov\/groups\/STM\/testing_labs\/index.html\">accredited laboratory<\/a>, who has successfully undergone the\u00a0<a href=\"https:\/\/www.nist.gov\/nvlap\">National Voluntary Laboratory Accreditation Program (NVLAP)<\/a>, to conduct \u201cadequate testing and validation of the cryptographic module and its underlying cryptographic algorithms against established standards\u201d to look for \u201cweaknesses such as poor design or weak algorithms.\u201d<\/li><li>Next, the accredited laboratory will conduct the\u00a0<a href=\"https:\/\/csrc.nist.gov\/groups\/STM\/cavp\/index.html\">Cryptographic Algorithm Validation Program (CAVP)<\/a>. With this testing, they will provide \u201cvalidation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components.\u201d<\/li><li>Once that testing is complete and the key manager has meet all standards, the lab will then move on to the\u00a0<a href=\"https:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html\">Cryptographic Module Validation Program (CMVP)<\/a>\u00a0testing. The \u201claboratories use the\u00a0<a href=\"https:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/documents\/fips140-2\/FIPS1402DTR.pdf\">Derived Test Requirements (DTR)<\/a>,\u00a0<a href=\"https:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/documents\/fips140-2\/FIPS1402IG.pdf\">Implementation Guidance (IG)<\/a>\u00a0and applicable CMVP programmatic guidance to test cryptographic modules against the applicable standards.\u201d<\/li><li>Finally, once the encryption key manager has been shown to meet all FIPS 140-2 standards, the independent lab issues the FIPS 140-2 Validation Certificate and the cryptographic module is placed on the\u00a0<a href=\"https:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/documents\/140-1\/1401vend.htm\">FIPS 140-1 and FIPS 140-2 Vendor List<\/a>.<\/li><\/ol><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-251be40 elementor-widget elementor-widget-text-editor\" data-id=\"251be40\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2>Logical Access Security<\/h2><p>The next arena in which you can protect your encryption keys is by logically separating the different cryptographic components housing the keys from the rest of the larger network. There are three main items to consider:<\/p><ul><li><strong>Interfaces:<\/strong>\u00a0In\u00a0<a href=\"https:\/\/csrc.nist.gov\/publications\/fips\/fips140-2\/fips1402.pdf\" target=\"_blank\" rel=\"noopener\">FIPS 140-2<\/a>, Section 4.2, it gives this criteria for needing to separate logical interfaces:<ul><li><strong>Level 1 and 2:<\/strong>\u00a0the \u201clogical interface(s) used for the input and output of plaintext cryptographic keys, cryptographic key components, authentication data, and CSPs may be shared physically and logically with other ports and interfaces of the cryptographic module.\u201d<\/li><li><strong>Level 3 and 4:<\/strong>\u00a0\u201cthe logical interfaces used for the input and output of plaintext cryptographic key components, authentication data, and CSPs shall be logically separated from all other interfaces using a trusted path.\u201d<\/li><\/ul><\/li><li><strong>DEK from encrypted data:<\/strong>\u00a0In level 1 environments, where the encryption key manager is not in a physically separated HSM, the DEK(s) should be logically separated from the data that is encrypted. This effectively keeps the DEK(s) from being used to decrypt the data in case unauthorized users gain access to the sensitive material.<\/li><li><strong>KEK from DEK:<\/strong>\u00a0Within the encryption key manager, the KEK(s) should be logically separated from the DEK(s). This ensures that though the database DEKs be compromised, they will be rendered unusable because the KEK is in a logically separate location from the DEKs.<\/li><\/ul><h2>User\/ Role Access<\/h2><p>Once Physical Security and Logical Security are addressed, the final component is user roles and privileges. The core concept promulgated by NIST is the concept of least privilege: where you restrict \u201cthe access privileges of authorized personnel (e.g., program execution privileges, file modification privileges) to the minimum necessary to perform their jobs.\u201d<\/p><p>NIST gives guidance, in Sections 5.3.5 of\u00a0<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-57p2.pdf\" target=\"_blank\" rel=\"noopener\">Recommendation for Key Management \u2013 Part 2<\/a>, on the access controls and privileges necessary to properly manage user access to the key management system.<\/p><ul><li>Document and implement which roles within the organization will be authorized to access the KMS and to what level.<\/li><li>What functions will the role be able to execute on (i.e. generation, handling, distribution, storage, deletion).<\/li><li>What means of authentication will be used (i.e. passwords, personal identification numbers, biometrics, and their expiration dates).<\/li><\/ul><p>Beyond limiting access to the key management server, you should also limit access to the keys themselves based on user and group. The users and group access can be defined on a system level, or at the level of each key. When you create a key you can define the restrictions on user and group access. As an example: There is an AES encryption key available on the key management server used to protect an employee&#8217;s personal data. It is restricted so that only members of the Human Resources group can use that key. So any individual with &#8220;Human Resources&#8221; defined as their individual or group role can successfully request that key, all others are turned away.<\/p><h2>High Availability and Business Continuity<\/h2><p>Once you have physical security, logical security, and user roles in place, you must also consider business continuity. If an intruder does comprise your data or your production server(s) are taken offline for a variety of reasons, you must be able to bounce back in a relatively short time with pre-prescribed steps. Here are a couple definitions to start us off:<\/p><p><strong>Business Continuity:<\/strong>\u00a0As defined by\u00a0<a href=\"https:\/\/www.iso.org\/iso\/catalogue_detail?csnumber=50038\" target=\"_blank\" rel=\"noopener\">ISO 22301:2012 (Section 3.3)<\/a>, it is the \u201ccapability of the organization to continue delivery of products or services at acceptable\u201d levels after a \u201cdisruptive incident.\u201d<\/p><p><strong>Hot failover:<\/strong>\u00a0In a network environment, a hot failover is switching to a backup server that is regularly updated from the production server and is ready, at any time, should the production server no longer be able to function normally for any length of time.<\/p><p>In the case of key management, each production key management server should be mirrored with a high availability server in a geographically separate location in case the production server is compromised and taken offline for any length of time. As an abbreviated list, here are some features to look for in key management solutions or what you will want to address if you build your own:<\/p><ul><li>Hardware &#8211; hot swappable RAID disk drives<\/li><li>Hardware &#8211; dual redundant power supplies<\/li><li>Hardware &#8211; independent network interfaces<\/li><li>Active-Active secure key server mirroring<\/li><li>Active-Passive secure key server mirroring<\/li><li>Real time key mirroring<\/li><li>Real time access policy mirroring<\/li><li>Key manager integrity checking on startup<\/li><li>Key retrieval integrity checking<\/li><\/ul><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-9cd6e82 elementor-section-stretched ps2id elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"9cd6e82\" data-element_type=\"section\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;,&quot;animation&quot;:&quot;fadeIn&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-91db01a elementor-column elementor-col-100 elementor-top-column\" data-id=\"91db01a\" data-element_type=\"column\" id=\"8\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c63d8f9 uael-heading-align-left uael-heading-fill-color elementor-widget elementor-widget-uael-advanced-heading\" data-id=\"c63d8f9\" data-element_type=\"widget\" id=\"7\" data-widget_type=\"uael-advanced-heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n\t\t<div class=\"uael-module-content uael-heading-wrapper\">\n\t\t\t\n\t\t\t<h1 class=\"uael-heading\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"uael-heading-text elementor-inline-editing uael-size--default\" data-elementor-setting-key=\"heading_title\" data-elementor-inline-editing-toolbar=\"basic\" >7. PLATFORMS FOR HOUSING THE ENCRYPTION KEY MANAGER<\/span>\n\t\t\t\t\t\t\t<\/h1>\n\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cdadc3a elementor-widget elementor-widget-text-editor\" data-id=\"cdadc3a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><h2>HSM<\/h2><p>The hardware security module (HSM) has been discussed already in \u201cPhysical Security\u201d mostly referred to as the \u201ccryptographic module.\u201d But, to summarize, a HSM is typically a server with different levels of security protection or \u201chardening\u201d that prevents tampering or loss. These can be summarized as:<\/p><ul><li><strong>Tamper Evident:<\/strong>\u00a0adding tamper-evident coatings or seals on screws or locks on all removable covers or doors<\/li><li><strong>Tamper Resistant:<\/strong>\u00a0adding \u201ctamper detection\/response circuitry\u201d that wipes out all sensitive data such as DEKs and KEKs<\/li><li><strong>Tamper Proof:<\/strong>\u00a0complete hardening of the module with tamper evident\/resistant screws and locks along with the highest sensitivity to \u201ctamper detection\/response circuitry\u201d that wipes out all sensitive data<\/li><\/ul><h2>Hosted HSM<\/h2><p>With many organizations moving some or all of their operations to the cloud, the need for moving their security has also arisen. The good news, many key management providers have partnered with cloud hosting providers to rack up traditional HSMs in cloud environments. The same levels of \u201chardening\u201d would still apply, as it is a traditional HSM in an offsite environment.<\/p><h2>Virtual<\/h2><p>Virtual instances of an encryption key manager offer a great deal more flexibility than their HSM counterparts. In many cases, a virtual key manager can be downloaded from a vendor in a matter of minutes and deployed in a virtual environment. An HSM, on the other hand, can take days or weeks being shipped to the site and then requires a physical installation. Further, virtual instances can be installed anywhere that supports the virtual platform that the key manager runs in, VMware, as an example.<\/p><p>The downside, of course, is that by it\u2019s nature of being virtual with no set physical components, a virtual key manager\u2019s software can only be FIPS 140-2 compliant, but not validated. So, if your business need(s) or compliance regulation(s) require FIPS 140-2 validation, then a HSM is your only option.<\/p><p>That being said, the logical security that FIPS 140-2 compliant virtual key managers provide is normally more than enough for most organizational needs.<\/p><h2>AWS, Microsoft Azure, and More: Dedicated or \u201cas a Service\u201d<\/h2><p>Cloud providers, such as Amazon Web Services (AWS), Microsoft Azure (Azure), and more have marketplace offerings for encryption key management as well as their own key management as a service (KMaaS). AWS and Azure\u2019s KMaaS is typically multi-tenant, meaning more than one user\u2019s key(s) are present on the same key management instance. This can raise concerns for organizations that need dedicated services to mitigate security concerns of other users accessing the same key data stores.<\/p><p>To combat this issue, most cloud providers will also offer dedicated services. In their marketplaces, there are also independent vendors that provide dedicated services that typically come in two forms: Pay-Per-Usage and \u201cbring your own license.\u201d Townsend Security provides for both platforms and for both licensing models:\u00a0<a href=\"https:\/\/townsendsecurity.com\/products\/encryption-and-key-management-for-AWS\" target=\"_blank\" rel=\"noopener\">Alliance Key Manager for AWS<\/a>\u00a0and\u00a0<a href=\"https:\/\/townsendsecurity.com\/products\/encryption-key-management-for-Microsoft-Azure\" target=\"_blank\" rel=\"noopener\">Alliance Key Manager for Azure<\/a>. Both the AWS and the Azure instances are dedicated key managers in an IaaS virtual instance and also enjoy the flexibility of being the same key manager that is deployed as an\u00a0<a href=\"https:\/\/townsendsecurity.com\/products\/encryption-key-management\" target=\"_blank\" rel=\"noopener\">HSM<\/a>,\u00a0<a href=\"https:\/\/townsendsecurity.com\/products\/encryption-key-management-hosted-in-the-cloud\" target=\"_blank\" rel=\"noopener\">Cloud HSM<\/a>, and\u00a0<a href=\"https:\/\/townsendsecurity.com\/products\/encryption-and-key-management-for-VMware\" target=\"_blank\" rel=\"noopener\">VMware<\/a>\u00a0instance so that your environment can scale past AWS and Azure, if needed. This is useful for organizations with existing (or future) physical data center(s), because having the same technology secure your data everywhere reduces complexity for your IT staff as they use and maintain it.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-2b390f2 elementor-section-stretched ps2id elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"2b390f2\" data-element_type=\"section\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;,&quot;animation&quot;:&quot;fadeIn&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5e9cd05 elementor-column elementor-col-100 elementor-top-column\" data-id=\"5e9cd05\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-bfadc39 uael-heading-align-left uael-heading-fill-color elementor-widget elementor-widget-uael-advanced-heading\" data-id=\"bfadc39\" data-element_type=\"widget\" id=\"8\" data-widget_type=\"uael-advanced-heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n\t\t<div class=\"uael-module-content uael-heading-wrapper\">\n\t\t\t\n\t\t\t<h1 class=\"uael-heading\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"uael-heading-text elementor-inline-editing uael-size--default\" data-elementor-setting-key=\"heading_title\" data-elementor-inline-editing-toolbar=\"basic\" >8. COMMUNICATION PROTOCOLS<\/span>\n\t\t\t\t\t\t\t<\/h1>\n\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-e0764ef elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"e0764ef\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-409992b elementor-column elementor-col-50 elementor-inner-column\" data-id=\"409992b\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-37f1550 elementor-widget elementor-widget-image\" data-id=\"37f1550\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"300\" height=\"263\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Internal-PKI-300x263.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Internal-PKI-300x263.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Internal-PKI.webp 599w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-09898a8 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"09898a8\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f24cf03 elementor-widget elementor-widget-text-editor\" data-id=\"f24cf03\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p><strong>Public key infrastructure (PKI):<\/strong>\u00a0<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-32.pdf\" target=\"_blank\" rel=\"noopener\">NIST defines PKI<\/a>\u00a0as an infrastructure that \u201cbinds public keys to entities, enables other entities to verify public key bindings, and provides the services needed for ongoing management of keys in a distributed system.\u201d Put another way, it is a cryptographic infrastructure consisting of the software, hardware, roles, procedures, and policies needed to properly manage and distribute public keys (such as a digital certificate) and private keys.<\/p><p>A very simple internal PKI installation (as shown in the graphic would flow like this:<\/p><ol><li>A user requests a certificate.<\/li><li>The Registration Authority authenticates the user and the user\u2019s request, and once authenticated, sends the request to the Certificate Authority. (A Registration Authority is optional, the Certificate Authority can handle these requests, if necessary.)<\/li><li>The Certificate Authority receives the request and issues the certificate to the user.<\/li><\/ol><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<div class=\"elementor-element elementor-element-a5b7c57 elementor-widget elementor-widget-text-editor\" data-id=\"a5b7c57\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>As defined by NIST in, \u201c<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-32.pdf\" target=\"_blank\" rel=\"noopener\">Introduction to Public Key Technology and the Federal PKI Infrastructure<\/a>\u201d, the PKI environment consists of:<\/p><ul><li><strong>Certification Authority (CA):<\/strong>\u00a0NIST likens it \u201cto a notary. The CA confirms the identities of parties sending and receiving electronic payments or other communications.\u201d It digitally signs and publishes the public key bound to a given user or machine and authenticates the identity of authorized users of each certificate.<\/li><li><strong>Registration Authority (RA):<\/strong>\u00a0(or subordinate CA) NIST explains, it \u201cis an entity that is trusted by the CA to register or vouch for the identity of users to a CA.\u201d It accepts requests for certificates, authenticates the user\/machine making request, and issues the certificate for uses granted by the CA.<\/li><li><strong>Central Directory:<\/strong>\u00a0Again, from NIST: it \u201cis a database of active digital certificates for a CA system. The main business of the repository is to provide data that allows users to confirm the status of digital certificates for individuals and businesses that receive digitally signed messages.\u201d<\/li><li><strong>Archive:<\/strong>\u00a0is a database of public keys and certificates. The archive should store sufficient information to determine if a digital signature on an \u201cold\u201d document should be trusted.<\/li><li><strong>Public Key Certificate:<\/strong>\u00a0NIST requires one \u201cfor each identity, confirming that the identity has the appropriate credentials. A digital certificate typically includes the public key, information about the identity of the party holding the corresponding private key, the operational period for the certificate, and the CA\u2019s own digital signature.\u201d<\/li><li><strong>Certificate Revocation List (CRL):<\/strong>\u00a0Simply put, a list of certificates that have been revoked.<\/li><li><strong>PKI Users:<\/strong>\u00a0NIST defines them as, \u201corganizations or individuals that use the PKI, but do not issue certificates. They rely on the other components of the PKI to obtain certificates, and to verify the certificates of other entities that they do business with.\u201d<\/li><\/ul><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ddcc6bd elementor-widget elementor-widget-image\" data-id=\"ddcc6bd\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"768\" height=\"437\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KMIP-Funtions-768x437.webp\" class=\"attachment-medium_large size-medium_large\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KMIP-Funtions-768x437.webp 768w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KMIP-Funtions-300x171.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KMIP-Funtions-1024x583.webp 1024w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KMIP-Funtions-1536x875.webp 1536w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KMIP-Funtions-2048x1166.webp 2048w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/KMIP-Funtions-600x342.webp 600w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-baf9eaf elementor-widget elementor-widget-text-editor\" data-id=\"baf9eaf\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p><strong>Key Management Interoperability Protocol (KMIP):<\/strong>\u00a0<a href=\"https:\/\/docs.oasis-open.org\/kmip\/spec\/v1.2\/os\/kmip-spec-v1.2-os.html\" target=\"_blank\" rel=\"noopener\">As defined by OASIS<\/a>, KMIP is a communication \u201cprotocol used for the communication between clients and servers to perform certain management operations on objects stored and maintained by a key management system.\u201d This protocol is a standardized way of managing encryption keys throughout the lifecycle of the key and is designed to facilitate \u201csymmetric and asymmetric cryptographic keys, digital certificates, and templates used to simplify the creation of objects and control their use.\u201d<br \/><br \/>Below is a curated list of what OASIS further defines in Section 4 as what the key management client can request of the key management server:<\/p><ul><li><strong>Create a Key or Key Pair:<\/strong>\u00a0\u201cto generate a new symmetric key\u201d or \u201cnew public\/private key pair\u201d and register the \u201ccorresponding new Managed Cryptographic Objects.\u201d<\/li><li><strong>Register:<\/strong>\u00a0\u201cto register a Managed Object,\u201d typically keys, passwords, or other cryptographic materials, \u201cthat was created by the client or obtained by the client through some other means, allowing the server to manage the object.\u201d<\/li><li><strong>Re-Key or Re-key Key Pair:<\/strong>\u00a0\u201cto generate a replacement key,\u201d also called a key change, \u201cfor an existing symmetric key\u201d or \u201ckey pair for an existing public\/private key pair.\u201d<\/li><li><strong>Derive Key:<\/strong>\u00a0\u201cto derive a Symmetric Key or Secret Data object from keys or Secret Data objects that are already known to the key management system.\u201d<\/li><li><strong>Certify or Re-certify:<\/strong>\u00a0\u201cto generate a Certificate object for a public key\u201d or \u201crenew an existing certificate.\u201d<\/li><li><strong>Locate:<\/strong>\u00a0to \u201csearch for one or more Managed Objects, depending on the attributes specified in the request.\u201d<\/li><li><strong>Check:<\/strong>\u00a0to \u201ccheck for the use of a Managed Object according to values specified in the request.\u201d<\/li><li><strong>Get or Get Attributes:<\/strong>\u00a0to return \u201cthe Managed Object specified by its Unique Identifier\u201d or request \u201cone or more attributes associated with a Managed Object.\u201d<\/li><li><strong>Add, Modify, or Delete Attribute:<\/strong>\u00a0to add, modify, delete an \u201cattribute instance to be associated with a Managed Object and set its value.\u201d<\/li><li><strong>Activate:<\/strong>\u00a0\u201cto activate a Managed Cryptographic Object.\u201d<\/li><li><strong>Revoke:<\/strong>\u00a0\u201cto revoke a Managed Cryptographic Object or an Opaque Object.\u201d<\/li><li><strong>Destroy:<\/strong>\u00a0\u201cthat the key material for the specified Managed Object SHALL be destroyed.\u201d<\/li><li><strong>Archive:<\/strong>\u00a0\u201cto specify that a Managed Object MAY be archived.\u201d<\/li><li><strong>Recover:<\/strong>\u00a0\u201cto obtain access to a Managed Object that has been archived.\u201d<\/li><\/ul><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-67c9222 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"67c9222\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-93e81d1 elementor-column elementor-col-100 elementor-inner-column\" data-id=\"93e81d1\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-6d1b53b elementor-section-stretched ps2id elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"6d1b53b\" data-element_type=\"section\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;,&quot;animation&quot;:&quot;fadeIn&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ee309d5 elementor-column elementor-col-100 elementor-top-column\" data-id=\"ee309d5\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-95fd702 uael-heading-align-left uael-heading-fill-color elementor-widget elementor-widget-uael-advanced-heading\" data-id=\"95fd702\" data-element_type=\"widget\" id=\"9\" data-widget_type=\"uael-advanced-heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n\t\t<div class=\"uael-module-content uael-heading-wrapper\">\n\t\t\t\n\t\t\t<h1 class=\"uael-heading\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"uael-heading-text elementor-inline-editing uael-size--default\" data-elementor-setting-key=\"heading_title\" data-elementor-inline-editing-toolbar=\"basic\" >9. ENCRYPTION KEY MANAGEMENT IN MEETING COMPLIANCE<\/span>\n\t\t\t\t\t\t\t<\/h1>\n\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-b250260 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"b250260\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ae3a8cc elementor-column elementor-col-50 elementor-inner-column\" data-id=\"ae3a8cc\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8638766 elementor-widget elementor-widget-image\" data-id=\"8638766\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"300\" height=\"91\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/PCI-Logo-300x91.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/PCI-Logo-300x91.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/PCI-Logo.webp 314w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a35b98b elementor-column elementor-col-50 elementor-inner-column\" data-id=\"a35b98b\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7191d7b elementor-widget elementor-widget-text-editor\" data-id=\"7191d7b\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p><a href=\"https:\/\/www.pcisecuritystandards.org\/document_library?category=pcidss&amp;document=pci_dss\" target=\"_blank\" rel=\"noopener\">Payment card industry Data Security Standard (PCI DSS)<\/a>\u00a0is a widely accepted set of regulations intended to secure credit, debit and cash card transactions and cardholder data. PCI DSS requires that merchants protect sensitive cardholder information from loss and use good security practices to detect and protect against security breaches.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<div class=\"elementor-element elementor-element-b3d957a elementor-widget elementor-widget-text-editor\" data-id=\"b3d957a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>In\u00a0<strong>Section 3.5 of PCI DSS<\/strong>, organizations that process, store, or transmit cardholder data should, \u201cdocument and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.\u201d This includes:<\/p><ul><li>maintaining \u201ca documented description of the cryptographic architecture\u201d used to protect the data<\/li><li>restricting \u201caccess to cryptographic keys to the fewest number of custodians necessary\u201d<\/li><li>store encryption keys \u201cin one (or more) of the following forms at all times:\u201d<ul><li>encrypt the data encryption key with a key encryption key<\/li><li>within a secure cryptographic device<\/li><\/ul><\/li><\/ul><p>Likewise,\u00a0<strong>Section 3.6<\/strong>\u00a0requires that you \u201cfully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data.\u201d This includes securely:<\/p><ul><li>generating cryptographically strong encryption keys<\/li><li>secure distribution of keys<\/li><li>secure storage of keys<\/li><li>establishment of cryptoperiods for all keys<\/li><li>retiring and destroying the keys<\/li><\/ul><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-3b5b334 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"3b5b334\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c71f745 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"c71f745\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e6a141b elementor-widget elementor-widget-image\" data-id=\"e6a141b\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"300\" height=\"96\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/HIPAA-1-300x96.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/HIPAA-1-300x96.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/HIPAA-1-600x192.webp 600w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/HIPAA-1.webp 638w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-230021b elementor-column elementor-col-50 elementor-inner-column\" data-id=\"230021b\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-40e0a01 elementor-widget elementor-widget-text-editor\" data-id=\"40e0a01\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p><a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/laws-regulations\/\" target=\"_blank\" rel=\"noopener\">The Health Insurance Portability and Accountability Act (HIPAA)<\/a>\u00a0and the\u00a0<a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/special-topics\/HITECH-act-enforcement-interim-final-rule\/\" target=\"_blank\" rel=\"noopener\">Health Information Technology for Economic and Clinical Health (HITECH) Act<\/a>\u00a0both seek greater adoption and meaningful use of health information technology. Both also lay out guidelines and regulations for proper data security around Electronic Protected Health Information (ePHI). Compliance with the HIPAA Security Rules and HIPAA Privacy Rules for ePHI requires the use of security technologies and best practices to demonstrate strong efforts towards complying with this federal regulation.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-30dcb2e elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"30dcb2e\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1f71a5a elementor-column elementor-col-50 elementor-inner-column\" data-id=\"1f71a5a\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-42610c7 elementor-widget elementor-widget-image\" data-id=\"42610c7\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"300\" height=\"125\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/SOX-300x125.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/SOX-300x125.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/SOX.webp 400w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0c22b9d elementor-column elementor-col-50 elementor-inner-column\" data-id=\"0c22b9d\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fc6e5d8 elementor-widget elementor-widget-text-editor\" data-id=\"fc6e5d8\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p><a href=\"https:\/\/www.sec.gov\/about\/laws\/soa2002.pdf\" target=\"_blank\" rel=\"noopener\">The Sarbanes-Oxley (SOX) Act<\/a>\u00a0was passed to protect investors from the possibility of fraudulent accounting activities by corporations. The Sarbanes-Oxley Act (SOX) mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud. Sections 302, 304, and 404 of the Sarbanes-Oxley Act mandate that organizations build, maintain, and annually report on the data security and internal controls used safeguard their sensitive data from misuse and fraud.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-4b3468b elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"4b3468b\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-11eadaf elementor-column elementor-col-50 elementor-inner-column\" data-id=\"11eadaf\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-70aa2e1 elementor-widget elementor-widget-image\" data-id=\"70aa2e1\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"300\" height=\"112\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CSA-Logo@2x-300x112.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CSA-Logo@2x-300x112.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CSA-Logo@2x-768x288.webp 768w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CSA-Logo@2x-600x225.webp 600w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/CSA-Logo@2x.webp 854w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c7d8646 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"c7d8646\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2771e28 elementor-widget elementor-widget-text-editor\" data-id=\"2771e28\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>While the\u00a0<a href=\"https:\/\/cloudsecurityalliance.org\/\">Cloud Security Alliance<\/a>\u00a0is not a governmental agency able to levy fines for non-compliance of their standards, it is an not-for-profit organization of cloud vendors, users, and security experts whose mission is \u201cTo promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.\u201d \u00a0They currently have over 80,000 members and growing. So conforming to their standards is in the best interest of many companies worldwide.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<div class=\"elementor-element elementor-element-a52f4f1 elementor-widget elementor-widget-text-editor\" data-id=\"a52f4f1\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>As a part of this mission the organization has published a document, \u201c<a href=\"https:\/\/downloads.cloudsecurityalliance.org\/initiatives\/guidance\/csaguide.v3.0.pdf\">Security Guidance For Critical Areas of Focus In Cloud Computing<\/a>,\u201d to help vendors and customers achieve more secure applications in cloud environments. The published guidance is now in its third edition and is available from the organization\u2019s web site. The guidance provides recommendations for encryption key management in the section \u201cDomain 11 \u2013 Encryption and Key Management\u201d.<\/p><h2>Domain 11 &#8211; Encryption &amp; Key Management<\/h2><p>Here are the three main points that the CSA stresses for encryption key management:<\/p><ul><li><strong>Secure key stores.<\/strong>\u00a0Key stores must themselves be protected, just as any other sensitive data. They must be protected in storage, in transit, and in backup. Improper key storage could lead to the compromise of all encrypted data.<\/li><li><strong>Access to key stores.<\/strong>\u00a0Access to key stores must be limited to the entities that specifically need the individual keys. There should also be policies governing the key stores, which use separation of roles to help control access; an entity that uses a given key should not be the entity that stores that key.<\/li><li><strong>Key backup and recoverability.<\/strong>\u00a0Loss of keys inevitably means loss of the data that those keys protect. While this is an effective way to destroy data, accidental loss of keys protecting mission critical data would be devastating to a business, so secure backup and recovery solutions must be implemented.<\/li><\/ul><p>Here also is a curated list of their requirements for encryption and key management:<\/p><ul><li>\u201cIn order to maintain best practices &#8230; the organization should manage their keys in the custody of their own enterprise or that of a credible service.\u201d<\/li><li>\u201cKeys used in existing encryption technology &#8230; should be managed by central, internal to the enterprise, key storage technology.\u201d<\/li><li>\u201cManage keys used by the cryptographic processes using binding cryptographic operations.\u201d<\/li><li>\u201cBinding cryptographic operations and key management to corporate identity systems will provide the organization with the most flexible integration.\u201d<\/li><\/ul><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-1ff530f elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"1ff530f\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-35c4b62 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"35c4b62\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5fa476b elementor-widget elementor-widget-image\" data-id=\"5fa476b\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"300\" height=\"200\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/EU-Flag-300x200.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/EU-Flag-300x200.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/EU-Flag.webp 597w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-df9b7ea elementor-column elementor-col-50 elementor-inner-column\" data-id=\"df9b7ea\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1ce6c30 elementor-widget elementor-widget-text-editor\" data-id=\"1ce6c30\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>The new\u00a0<a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&amp;from=EN\" target=\"_blank\" rel=\"noopener\">European Union General Data Protection Regulation (EU GDPR)<\/a>\u00a0has now passed both the EU Council and Parliament and replaces the earlier Data Protection Directive (Directive 94\/46\/EC). In Provision 83 it states:<\/p><p>The new\u00a0<a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&amp;from=EN\" target=\"_blank\" rel=\"noopener\">European Union General Data Protection Regulation (EU GDPR)<\/a>\u00a0has now passed both the EU Council and Parliament and replaces the earlier Data Protection Directive (Directive 94\/46\/EC). In Provision 83 it states:<\/p><p>\u00a0<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<div class=\"elementor-element elementor-element-963b6bb elementor-widget elementor-widget-text-editor\" data-id=\"963b6bb\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>Article 32 also calls for \u201cthe pseudonymisation and encryption of personal data.\u201d If an organization does so, Article 34 states that the strict data breach disclosure laws of Article 33 will not be enforced if,<\/p><p style=\"padding-left: 40px;\"><em>the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.<\/em><\/p><p>The GDPR places a high priority on protecting data at rest with encryption. Since encryption key management is part of an overall encryption strategy, it should be considered part in parcel with complying with EU law.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-677d1b1 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"677d1b1\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-73fda1c elementor-column elementor-col-50 elementor-inner-column\" data-id=\"73fda1c\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ab419ac elementor-widget elementor-widget-image\" data-id=\"ab419ac\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"300\" height=\"200\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Hong-Kong-Flag-300x200.webp\" class=\"attachment-medium size-medium\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Hong-Kong-Flag-300x200.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Hong-Kong-Flag.webp 597w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9b83429 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"9b83429\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fd20c45 elementor-widget elementor-widget-text-editor\" data-id=\"fd20c45\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p><a href=\"http:\/\/www.legislation.gov.hk\/blis_pdf.nsf\/6799165D2FEE3FA94825755E0033E532\/B4DF8B4125C4214D482575EF000EC5FF\/$FILE\/CAP_486_e_b5.pdf\" target=\"_blank\" rel=\"noopener\">Hong Kong\u2019s CAP 486 Personal Data (Privacy) Ordinance<\/a>\u00a0requires that all practical steps will be taken to ensure that personally identifiable information, held by a data user, are protected against unauthorized or accidental access. Such considerations should be the kind of data stored and the harm that could result if any of those things should occur; the physical location where the data is stored; and any security measures incorporated into any equipment in which the data is stored.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-c301efe elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"c301efe\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-a0be7f9 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"a0be7f9\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e8e104b elementor-widget elementor-widget-image\" data-id=\"e8e104b\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"621\" height=\"422\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Japan-Flag.webp\" class=\"attachment-large size-large\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Japan-Flag.webp 621w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Japan-Flag-300x204.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Japan-Flag-600x408.webp 600w\" sizes=\"(max-width: 621px) 100vw, 621px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e8b7a1e elementor-column elementor-col-50 elementor-inner-column\" data-id=\"e8b7a1e\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-de65da6 elementor-widget elementor-widget-text-editor\" data-id=\"de65da6\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>Japan\u2019s\u00a0<a href=\"https:\/\/www.cas.go.jp\/jp\/seisaku\/hourei\/data\/APPI.pdf\" target=\"_blank\" rel=\"noopener\">Act on the Protection of Personal Information<\/a>\u00a0contains policies that are guidelines, but not laws, governing the protection of personal information. It requires that businesses handling personal information should take all necessary and proper measures for the prevention of leakage, loss, or damage.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-f072b83 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"f072b83\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f4962d2 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"f4962d2\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-bd76ab9 elementor-widget elementor-widget-image\" data-id=\"bd76ab9\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image\">\n\t\t\t\t\t\t\t\t\t\t<img width=\"640\" height=\"320\" src=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Australia-Flag.webp\" class=\"attachment-large size-large\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Australia-Flag.webp 640w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Australia-Flag-300x150.webp 300w, https:\/\/www.progreso.com.sg\/newsite\/wp-content\/uploads\/2021\/12\/Australia-Flag-600x300.webp 600w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4149874 elementor-column elementor-col-50 elementor-inner-column\" data-id=\"4149874\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f300c74 elementor-widget elementor-widget-text-editor\" data-id=\"f300c74\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>Australia\u2019s\u00a0<a href=\"https:\/\/www.oaic.gov.au\/privacy-law\/privacy-act\/\" target=\"_blank\" rel=\"noopener\">Privacy Act of 1988<\/a>\u00a0and the\u00a0<a href=\"https:\/\/www.legislation.gov.au\/Details\/C2004A00748\" target=\"_blank\" rel=\"noopener\">Privacy Amendment Act of 2000<\/a>\u00a0govern data security for the Down Under. In it, businesses must take all reasonable steps to protect personally identifiable information in its databases from abuse or theft. An organization must also destroy or permanently de\u2011identify personal information if it is no longer needed.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-7afbda2 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"7afbda2\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9b4f9e0 elementor-column elementor-col-100 elementor-inner-column\" data-id=\"9b4f9e0\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-6f5a800 elementor-section-stretched ps2id elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-invisible elementor-section elementor-top-section\" data-id=\"6f5a800\" data-element_type=\"section\" data-settings=\"{&quot;stretch_section&quot;:&quot;section-stretched&quot;,&quot;background_background&quot;:&quot;classic&quot;,&quot;animation&quot;:&quot;fadeIn&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d3a7dbf elementor-column elementor-col-100 elementor-top-column\" data-id=\"d3a7dbf\" data-element_type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-51e1a3d uael-heading-align-left uael-heading-fill-color elementor-widget elementor-widget-uael-advanced-heading\" data-id=\"51e1a3d\" data-element_type=\"widget\" id=\"10\" data-widget_type=\"uael-advanced-heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n\t\t<div class=\"uael-module-content uael-heading-wrapper\">\n\t\t\t\n\t\t\t<h1 class=\"uael-heading\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"uael-heading-text elementor-inline-editing uael-size--default\" data-elementor-setting-key=\"heading_title\" data-elementor-inline-editing-toolbar=\"basic\" >10. BONUS CONTENT: A BRIEF HISTORY - THE NEED FOR ENCRYPTION KEY MANAGEMENT<\/span>\n\t\t\t\t\t\t\t<\/h1>\n\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-element elementor-element-cba590a elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"cba590a\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fbdf088 elementor-column elementor-col-100 elementor-inner-column\" data-id=\"fbdf088\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9171644 elementor-widget elementor-widget-text-editor\" data-id=\"9171644\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>Encryption has been around for millenniums. Some of the earliest mentions of it come from the\u00a0<a href=\"https:\/\/www.ancient.eu\/Arthashastra\/\" target=\"_blank\" rel=\"noopener\">Arthashastra<\/a>, a treatise on Imperial Indian governance written c2nd century BCE. In it, it describes giving messages to state spies in &#8220;<a href=\"https:\/\/books.google.com\/books?id=lpjb-mxge3EC&amp;pg=PA286&amp;lpg=PA286&amp;dq=Arthashastra+%22secret+writing%22&amp;source=bl&amp;ots=ImeHEyAh_V&amp;sig=4zukGBq6mdweMTJTocG5JnF4s7M&amp;hl=en&amp;sa=X&amp;ved=0ahUKEwjniv_5jcnPAhUQwGMKHWaVA2YQ6AEIIzAB#v=onepage&amp;q=Arthashastra%20%22secret%20writing%22&amp;f=false\" target=\"_blank\" rel=\"noopener\">secret writing<\/a>\u201d. Later, and in arguably the most famous form of ancient encryption, Julius Caesar sent messages to his battle front generals in code. Known as the\u00a0<a href=\"http:\/\/practicalcryptography.com\/ciphers\/caesar-cipher\/\" target=\"_blank\" rel=\"noopener\">Caesar Cipher<\/a>, it is a:<\/p><p style=\"padding-left: 40px;\"><em>\u201csubstitution cipher in which each letter in the plaintext is &#8216;shifted&#8217; a certain number of places down the alphabet. For example, with a shift of 1, A would be replaced by B, B would become C, and so on.\u201d<\/em><\/p><p>Unfortunately for Caesar, and fortunately for his opponents, once the cipher is known, all messages can be easily read. Thus rendering the cipher useless. There needed to be a better way.<br \/><br \/>Fast forward to the electronic age. In the 1921 Edward Hebern patented the\u00a0<a href=\"https:\/\/americanhistory.si.edu\/collections\/search\/object\/nmah_694514\" target=\"_blank\" rel=\"noopener\">Hebern Electric Super Code Cipher Machine<\/a>. It was the first to code the message with a secret key embedded in a detachable rotor. In\u00a0<a href=\"https:\/\/www.nsa.gov\/news-features\/declassified-documents\/friedman-documents\/assets\/files\/patent-equipment\/FOLDER_116\/41762849080198.pdf\" target=\"_blank\" rel=\"noopener\">recently declassified documents<\/a>, the NSA showed that the machine enciphered the message by having the operator type the message in and the ciphertext would appear in a light-board, one letter at a time.<br \/><br \/>But since the encryption key was limited by the use of one rotor, consisting of 26 circuit points, it was ultimately broken by cryptanalysis, specifically\u00a0<a href=\"http:\/\/practicalcryptography.com\/ciphers\/caesar-cipher\/\" target=\"_blank\" rel=\"noopener\">letter frequencies<\/a>.<br \/><br \/>The real leap forward was the Enigma Machine of World War II, developed by the Germans in the 1920s. It used three rotors and was thought unbreakable since the Germans, during the war, changed the rotors once a day, \u201cgiving 159 million million million possible settings to choose from,\u201d estimates\u00a0<a href=\"https:\/\/www.bletchleypark.org.uk\/content\/hist\/worldwartwo\/enigma.rhtm\" target=\"_blank\" rel=\"noopener\">Bletchley Park<\/a>.<br \/><br \/>But, the Enigma machine was compromised by the Poles in 1932 using\u00a0<a href=\"https:\/\/www.dailymail.co.uk\/sciencetech\/article-3448817\/How-Poles-cracked-Enigma-Turing-Country-launches-campaign-heroes-broke-code-1930s-recognised.html\" target=\"_blank\" rel=\"noopener\">mathematical techniques<\/a>. Later, this early work was used to read encrypted messages during World War II by, among others,\u00a0<a href=\"https:\/\/www.iwm.org.uk\/history\/how-alan-turing-cracked-the-enigma-code\" target=\"_blank\" rel=\"noopener\">Alan Turing<\/a>\u00a0(at Bletchley Park) and the use of the then latest data crunching computers.<br \/><br \/>Sending messages securely had come a long way from simple substitution ciphers. Keys were now being used &#8211; but they could be cracked using the brute force of the latest computers. Enter: Data Encryption Standard.<br \/><br \/>First published as the FIPS 46 standard in 1977, in 1987 the US Government, under the Computer Security Act, mandated that the National Institute of Standards and Technology (NIST) issue the\u00a0<a href=\"https:\/\/csrc.nist.gov\/publications\/fips\/fips46-3\/fips46-3.pdf\" target=\"_blank\" rel=\"noopener\">Data Encryption Standard (DES)<\/a>\u00a0in which it \u201cspecifies two FIPS approved cryptographic algorithms.\u201d It also mandated that the \u201cDES key consists of 64 binary digits (&#8220;0&#8243;s or &#8220;1&#8221;s) of which 56 bits are randomly generated and used directly by the algorithm. The other 8 bits, which are not used by the algorithm, may be used for error detection.\u201d<br \/><br \/>DES was considered very secure at the time. But in little more than a decade, and as computers became exponentially faster, DES keys quickly became vulnerable to brute force attacks.<br \/><br \/>Two options were proposed to address the issue around the same time. The first, introduced in 1997, was\u00a0<a href=\"https:\/\/csrc.nist.gov\/publications\/fips\/fips46-3\/fips46-3.pdf\" target=\"_blank\" rel=\"noopener\">Triple Data Encryption Algorithm (TDEA)<\/a>\u00a0or as it is more commonly know: Triple Data Encryption Standard (3DES). As NIST describes the cryptographic technique:<\/p><p style=\"padding-left: 40px;\"><em>[3DES] encrypts each block three times with the DES algorithm, using either two or three different 56-bit keys. This approach yields effective key lengths of 112 or 168 bits<\/em><\/p><p>But 3DES, when using only 112 bits, is still vulnerable to attacks such as\u00a0<a href=\"https:\/\/cs.jhu.edu\/~sdoshi\/crypto\/papers\/p465-merkle.pdf\" target=\"_blank\" rel=\"noopener\">chosen-plaintext attacks<\/a>. Also, since 3DES is a multi-step encryption process using two or three encryption keys, a stronger, more efficient method was needed.<br \/><br \/>In 1997 NIST started a process to identify a replacement for DES. NIST invited cryptography and data security specialists from around the world to participate in the discussion and selection process. Five encryption algorithms were adopted for study. Through a process of consensus the encryption algorithm proposed by the Belgian cryptographers Joan Daeman and Vincent Rijmen was selected. Prior to selection Daeman and Rijmen used the name Rijndael (derived from their names) for the algorithm. After adoption the encryption algorithm was given the name Advanced Encryption Standard (AES) which is in common use today.<br \/><br \/>In 2000 NIST formally adopted the AES encryption algorithm and published it as a federal standard under the designation\u00a0<a href=\"https:\/\/csrc.nist.gov\/publications\/fips\/fips197\/fips-197.pdf\" target=\"_blank\" rel=\"noopener\">FIPS-197<\/a>. AES encryption uses a single key as a part of the encryption process. The key can be 128 bits (16 bytes), 192 bits (24 bytes), or 256 bits (32 bytes) in length. Given that the fastest computer would take billions of years to run through every permutation of a 256-bit key, AES is considered an extremely secure encryption standard.<br \/><br \/>This brings us to today. AES is a very sophisticated encryption standard with an encryption key and can withstand the onslaught of the fastest computers. It\u2019s only vulnerability? The encryption keys falling into the wrong hands. That is why, after you have deployed your encryption, your best line of defense is a robust encryption key management strategy.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-element elementor-element-086c916 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-inner-section\" data-id=\"086c916\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6d5277d elementor-column elementor-col-100 elementor-inner-column\" data-id=\"6d5277d\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Content Overview 1. Introduction 2. Types of Encryption Keys and How They Work 3. How Encryption Key Systems Work 4. The Full Life-Cycle of Keys 5. Segregated Roles in Key Management 6. The Domains to Secure Encryption Keys 7. Platforms for Housing the Encryption Key Manager 8. Communication Protocols 9. Encryption Key Management in Meeting [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":20,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_links_to":"","_links_to_target":""},"_links":{"self":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/pages\/5030"}],"collection":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/comments?post=5030"}],"version-history":[{"count":3,"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/pages\/5030\/revisions"}],"predecessor-version":[{"id":5033,"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/pages\/5030\/revisions\/5033"}],"wp:attachment":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/media?parent=5030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}