T 2.19 Inadequate key management for encryption

If cryptographic systems are used for protecting the confidentiality of data to be transferred, inadequate key management can undermine the required protection if:

• cryptographic keys are generated or stored in an unprotected environment

• unsuitable or easily-guessed cryptographic keys are used

• encryption or decryption keys are not sent to the communication partner by means of a safe avenue.

Examples:

• The simplest negative example of this can be the dispatch of encrypted information and the cryptographic key on the same floppy disk, provided that the encryption method is known.

• Cryptographic keys are usually generated by random processes and may be post-worke.If the source of random numbers is unsuitable, insecure keys may be produced.

• It is vital for security that the cryptographic keys generated are not weak, particularly in the case of masterkeys. Weak keys can be keys that are easily guessed or keys which are unsuitable for encryption (e.g. weak and semi-weak DES keys). If it is not checked whether keys are weak when they are derived from masterkeys, then weak keys may come into active use.

• If identical partial keys are used in the triple DES algorithm, the triple DES encryption only has the effect of a simple DES encryption. The gain in security is lost.

However, it is not only the disclosure but also the loss of cryptographic keys that can cause substantial problems. Cryptographic keys can

• be lost or forgotten,

• cease to be available, for example if the person in possession of the key has left the firm, or

• be destroyed in that they are accidentally deleted or in that they are changed, e.g. through a data media failure or bit errors.

If keys are no longer available, data protected by them can no longer be decrypted or tested for its authenticity.