Key Management For Physical Access Control


2010 article about key management for physical access control by Tam Hulusi.


[S-18] [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] ——————————————————————————————— MAY/JUNE

Whether a physical or digital key, policies and practices for their use must be in place

By Tam Hulusi

How many keys have you used so far today? For most of us, this question calls to mind a limited number of traditional keys that we use at home, to start our car, to open a file cabinet, and so on. It is relatively easy to keep track of these keys because they are so visible and so frequently needed. And if we do misplace or lose a traditional key, we have a straightforward means of replacing it — we simply call a locksmith or the car dealership, and request a new one. If the loss is due to a theft, we may take the extra precaution of requesting that the lock be re-keyed, so that the stolen key will no longer work.

Ask someone who is responsible for the security of an entire building, or who manages the access privileges of a large and varied workforce, about keys and you will get a very different type of response. In today’s corporate security environment, traditional keys have given way to a variety of digital keys inside access tokens such as key cards. Implementing secure access control for thousands of doors or other assets, and ensuring that the individuals authorized for access will get it readily while everyone else will be kept out is a challenging task. It requires a combination of hardware (often in the form of key cards and card readers), software, an understanding of digital security and encryption, and carefully developed key management policies and practices.

This article presents an overview of the decisions and processes involved in successful physical access control from a key management perspective.

Key management fundamentals

Keeping track of digital keys is called key management. The purpose of a key management system is to provide the information necessary to enforce a key management policy. The primary way a key management system does this is by keeping a cradle-to-grave record of the life of every key, every when, why and how of its creation, use, breach and destruction. That may sound like an impossible task—and it would be if digital keys were managed along the same lines as the traditional keys in our pockets.

IT professionals and key management vendors have worked for years to design key management systems that will serve the needs of all types and sizes of organizations. A key management system enables you to see and monitor the digital keys that are deployed in your corporation with the same degree of detail as you track your personal keychain, or manage the accounts receivable and other internal systems.

I will focus on the three primary phases in the life of a managed key: key generation, key usage and key breach. While it may be helpful to have in mind the keys inside a smart card such as an HID iCLASS card, these three phases define the life of any managed key, no matter where it is stored or where it is used.

Key generation

Whether it is a physical key or a digital key, the management of a key starts with key generation. You have probably noticed that there are some keys in your pocket or purse that the local hardware store can duplicate and some that it cannot.

In well-managed systems, key generation takes place in a carefully controlled environment. Each and every key generation is recorded in a permanent log. The log includes when, where, what, why, how and who. In not-so-well-managed systems, no records are made of who is generating keys, why they are being generated, what they are going to be used for or how they are going to be protected. A moment’s reflection tells you that unmanaged key generation is the headwater of a river of downstream trouble.

It is during the generation phase that decisions about cryptographic algorithms, key length and key distribution are made. For example, in the smart card case, this is the time to decide questions such as whether cards may share keys for specific types of access or whether all keys must be unique.

Key use

One way the physical keys and digital keys are exactly alike is that you cannot use them unless you actually possess the key. The obviousness of this statement for physical keys is matched by the lack of obviousness of the statement for digital keys. This stark difference in awareness is due in part to the fact that while we all understand what having a physical key means, it is not so clear what “having” a digital key means in practice.

In both cases, it means that if an interloper takes the key from you while you are in the act of using it, that interloper can subsequently use it too. In particular, in the digital key case, it means that the key is exposed in its unprotected, unwrapped, unclothed and natural form for everyone to see. That constitutes a key breach, which requires remedial action. So protecting the digital key during use becomes a high priority for key management.

Key management is not “fire and forget” — or, in the specific case of digital keys, “generate and forget.” Best-practice key management is a continuous process that monitors the health of every key every day and is prepared to take immediate action should the health of a key start to fail. This is one reason why forward-looking companies are starting to offer key management services to their access control customers.

Key breach

Quite unlike the management of physical keys, the management of digital keys is often disconnected from the physical manifestation of the keys themselves. One area where this becomes most evident is policies regarding key breaches.

Key breach means that some incident has exposed the key to unauthorized use. In the case of a physical key, it does not mean necessarily that a malicious person is in possession of the key; and in the case of a digital key, it does not mean that the person knows the value of the key. It just means that somebody can use the key that should not be able to.

In physical reality, key breach can mean an authorized user losing the key, or somebody making an unauthorized copy of the key. But physical key breach can also mean getting hold of a master key, learning how to bump a lock, or coming into possession of a good set of lock picks. In whatever form, the breach of a physical key — both the breach itself and the harvesting of the breach — will have numerous physical manifestations that careful observation has a very good chance of detecting.

It is quite different in digital reality. Indeed, one of the most troublesome — and most ignored — challenges of digital key management is detecting key breach. Unless something really egregious takes place whose only logical cause could be the compromise of a key, digital key breach may go undiscovered and therefore unaddressed.

Let’s assume that a key breach has been discovered. In the case of a physical key loss, one remedy is to change all the locks that the breached key fits and then issue a new key to each authorized person. In almost every case, the list of locks and the list of people are completely known. Knowing the list of locks is usually sufficient, since rekeying the locks will cause the key holders to step forward and request a replacement.

What has to be done in the case of a breached digital key is just as obvious. The key has to be rolled. But doing that for a digital key is by no means as straightforward. First, the responsible key manager has to locate all the places and situations in which the digital key is being used. In the case of a physical access control system, this process might be as easy as in the case of a physical key since, after all, the digital door access is replacing a physical lock. In other cases — for example cards used to log in to computers, or for document encryption and data access — it may not be so easy to find all the breached keys.

Even when an instance of the breached value is found, changing it to a new value can surface previously unacknowledged problems. One problem can be acquiring the authorization to change the key value at all. Just because a digital key is in use does not mean that somebody can be found who can change it. In fact, there are cases in which policy decisions may make it impossible to change the value.

Suppose that somebody in security or IT can be found who does have the authorization to change the key value. It is highly likely that procedures for generating a new key value and for getting it into a form that can be used for key rolling are not frequently practiced even if they are known. All aspects of key breach detection and key rolling need to be addressed in practice to ensure that the written policies are possible and cost-effective to implement whenever the need arises.

To reconnect with the realities and practicalities of key management for digital keys, it may be helpful to work backward from a key breach scenario. The surfacing of a roadblock to key rolling and recovery from a key breach well before an actual security issue arises has obvious advantages. It may also help to shine more light on other areas in an existing key management program where policies and practices are less than optimal.
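The permanent log of key events from the key generation section and the breach rehearsal described above, as an added example that is not from the article or from any vendor's product. The ledger class, the hash-chained log design, the event names, the key identifier and the sample records are all assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class KeyLedger:
    """Append-only, hash-chained log of key lifecycle events (assumed design)."""
    def __init__(self):
        self.events = []

    def record(self, key_id, action, who, where, why, when):
        prev = self.events[-1]["digest"] if self.events else GENESIS
        body = {"key_id": key_id, "action": action, "who": who,
                "where": where, "why": why, "when": when, "prev": prev}
        self.events.append({**body, "digest": _digest(body)})

    def verify(self):
        """True only if every event matches its digest and links to its predecessor."""
        prev = GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or e["digest"] != _digest(body):
                return False
            prev = e["digest"]
        return True

    def roll_plan(self, key_id, authorized):
        """Breach rehearsal: split places still using key_id into rollable and roadblocked."""
        live = set()
        for e in self.events:
            if e["key_id"] == key_id and e["action"] == "deploy":
                live.add(e["where"])
            elif e["key_id"] == key_id and e["action"] == "retire":
                live.discard(e["where"])
        return (sorted(w for w in live if authorized.get(w)),
                sorted(w for w in live if not authorized.get(w)))

def build_sample():
    """Constructed records; names, places and dates are illustrative only."""
    led = KeyLedger()
    led.record("site-key-01", "generate", "alice", "key-room", "new site", "2010-05-01")
    led.record("site-key-01", "deploy", "alice", "door-readers", "lobby doors", "2010-05-02")
    led.record("site-key-01", "deploy", "bob", "pc-logon", "card login", "2010-05-03")
    led.record("site-key-01", "deploy", "bob", "test-reader", "lab bench", "2010-05-04")
    led.record("site-key-01", "retire", "bob", "test-reader", "pilot ended", "2010-05-20")
    return led

# Constructed policy table: who may change the key at each place it is used.
AUTHORIZED = {"door-readers": ["alice"], "pc-logon": []}
```

Calling `build_sample().roll_plan("site-key-01", AUTHORIZED)` separates the places where the key can be rolled from the places where nobody is authorized to change it, which is the roadblock the rehearsal is meant to surface before a real breach.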

Further Reading

Matt Blaze’s classic paper on master keys is a beautiful case study of the similarities and differences of physical and cryptographic keys: http://www.crypto.com/papers/mk.pdf

Key management benefits

This overview of key management processes provides a starting point for evaluating your company’s current key management practices — whether you are working with a turnkey system from a vendor, or have implemented selected policies internally. It may also raise questions about the value of developing a comprehensive key management strategy. According to BITS, a security working group for the financial services industry, a good key management program can assist in accomplishing the following:

Improve usability and effectiveness of key and key usage;

Increase reliability and efficiency of key structure and key implementation;

Reduce costs by leveraging common infrastructure and administrative processes;

Reduce complexity and improve transparency by re-using well-defined processes and interfaces;

Automate manual steps to reduce human error and improve consistency;

Support a variety of keys consumed by a variety of encryption/decryption processes delivered by commercial, open-source and customer-developed applications on multiple platforms;

Allow for segregation of key management from encryption/decryption operations;

Improve transparency by aligning and integrating with the businesses’ processes; and

Provide evidence of having implemented sound and secure practices.

Strong keys coupled with best-practice key management are at the foundation of token-based access control systems. Strong keys alone are not sufficient. If you are running a keyed security system, then either you buy a key management system and put in place a continuously-running key management process, or you seek a vendor that can provide these services. Running a keyed security system without a key management system underneath should not be considered an option.


Tam Hulusi is senior vice president of strategic innovation and intellectual property at HID Global, the trusted leader in providing access and ID management solutions for the delivery of secure identity.