Thursday, November 24, 2011

Key Management Plan Review

I mentioned, how to write a Key Management Plan in my previous post with guidelines on what to be included and what are the keys aspects that needed to be addressed as part of Key Life cycle management. In this post, i will talk about the "what to look for" within the Key management plan while reviewing. Having a standard guidelines on Key Management plan review, will ensure the plan has adequate information for Key administrator to use once when the keys are sent to production
Key Generation Process







Provide dates; location details if appropriate 
§  Date and Time
§  Required attendees (CBA and Non CBA)
§  Key Register (If required)
§  List of Actions and Outcome
Description of how the key(s) will be sourced. This may be via another agency or may be key(s) generation processes or equipment
How the key is to be physically loaded into the hardware and/or software cryptographic system
Describes how the key(s) are to be used
1.       When encryption and decryption occurs;
2.      What data is to be encrypted and decrypted; and
3.      The keys and algorithms are to be used in these transformations
Crypto period(s) for the various key
Details of how the key(s) will be electronically and physically stored
Key Accounting and Distribution
Detail the number of copies of key to be produced and distributed to the various parties
If appropriate, detail how key(s) are to be destroyed
Details on how keys will be distributed electronically or physically. This should include security details of courier(s), if used, as well as how the couriers will handle contingencies such as loss or compromise of keys
Provide explanation/procedure on the circumstance under which a key may be destroyed
Key archiving usually requires provisions for moving the key to new storage media when the old media are no longer readable because of aging of, or technical changes to, the media readers
Key Contingency
Describe the conditions under which a compromise of cryptographic key material should be declared
Detail the procedures for recovery of keys and encrypted material
Detail the key compromise procedure on how the incident will be investigated and how to escalate the incident.
Key Retrieval
The KMP design shall specify how, and the circumstances under which, keys and their bound metadata may be retrieved from a key database storage facility
Maintenance Schedule
Detail the procedures for testing or verification of software upgrades to critical cryptographic services in either the hardware (through firmware) or software
Key Resources
List of parties involved with their contact details.Depending on the criticality  verify the names of backup custodians as necessary
Key Conveyance form
Does the KMP covers on agreed format of Key exchange. All parties involved in key Conveyance exchange/Acknowledgement and Key Destroy.