๐ป My Cryptography Guide ๐จ
Hello everyone๐
My name is Elif Hilal! ๐ฎ I have been working on Blockchain for years. Again, again and again, Iโm back with another post! First of all, thank you for reading my articles and blog posts. If some do not know me or have heard my name for the first time, I will leave a link here to introduce myself! (All opinions are my own, it has nothing to do with the companies I work for)
Whatโs in this content?
๐ต What is key management, and how does it work?
๐ต Encryption Key Management
๐ต Why is Key Management important?
๐ต How does key encryption work?
๐ต What are the encryption types?
๐ต What are symmetric and asymmetric cryptography?
๐ต What is a public key and private key?
๐ต What are encryption errors?
๐ต What should be considered in this regard? and more :)
If youโre ready, let's get started!
๐ฉ What is Key Management, and How Does It Work?
Cryptographic keys are vital in protecting sensitive information, preventing data breaches, and complying with regulations. Unfortunately, a lost or stolen key can lead to costly system and data losses; therefore, any security-minded company should implement robust key management protocols. Especially if the company in question is a worldwide company, data security becomes more important. :) We donโt want our data to be leaked all the time, do we?
๐ท What is Encryption Key Management?
Encryption key management is a set of practices and rules that ensure the secure use of cryptographic keys.
Proper key management ensures that a key remains secure throughout its lifecycle, from generation, use, storage, and deletion.
A cryptographic key is a file that, when processed by a crypto algorithm, corrupts a string of letters and numbers that can encrypt and decrypt data.
The main purpose of key management is to keep these files away from unauthorized users and systems.
๐ด As you can imagine, losing a key can have serious consequences, so a solid encryption key management strategy is required. Well then, letโs ask, what should a reliable and robust encryption key management include? :
๐ Those working at different stages and in different units should โabsolutelyโ share instructions on how to manage keys
๐Security measures should be taken to prevent unauthorized physical and virtual access to the server that stores the keys
๐ Policies should be set for key functions
๐ Role-based controls that define who can access keys and when
๐ Directions for how different departments should interact and coordinate keys should be predetermined
When you read it, it sounds like itโs straightforward and the precautions everyone takes, but unfortunately, itโs not like that in real life ๐
A business or workplace can approach key management in three different ways:
๐ข If you ask me, the safest approach is to establish a centralized strategy and move to a decentralized structure once teams have complete control over how they store, share, and use private keys. So I believe there should be a central policy or a guide. This issue should not be risked!
Why is Key Management Important?
As I mentioned above, careful management of keys is vital for effectively using cryptography in cybersecurity strategy or in industries such as crypto.
Itโs similar to the key safe combination: No safe can stop a thief if the perpetrator knows how to unlock the safe. Similarly, weak key management can render even the best encryption algorithms worthless.
๐ก A compromised key allows an attacker to:
๐ก Reliable key management guarantees a high level of security regarding encrypted data and provides strictly:
๐So, How Does Key Encryption Work?
Encryption is actually the first requirement of data privacy. We can summarize what encryption does as follows:
Encryption; It allows us to exchange data while keeping a content unreadable by everyone except the sender and receiver.
๐ก But how? Encrypted data exchange is a two-step transaction :
The most important information here is that during this process, information cannot be read by people who do not have the key to solve the password.
๐ก The encryption is completely automatic, and the two sides who exchange data do not need to code or solve the code. The main factors and operations in the encryption process are as follows:
You can use encryption to protect your data, both fixed and on movement:
If we understand this, whatโs the next issue now? Did I say it was a long article? :)
๐ Types of Encryption
Now letโs go deeper; there are two main encryption types:
As the name suggests, in symmetrical encryption, the same key message both passwords and solves the password.
As the name suggests, a key encrypts content and solves the password of a different key data. These two keys are mathematically related to each other.
As you can imagine, symmetrical encryption is easier to use and install. Because only 1 key is mentioned. However, relying on the same key to encode and solve the content makes this strategy less safe than asymmetric encryption. Therefore, the use of asymmetric encryption makes the system safer. Remember ๐
๐จ Symmetrical Cryptography ๐จ
๐As I said at least three times above, symmetrical cryptography uses the same key for both data encryption and password-solving. ๐ The privacy of the key is essential because a single key protects the whole process.
Below, there is a diagram showing what a symmetrical encryption process looks like:
There is a diagram about how the process in the scheme above works, but I still want to explain step by step how this system works:
1. First of all, the user sends a request to the application and asks him to access encrypted data. 2. Then the application sends the customerโs request to the customerโs KM API (Key Management). 3. The client (through KM API) and km confirm each otherโs certificates 4. If the identity information is valid, KM API and KM will create a safe TLS connection 5. Km solves the requested dekโs password with KEK (key encryption key) 6. Key Manager sends DEK to KM API 7. Then, KM API sends DEK to the application 8. And finally, the application sends straight text data to the user ๐
In the meantime, companies usually use symmetrical encryption to protect waiting data.
Now if we have learned about symmetrical cryptography, there is asymmetric cryptography.
๐จ What is Asymmetric Encryption?? ๐จ
As I mentioned above, there are two different keys in the asymmetric encryption. One of the two keys is to encrypt the data, and the other is to dissolve the password. Now what is important here is the separation of Public and Private Keys.
โ Public Key
A public key allows you to get crypto money transactions. While everyone can send transactions to Public Key, you need a private key to โunlockโ and prove that you own the cryptocurrency taken in the transaction.
You can freely share your Public Key without worrying. (Iban or e-mail sharing the same function). You may have seen donation pages for content creators or charities with open keys for crypto addresses online. Although everyone can donate, you will need Private Key to unlock and access the donated funds!
An **public key** example is as follows :
3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20 5E35 F577 EE31 C4FB C6E4 4811 7D86 BC8F BAFA 362F 922B C01B CAB 423 CB040 CB021B CAB 4000 CR744 2654 C01B 2F40 CR74F 922B F01B 2F40 CR74F 922B F01B 2F40 CR74F 922B F01B 2F40 CR744 265B F01B 2F40 CRDS CRIGED
โ Private Key
A private Key solves the password of data and is a unique equivalent of the open key. It is very important to keep this key safe because there is only a way to solve the code of data with a Private Key.
โ โ โ Here is some essential advice that should not be forgotten: Never share your private key with anyone. The private key allows you to prove ownership or spend funds associated with your general address.
A private key can be used in many ways:
(Let me talk about the wallets, the differences between wallets and the storage of keys in another article; this is already prolonged :)
Both keys are unique, special and created at the same time.
โ Here is a diagram showing how the asymmetric encryption allowed the two sides to exchange files safely:
๐ฑ Although this diagram summarizes most things, I still want to make a description of this diagram and summarize how asymmetric cryptography works.
I hope nothing is understood in the parts I have explained so far; if you have a question mark, you know how you can reach me. ๐
โ What are the management errors of encryption keys?
It is a mistake to ensure the safe use of encryption keys without considering every stage of a password's life cycle. If you are curious about other common mistakes made by companies, I can summarize as follows:
- Trusting weak, extremely short keys and passwords - Using the same key for different purposes and tasks (for example, using a password for ten different websites) - Reuse of old key versions - Storing special keys on the same server or database as encrypted data - Keeping keys in an unexpected way - Transport of keys between systems and users without appropriate protection
โ As a lawyer, I want to tell you about an area that I love very much. ๐คฉ
โ What should companies pay attention to about passwords? โ
Would you like to look at what your team or workplace should pay attention to at every stage of the life cycle of a key to ensure the safe use of encryption keys? If it is not paid attention to, it is an issue that creates a constant problem. โบ
๐ Key Generation ๐
Companies and business centers normally create encryption keys on a key management server and store them. First of all, make sure that the โkey creation,โ which we call a generator to prevent hackers from using simple techniques to break the code, only creates long and complex keys.๐
The server typically uses a safe random bit generator and stores the key in a storage database with all its attributes.
๐น As a second piece of information, I would like to say that a key manager should allow managers to regulate the key features at any time.๐
๐ The key activation occurs during the creation or on a subsequent date (automatic or manual). In addition, defining a crypto period for each key makes it easier for you. This period is when the key is functional, ie working. Two factors affect the duration of the crypto period:
Note: For example, you encrypt a database and plan to add items to it for the next six months. In this case, the OUP sits in six months. If you plan to allow users to access the database and use the database for two years, this is RUP. In this example, the crypto period is for two years because OUP and RUP coincide.
๐ As another piece of advice, when you create a key, make sure that the server stores it in an encrypted situation. The keys should only be found uncomfortably in a safe, protected environment against manipulation. Also, do not store the key in the same database as the encrypted data it protects, which is very painful.
โ Key Use and Rollover๐
๐ The key manager has to allow authorized systems and users to get keys for encryption or passwordโsolving operations.
The key manager has to allow authorized systems and users to get keys for encryption or password -solving operations.
๐ For example, if the software creates a new key every year and disables the old one (or directs it to the new one), the administrator must hold the previous versions of the key but must only distribute the current example.
๐ Today, many companies prefer to turn-key rotations into an automatic process. For additional security, you may also consider recording key usage to a technology diary and providing traces of control.
๐ Make sure that the team does not use the same key for different purposes. If a hacker seizes a single key, each task must work with a unique key to prevent potential lateral movement between the systems.
Of course, these are my thoughts; whatever you want, you use it๐ค
๐น Key Revocation
To manage everything, a manager should be able to use the key manager to cancel a key and prevent its use. Why is this important?
Reactivating a canceled key can help managers solve the password of encrypted data, such as old backups. However, it is important to know who has access to canceled keys. Therefore, the manager must follow the cancellations of the password.
โ Backup ๐
All keys require a backup before being disabled, so the administrator must hold the mirror archive of all disabled keys.
After the crypto period, the recovery allows managers to rebuild the keys if they need to re-activate (crypto period described above).
The fact that a key is not recovered means that all the data remaining with the password is dissolved with the key is lost. There is nothing to do!
Deleting Key๐ธ
The manager can delete the key [storage database]. The deletion option is vital in these cases:
The removal of a key can delete all or part of the samples. If someone endangers encrypted data, the ability to quickly delete the key can keep the data safe and irrevocable. When the security team eliminates the threat, a manager can use the image to recreate the key and solve the data password.
There is no safe cryptography without solid and reliable key management ๐ฌ ๐
I said so much in this article :) But Iโm very excited about other articles!๐ฆ
๐ง ๐ป By the way, you can sign up for my Meetup page, join my Telegram group, and follow me on Twitter to be informed about the events I organize in the Blockchain ecosystem!๐ป I hope my articles and contents are beneficial to you. ๐งโ๐ค๐ฉ๐ผโ๐ค Do not hesitate to contact me ๐๐
Let me leave a sunflower here ๐ป