You're planning to give a presentation on Symmetric Key Infrastructures (SKI) and how it will
likely play an even more important role in IT security than Public Key Infrastructures (PKI) in the
years ahead. Talk about the differences between PKI and SKI and why SKI may grow in importance
going forward.

Both
Most of the application of cryptography to date has been for data "on the fly"--over networks or via email. Here, the encryption and decryption typically happen when the data is sent or received, or the message is sent or opened. The keys are identified and already available to the principals involved in the process. The data is typically encrypted with a symmetric key, where the symmetric key is conveyed using public-key techniques. However, the symmetric key itself does not need to be managed explicitly. The only long-term secret that needs to be managed is usually a PKI private key, and it generally needs to be available only to a single principal.
The renaissance of SKIs is due to the emerging emphasis on applying cryptography to data "at
rest"--in a database or on a disk or tape. Here, the decryption might happen a long time after the
encryption, and by a principal not involved when the data was originally encrypted. The symmetric
key in this case typically does have to be managed explicitly. Furthermore, the key may need to be
available to more than one principal. Managing these keys thus requires a richer and more complex
infrastructure than for PKI private keys.

What are some concrete aspects of SKI that could help IT professionals secure their companies
against today's threats? How could the features make the business of security easier on them?

If data compromise is the threat, encryption is a countermeasure -- but it's only effective if the
decryption keys are available when needed to the parties that need them, and available only to them
and no one else. In this sense, decryption keys are another information asset that IT professionals
need to manage. SKIs can help IT professionals manage them more easily and effectively. Your
company's management and your customers may be telling you, "Encrypt the data." It's a lot easier
to do so if you have an infrastructure for managing the keys.

What do you expect to be some of the highlights at the RSA show in terms of speakers and topics?

As usual, I'm expecting the show to be an informative event that gives motivation for the year
ahead. Innovation has always been an underlying theme for the conference, but the 2007 event is
bringing it to the forefront with a lineup of keynote speakers. In addition to senior executives
from major IT companies, Gen. Colin Powell, Ray Kurzweil and IDEO's Tom Kelley will be presenting
their expert perspectives on innovation in today's world. Additionally, the RSA Conference has
added an entire track on consumer protection to address the increasing need for the information
security industry to approach applications from the consumer's standpoint. I'll be moderating the
cryptographers' panel once again. Finally, for the more technically oriented, we continue the
cryptographers' track, an academic research workshop within the conference, chaired by Masayuki Abe
of NTT.