Design and Implementation of a Key-Lifecycle Management System

Key management is the Achilles' heel of cryptography. This work presents a novel Key-Lifecycle Management System (KLMS), which addresses two issues that have not been addressed comprehensively so far.

First, KLMS introduces a pattern-based method to simplify and to automate the deployment task for keys and certificates, i.e., the task of associating them with endpoints that use them. Currently, the best practice is often a manual process, which does not scale and suffers from human errors. Our approach eliminates these problems and takes into account specifically the lifecycle of keys and certificates. The result is a centralized, scalable system, addressing the current demand for automation of key management.

Second, KLMS provides a novel form of strict access control to keys and realizes the first cryptographically sound and secure access-control policy for a key-management interface. Strict access control takes into account the cryptographic semantics of certain key-management operations (such as key wrapping and key derivation) to prevent attacks through the interface, which plagued earlier key-management interfaces with less sophisticated access control.

Moreover, KLMS addresses the needs of a variety of different applications and endpoints, and includes an interface to the Key Management Interoperability Protocol (KMIP) that is currently under standardization.

A revised and condensed version of this report appears in: "Financial Cryptography and Data Security," Proc. Fourteenth Intl Conf. on Financial Cryptography and Data Security '10 "FC'10," Tenerife, Spain, Lecture Notes in Computer Science, vol. 6052 (Springer-Verlag, Berlin Heidelberg, January 2010), 160-174.

By: Mathias Bjoerkqvist, Christian Cachin, Robert Haas, Xiao-Yu Hu, Anil Kurmus, Rene Pawlitzek, and Marko Vukolic

Published in: RZ3739 in 2009

LIMITED DISTRIBUTION NOTICE:

This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).