Some weeks ago I experienced that sinking feeling that comes with locking your keys in the car. Fortunately, I was only a phone call and a 20-minute wait away from rescue. But how can that happen, you ask, given all the modern safeguards built into automotive key technology? Don’t cars these days alert you or automatically unlock the doors when you leave the key inside?
They do if the key is within range. I learned the hard way, though, that being buried in a briefcase at the tail end of a large SUV didn’t quite qualify as “in range”!
Encryption Keys 101
So what do automotive keys have to do with digital encryption keys? More than you might think. Both serve as the last barrier to unauthorized access, and both can be hacked or circumvented. Many of today’s automotive keys are, in fact, more digital than physical, and utilize rolling encryption codes in their transponders, allowing also for proximity-based push-button start. Such encryption—the conversion of plain text or data into an unintelligible form— is enabled by an algorithm that requires one or more keys (think passwords) to lock and unlock the data. Encryption keys typically take one of two forms: symmetric, which uses the same key to lock and unlock data and is known as Secret Key Cryptography; and asymmetric, which uses a pair of associated keys, also known as Public Key Cryptography.
Encryption is Only as Secure as Its Key
Data encryption is often recommended as the silver bullet for protection of sensitive information, such as PHI or PII. Indeed, the Payment Card Industry Data Security Standards (PCI-DSS) requires encryption of Social Security numbers, except for the last four digits, and encryption is generally a safe harbor under the breach notification statutes of the various states. But encryption is only a safeguard if the encryption key remains protected. Notably, under at least 12 states’ breach notification statutes, encryption of PII is not a safe harbor if the encryption keys were compromised in the breach. Because encryption is a complex mathematical topic that is Greek to most laypersons, the methods by which keys are used to encrypt and decrypt data are seldom discussed outside of IT, and the absolute necessity of protecting those keys is often overlooked.
Leaving encryption keys unprotected invites theft in the same way as leaving your car key in the car. Who has access to the keys to your encrypted data? Where are the keys stored? Are there copies? How often are they changed or updated? Detailed technical guidance may be found in The National Institute of Standards and Technology’s “Recommendation for Key Management—Part 1: General (Revision 3),” NIST Special Publication 800-57. Recommendations include “key wrapping,” or encrypting keys for transmission, and periodically decrypting data and re-encrypting it with a new key.
Protection concepts found in the NIST publication mirror those found in more general records and information management guidance, as well as the CIA Triad model for security policy: Confidentiality, Integrity, and Availability. NIST states that encryption keys need to be Available as long as the data is protected; keys must be protected from modification to ensure their Integrity; and the Confidentiality of keys must be ensured through physical protection or by ensuring that it is “no easier to recover the key-encrypting key than it is to recover the key being encrypted.” Further, Accountability “involves the identification of those entities that have access to, or control of, cryptographic keys throughout their lifecycles.”
So, just as we try never to leave our keys in the car, we should take special care to protect our data encryption keys. That starts with knowing where they are stored, by whom, and with what controls. Documenting this information should be part of your annual security risk assessment, if it isn’t already.