"Patrick Townsend Security Solutions provides encryption and encryption key management for all Enterprise platforms. Our Data at Rest and Key Management solutions support all platforms in the Enterprise, including Windows, Linux, UNIX, System z and System i. Our Data in Motion products reside on the System i platform and securely move data between all platforms."
Source: Patrick Townsend Security Solutions
Choosing a Key Management Solution
This white paper discusses the challenges of deploying key management for encryption in business applications. The modern Enterprise deploys a variety of server platforms, operating systems, and programming languages. A major barrier to deploying encryption has been the challenge of accessing encryption keys from these widely divergent environments. This paper will help define the key management needs of your Enterprise, while defining the elements necessary to reduce the technical challenges and cost of deployment.
Key Managers and Key Retrieval
Encryption key management solutions have the primary goal of managing and protecting encryption keys, and making them available to authorized applications in a secure fashion. Key retrieval includes the process by which an application requests an encryption key from the key server, how the key is protected during the delivery of the key, and the format of the encryption key and policy information that is delivered. While work is under way to define a common standard for key retrieval, there is currently no published or de facto standard for key retrieval. Each vendor of key management solutions defines the key retrieval mechanism used in their solution.
Key management solutions vary greatly in the complexity of the key retrieval process. The more complex the key retrieval interface, the greater the challenge for the Enterprise IT team in deploying key retrieval in applications. Understanding this fact can help IT decision makers assess different vendor solutions and the likely costs of deploying a solution in their Enterprise.
Common Key Retrieval Interface
Currently, there is a published standard application interface named Public-Key Cryptography Standards #11 (PKCS#11). This standard was developed by RSA Security, but has not gained wide acceptance. Some vendors of key management solutions provide PKCS#11 application interfaces on some platforms, but there remain significant gaps in platform implementations. The PKCS#11 standard defines the application interface, but not the key retrieval interface.
Because of the lack of a durable standard for key retrieval, efforts are under way by standards bodies such as IEEE and OASIS to define one. These groups have made some progress towards a standard, but it is likely to take some months or years before a standard is finalized and implemented in vendor key management solutions.
It has fallen to vendors of key management solutions to implement common key retrieval interfaces across their supported platforms. Unfortunately, some key management solutions have taken an ad hoc approach to platform interfaces and provide different APIs and processing on different platforms. This leads to additional barriers for IT developers responsible for deploying key management in applications. Good key management solutions provide a common key retrieval interface on all platforms - maximizing developer resources and minimizing time-to-deployment.
Payload Complexity
When a key server provides an encryption key to a client application, it packages the encryption key with additional information about the key. This additional information may include usage policy (can the key be used for encryption, digital signature, and so forth), key expiration information, and key access information. The packaging of this information may be more complex or less complex. While more complex packaging can provide more flexibility, it can also reduce the ability of developers to use the contents of the package on new platforms. A complex package can represent a "Rubik's cube" challenge for developers - slowing deployment and delaying projects.
In some cases Enterprise customers have been forced to hire specialized consultants from the key management vendor just to implement the application interface for key retrieval. In this case the consulting costs can quickly exceed the costs of the key management solution itself.
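As an added example (not the vendor's code or payload format), the Python routine below unpacks a hypothetical, deliberately simple key retrieval payload and enforces the usage, expiration and access policy it carries before releasing the key to the application; the JSON layout, field names and sample key are all constructed for illustration.

```python
import base64
import json
from dataclasses import dataclass
from datetime import datetime, timezone

KEY_SIZES = {"AES-128": 16, "AES-256": 32}  # raw key length per accepted algorithm

class PayloadError(ValueError): "Malformed or internally inconsistent payload."
class PolicyError(PermissionError): "Key exists, but its policy forbids releasing it here."

@dataclass(frozen=True)
class KeyPayload:
    key_id: str
    key: bytes
    usage: frozenset    # permitted operations, e.g. {"encrypt", "decrypt"}
    expires: datetime   # the key must not be released at or after this instant
    apps: frozenset     # application identities allowed to retrieve the key

def parse_payload(raw: bytes) -> KeyPayload:
    """Decode the (hypothetical) payload and reject anything inconsistent before use."""
    doc = json.loads(raw)
    missing = {"key_id", "algorithm", "key", "usage", "expires", "apps"} - doc.keys()
    if missing:
        raise PayloadError(f"missing fields: {sorted(missing)}")
    if doc["algorithm"] not in KEY_SIZES:
        raise PayloadError(f"unsupported algorithm {doc['algorithm']!r}")
    key = base64.b64decode(doc["key"], validate=True)
    if len(key) != KEY_SIZES[doc["algorithm"]]:
        raise PayloadError("key length does not match the declared algorithm")
    # Expiry in this constructed format is ISO-8601 UTC, e.g. "2011-01-01T00:00:00Z".
    expires = datetime.strptime(doc["expires"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return KeyPayload(doc["key_id"], key, frozenset(doc["usage"]), expires, frozenset(doc["apps"]))

def retrieve_key(raw: bytes, app_id: str, usage: str, now: datetime) -> bytes:
    """Release the raw key only when every policy element in the payload permits it."""
    p = parse_payload(raw)
    if app_id not in p.apps:
        raise PolicyError(f"{app_id} is not authorized for key {p.key_id}")
    if usage not in p.usage:
        raise PolicyError(f"key {p.key_id} may not be used for {usage}")
    if now >= p.expires:
        raise PolicyError(f"key {p.key_id} expired at {p.expires.isoformat()}")
    return p.key

# Constructed sample: a 32-byte AES-256 key made of the bytes 0..31 (not a real key).
SAMPLE_KEY = bytes(range(32))
SAMPLE_PAYLOAD = json.dumps({"key_id": "orders-db-2010", "algorithm": "AES-256",
    "key": base64.b64encode(SAMPLE_KEY).decode(), "usage": ["encrypt", "decrypt"],
    "expires": "2011-01-01T00:00:00Z", "apps": ["orders-app"]}).encode()
```

The retrieval wrapper refuses the key whenever the calling application, the requested operation or the current time falls outside the policy packaged with it, so the checks run on every retrieval rather than being left to each application.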
Sample Source Code Speeds Deployment
One way that vendors can help their customers deploy key management solutions quickly is to provide sample source code and platform-specific programming guides. Sample source code will help a developer quickly understand how to implement the key retrieval solution in your applications, and understand the best practices for programming to the vendor's interface. Sample source code also provides the developer an easy means of validating the implementation. If the sample code is adequate, it can be compiled and demonstrate successful key retrieval in a very short period of time.
When a vendor provides sample source they are also making a statement about the ease of use of their product. Sample source code provides a road map for the developer and shows the simplicity (or complexity) of the implementation. This gives IT professionals a good yardstick to determine the actual cost of the implementation.
Key Retrieval From Windows Applications
The Windows platform can represent the biggest challenge from a key retrieval perspective. There are many programming languages on the platform, and many versions of the Windows operating system. At a minimum the following language environments should be supported for key retrieval:
- C and C++
- C# (C Sharp)
- Cobol
- VB.NET
- Java
- Visual Basic and Access VB
This wide array of languages presents a daunting challenge to a key management vendor. A well thought-out strategy is needed to be sure that encryption keys can be retrieved into all of these environments.
Since Microsoft has clearly defined the .NET platform as their strategic development platform, the key management vendor should provide a .NET Assembly as a core platform for key retrieval. The Windows developer will be able to incorporate the assembly into any of the modern Microsoft languages.
In addition to support for the newer .NET Assembly, a key management vendor should also support the traditional Dynamic Link Library (DLL). DLLs are used in older Microsoft and third party languages. There are many thousands of legacy applications that use this older approach to application development, and support for this approach is crucial for success on the Microsoft Windows platform.
The many versions of Microsoft Windows can also present a challenge to the key management vendor. Typically the Enterprise customer will run a variety of third party solutions which require different versions of the Windows server and PC operating systems. It is not uncommon to see applications running on Windows NT or even earlier versions of the Windows operating system. Minimally, you should see support for the following Microsoft platforms:
- Windows NT
- Windows 2000
- Windows 2003
- Windows 2008
- Windows XP
- Windows Vista
The Java programming language is a special case. See the section below for more information about Java.
Key Retrieval From Linux/UNIX Applications
There are a variety of languages used for applications on the Linux and UNIX platforms. Java, C and C++, Perl, and PHP are some of the popular languages. Java is a special case and is covered in more detail below. In spite of the number of languages available on Linux and UNIX, the job of providing key retrieval support is a bit easier for the key management vendor. Linux and UNIX programming languages support shared libraries, and the key management vendor should provide this type of support for key retrieval.
Key Retrieval From IBM i
The IBM i (AS/400, iSeries, System i) server platform is found in most Enterprise environments providing support for back office applications. The programming languages used on this platform include RPG and Cobol, with the large majority of applications built using the RPG language. Encryption key retrieval should support both of these languages.
An effective way to provide key retrieval support on the IBM i platform is by using service programs. Service programs are very similar to shared libraries and Dynamic Link Libraries (DLLs). They can be easily added to most RPG and Cobol applications. The key management vendor should provide key retrieval support using a service program so that the IBM i developer can use it with any IBM i application programming language.
Key Retrieval From IBM z
The IBM z (Mainframe, z/OS, OS/390) platform runs a variety of operating systems and supports a variety of programming languages. Most Enterprise customers run the z/OS operating system and use Cobol for their back office applications. Key retrieval support for this environment is crucial for the Enterprise customer. However, there are often applications written in other languages such as PL/I and Assembler.
The key management vendor should provide support for key retrieval both as a Dynamic Link Library and as an object module.
It is especially helpful to the mainframe developer to have sample Cobol source code as a guide for implementing key retrieval via a DLL interface. The sample code will help the developer understand the DLL architecture for key retrieval, and provide a quick method to validate key retrieval in the more complex z/OS environment.
Key Retrieval From Java
The Java language is popular because applications written in this language can be deployed on a wide variety of hardware platforms and operating systems. Key management vendors have two different approaches to key retrieval from the Java language: standard Java, or Java Native Interface (JNI). Standard Java access provides an interface that is fully implemented in the Java language. The JNI interface links the Java language to other language objects such as DLLs and Shared Libraries. Java developers prefer standard Java solutions because they are simpler to install and use than JNI interfaces.
If the key retrieval interface involves complex packaging of the key information, the key management vendor often has no choice but to use the JNI interface. Simpler packaging allows for the use of the standard Java interface without the use of other language objects.
The Google Android platform supports a very rich Java implementation, and users of a natural Java key retrieval interface will find key retrieval very straightforward. Android supports the full SSL/TLS Java library for secure connections. When combined with the native Java AES encryption capabilities, application developers will find great support for strong encryption and key management on the Android platform.
Java can present some challenges when implementing secure key retrieval using the SSL/TLS protocol. Java SSL/TLS is complex and involves the use of Java Key Stores for certificate management. Be sure your key management vendor can provide you with sample Java source that demonstrates secure key retrieval.
Summary
Deploying encryption and key management across the Enterprise involves work on the part of application developers on each Enterprise computing platform. This work can be easier or harder depending on the key management vendor's dedication to appropriate implementations on each platform, ease of use of the key retrieval interface, and the availability of sample source code. Solutions which are difficult to deploy in business applications raise the costs of encryption and key management. In some cases implementation can cost more than the initial key management solution.
Patrick Townsend Security Solutions (PTSS) has developed this guide based on more than ten years of experience supplying encryption solutions to some of the largest Enterprises in the Retail, Healthcare, Financial, and Manufacturing markets. The company also works with OEM and ISV partners to provide encryption and key management to millions of end users. For more information on PTSS and our products, please visit
http://www.patownsend.com/ or call (800) 357-1019.
Key Management Vendor Checklist
10 questions to ask your key management vendor
- How would you describe the encryption key payload as retrieved from the key server? Is it simple or complex?
- Is there a common key retrieval application interface on all platforms? What are the differences?
- What platforms do you support for key retrieval? (Note any gaps in platform coverage for your company)
- Do you provide working sample code for the platforms I need? (Windows, Linux, UNIX, System i, System z)
- Do you have a .NET Assembly for use with Windows applications?
- Do you provide Linux and UNIX shared libraries for key retrieval?
- Do you provide an IBM System z interface that can be used from Cobol and USS?
- Do you provide an IBM System i service program for RPG and Cobol applications?
- Do you have a Java key retrieval class and examples? Is it standard Java or JNI?
- Do you charge separate license fees for each client operating system?
Once you have the answer to the above questions, it should be easier to choose the right key management vendor for your Enterprise. If you have any questions not covered here, we would be happy to help you find the answers. Give us a call for a more complete needs assessment.