Key management is the process of controlling access to and verifying keys in a cryptographic system. In cryptography, information is scrambled using a cipher. This cipher mixes up the information in a very specific way that allows anyone with the proper key to unscramble the data and return it to its original form. Proper key management is essential to keeping keys in locations where they need to be and verifying that keys are correct before decoding information.
Keys are the weakest link in a cryptographic system. It is possible to make a code that is so devious or complex that it may never be broken, but if no one can unscramble it, any encoded information is lost. In order for the code to function properly, it needs a key. Any place the code will need decoding requires a copy of it, and each of those locations is a place where the key may be abused.
In order to prevent keys from being stolen or counterfeit, cryptography uses two methods; key scheduling and key management. A key schedule is the internal aspect of a key in the encoded material. These keys often interact with those outside to verify key authenticity and generate sub-keys to access encoded data within the encoded data. Since key schedules generally require an authentic key to function, they are often seen as low-risk keys.
On a basic level, key management relates to securing access to the key when idle and when in use. In a common system, keys are kept in a secure, offline location. Before computers, this was often a restricted access area—now, it is typically a non-networked computer system. When the key is needed, the key server will link to the network, enter the proper information and disconnect. It is only during the actual key use that the systems will connect. This limits the time a potential thief can use to access the system.
A key management system extends out beyond the information. Proper management involves restricting personal access to key storage locations, random key updates and encoded key storage servers. A true management system involves every aspect of network access and personnel management. As a result, large-scale key management systems are difficult to implement and expensive to oversee.
This problem is often compounded through human error. Improperly trained workers will underestimate restricting key access and leave avenues open for theft. Department oversight will often have conflicts, as key management potentially falls within the purview of the information technology, accounting and internal security departments. This will cause the system to have too many managers, creating policy conflicts, or too few, as every department feels the other has it under control.