Key Management

Key management is a huge topic in cryptography. We have symmetric keys that are used with symmetric algorithms such as hashing and encryption, and asymmetric keys, such as public-private key pairs, that are used with asymmetric algorithms such as digital signatures, among other things. For every algorithm we have looked at, the key to its security is the key itself.

Key management covers generating keys, verifying them, exchanging them, storing them, and, at the end of their lifetime, destroying them. To see why this is critical, consider two devices that want to establish a VPN session and send their encryption keys in plain text at the start of that session. An eavesdropper who captures those keys can use them to turn the cipher text back into readable data, and the VPN no longer provides confidentiality.

Keyspace refers to the set of all possible values a key can take. The larger the key, the larger the keyspace and the more secure the algorithm will be. The only drawback of an extremely long key is that the longer the key, the more CPU time is spent encrypting and decrypting data.

Next-Generation Encryption Protocols

The industry is always looking for new algorithms for encryption, authentication, digital signatures, and key exchange to meet escalating security and performance requirements. The U.S. government selected and recommended a set of cryptographic standards called Suite B because it provides a complete suite of algorithms that are designed to meet future security needs. Suite B has been approved for protecting classified information at both the secret and top secret levels. Cisco participated in the development of some of these standards. The Suite B next-generation encryption (NGE) includes algorithms for authenticated encryption, digital signatures, key establishment, and cryptographic hashing, as listed here:

- Elliptic Curve Cryptography (ECC) replaces RSA signatures with the ECDSA algorithm and replaces the DH key exchange with ECDH. ECDSA is an elliptic curve variant of the DSA algorithm, which has been a standard since 1994. The new key exchange uses ECDH with the P-256 and P-384 curves.

- AES in the Galois/Counter Mode (GCM) of operation.

- ECC Digital Signature Algorithm (ECDSA).

- SHA-256, SHA-384, and SHA-512.
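To tie the key-exchange concern above (never send the session key itself in plain text) to the Suite B list, here is an added example written for this page with the Go standard library; it is not code from the book or from Cisco. Two VPN endpoints each send only an ephemeral P-256 public key, complete ECDH, and protect traffic with AES-256-GCM. Using a bare SHA-256 of the shared secret as the key derivation step, and the names `Establish`, `Seal` and `Open`, are simplifications chosen for this example, not part of any standard.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Establish is one endpoint's side of Suite B key establishment: ephemeral
// P-256 ECDH with the peer's encoded public key. Only public keys cross the
// wire, so an eavesdropper never sees the session key. The shared secret is
// hashed into a 256-bit key (SHA-256 stands in for HKDF in this example) and
// wrapped in AES-256-GCM, Suite B's authenticated encryption mode.
func Establish(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub) // rejects malformed points
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates msg with a fresh random nonce;
// the output layout is nonce || ciphertext || GCM tag.
func Seal(gcm cipher.AEAD, msg []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// Open verifies the GCM tag and decrypts. A wrong session key (for example
// an eavesdropper's) or any tampered byte makes it return an error.
func Open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed message too short")
}
```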
