Key and Secrets Management


What is Bring Your Own Key (BYOK)?

While cloud computing offers many advantages, a major drawback has been security: the data physically resides with the cloud service provider (CSP), outside the direct control of its owner. For enterprises that use encryption to protect their data, securing the encryption keys is therefore of paramount importance. Bring Your Own Key (BYOK) lets an enterprise encrypt its data while retaining control and management of the encryption keys. However, some BYOK schemes simply upload the keys to the CSP's infrastructure, at which point the enterprise has once again forfeited control of them. A best-practice answer to this problem is for the enterprise to generate strong keys in a tamper-resistant hardware security module (HSM) and to control the secure export of those keys to the cloud, for example by releasing them only in wrapped form under a provider-supplied import key, thereby strengthening its key management practices.


What is a credential management system?

To control access to sensitive data, organizations need to issue and verify user credentials. Deploying a sound credential management system, or several, is critical to securing systems and information. Issuing authorities must be able to create and revoke credentials as customers and employees come and go or change roles, and as business processes and policies evolve. Furthermore, the rise of privacy regulations and other security mandates increases the need for organizations to demonstrate that they can validate the identity of online consumers and of internal privileged users.


Challenges of credential management

  • An attacker who gains control of your credential management system can issue credentials that make them an insider, potentially with the privileges needed to compromise systems without being detected.
  • A compromise of the credential management process forces the re-issuance of credentials, which can be an expensive and time-consuming exercise.
  • Credential validation rates can vary widely and can easily exceed the performance envelope of the credential management system, putting business continuity at risk.
  • Business application owners have ever higher expectations of the security and trust model, which can expose credential management as the weak link and jeopardize compliance claims.


Hardware security modules (HSMs)

Although a credential management platform can be deployed on a purely software-based system, that approach is inherently less secure. Token-signing and encryption keys handled outside the cryptographic boundary of a certified HSM are significantly more exposed to attacks that could compromise the token signing and distribution process. An HSM is the reliable, auditable way to keep valuable cryptographic material secure and to provide FIPS 140-validated hardware protection.


An HSM enables your enterprise to:

  • Keep token-signing keys within a well-defined cryptographic boundary, with strong access controls that enforce separation of duties so that keys can only be used by authorized entities
  • Use sophisticated key management, storage and redundancy features to ensure availability
  • Deliver the performance needed to meet growing demand for access to resources from diverse devices and locations


What is an asymmetric key, or asymmetric-key cryptography?

Asymmetric cryptography uses a pair of mathematically linked keys to secure data. One key, the private key, is kept secret by its owner and is used for signing and/or decryption. The other, the public key, is published and can be used by anyone to verify messages signed with the private key, or to encrypt data so that only the holder of the private key can decrypt it.
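The signing half of this, as an added example that is not part of the original page: an Ed25519 key pair in which the private key signs and anyone holding the public key verifies, with no secret needed on the verifying side. The sample message, the `KeyPair` type and the `Demo` helper are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyPair holds one party's linked keys: the private key stays with its
// owner and signs; the public key is published and only verifies.
type KeyPair struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// NewKeyPair generates a fresh Ed25519 key pair from the OS CSPRNG.
func NewKeyPair() (*KeyPair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Public: pub, Private: priv}, nil
}

// Sign produces a 64-byte signature over msg with the private key.
func (k *KeyPair) Sign(msg []byte) []byte {
	return ed25519.Sign(k.Private, msg)
}

// Verify checks sig over msg with a public key. No secret is involved,
// which is why verification can be delegated to any relying party.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Demo signs a constructed message and reports three checks: the genuine
// signature verifies, a tampered message does not, and a signature does not
// verify under someone else's public key.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	owner, err := NewKeyPair()
	if err != nil {
		return
	}
	other, err := NewKeyPair()
	if err != nil {
		return
	}
	msg := []byte("release-manifest v1.4.2 built by ci-runner-07") // constructed sample
	sig := owner.Sign(msg)

	genuine = Verify(owner.Public, msg, sig)

	// Flip one bit of the message: the signature must no longer verify.
	bad := append([]byte{}, msg...)
	bad[0] ^= 0x01
	tampered = Verify(owner.Public, bad, sig)

	// A different party's public key must reject the signature.
	wrongKey = Verify(other.Public, msg, sig)
	return
}

func main() {
	g, t, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```

Ed25519 is used here because it needs no parameter choices and is deterministic, so the same message and key always yield the same signature; a Verify result of false tells you only that the (key, message, signature) triple does not match, not which of the three changed.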



What is a symmetric key?

In cryptography, a symmetric key is a single key used for encryption, decryption and message authentication. This practice, also called "secret-key cryptography", means that to decrypt information one must hold the same key that was used to encrypt it. In practice the key is a shared secret between the parties, used to maintain a private communication link. A key may be shared by two or more parties, or used by a single party (for example to encrypt backups).

One benefit of symmetric cryptography is that it is much faster than asymmetric cryptography, which is why bulk data is encrypted under symmetric keys even when asymmetric keys are used to exchange them. A well-known example of a symmetric-key use case is tokenization.
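An added example (not from the original page) of the symmetric case: one shared AES-256 key does the encrypting, the decrypting and, through the GCM authentication tag, the message authentication the paragraph mentions. The record contents, the header used as associated data and the `Seal`/`Open` names are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewSymmetricKey returns a random 256-bit AES key. This one value is the
// shared secret: whoever holds it can both encrypt and decrypt.
func NewSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext under key with AES-256-GCM.
// A random 96-bit nonce is prepended to the output; aad is authenticated
// but not encrypted (for example a record header or backup set name).
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext||tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the GCM tag and then decrypts. Any change to the ciphertext,
// the nonce, the aad or the key makes the tag check fail, so a forged or
// corrupted record is rejected before any plaintext is returned.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewSymmetricKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("backup-set=2024-q1")                       // constructed header
	sealed, err := Seal(key, []byte("customer export, sample"), aad) // constructed record
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, sealed, aad)
	fmt.Printf("roundtrip=%q err=%v\n", pt, err)

	sealed[len(sealed)-1] ^= 0x01 // corrupt one bit of the tag
	_, err = Open(key, sealed, aad)
	fmt.Println("tampered record:", err)
}
```

The nonce must never repeat under the same key; with random 96-bit nonces, rotate the key well before 2^32 records to keep the collision probability negligible.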


What is key transport?

In key transport, one party chooses the secret keying material and transmits it, encrypted, to the other. Key transport schemes use either public-key techniques alone or a combination of public-key and symmetric-key techniques (a hybrid scheme). The party that sends the secret keying material is called the sender and the other party the receiver.
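This example, added here and not part of the original page, shows a public-key key transport scheme in code, and it is also the shape of the BYOK export described at the top of the page: the sender generates the secret keying material (standing in for the enterprise's HSM), wraps it under the receiver's RSA public key with RSA-OAEP, and only the receiver's private key (standing in for the CSP's import key, which would itself be HSM-held) can unwrap it. The RSA key sizes, the import label and the function names are assumptions for the illustration; real BYOK import APIs define their own wrapping algorithms and blob formats.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewWrappingKeyPair models the receiver's transport key pair. The public
// half is handed to the sender; the private half never leaves the receiver.
func NewWrappingKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// GenerateKeyMaterial stands in for key generation inside the sender's own
// HSM: 256 bits from a CSPRNG that the receiver never sees in the clear.
func GenerateKeyMaterial() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// WrapKey is the sender side of key transport: the secret keying material is
// encrypted under the receiver's public key with RSA-OAEP (SHA-256). The
// label is bound into the OAEP encoding, so a blob wrapped for one purpose
// or tenant cannot be unwrapped under another.
func WrapKey(pub *rsa.PublicKey, keyMaterial, label []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, label)
}

// UnwrapKey is the receiver side: only the holder of the private key can
// recover the keying material, and a wrong label or a modified blob fails.
func UnwrapKey(priv *rsa.PrivateKey, wrapped, label []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, label)
}

func main() {
	csp, err := NewWrappingKeyPair(3072) // receiver (e.g. a cloud KMS import key)
	if err != nil {
		panic(err)
	}
	material, err := GenerateKeyMaterial() // sender's HSM-generated key
	if err != nil {
		panic(err)
	}
	label := []byte("byok-import:tenant-42") // constructed import label

	blob, err := WrapKey(&csp.PublicKey, material, label)
	if err != nil {
		panic(err)
	}
	got, err := UnwrapKey(csp, blob, label)
	fmt.Printf("receiver recovered key: %v\n", err == nil && bytes.Equal(got, material))

	_, err = UnwrapKey(csp, blob, []byte("byok-import:other-tenant"))
	fmt.Println("wrong label:", err)
}
```

The blob is safe to send over an untrusted channel because it is useless without the private key, but it is not a substitute for verifying that the public key really belongs to the intended receiver: wrapping under an attacker-supplied key hands the material to the attacker.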


What is key agreement?

In key agreement, the derived secret keying material is the result of contributions from both parties; neither party chooses the key on its own. Key agreement schemes may use either symmetric-key or asymmetric-key (public-key) techniques. The party that begins a key agreement scheme is called the initiator, and the other party the responder.
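The agreement scheme in code, as an added example not taken from the page: X25519 key agreement between an initiator and a responder, followed by an HKDF-SHA256 derivation whose info string includes both public values, so that both contributions and the transcript feed the final session key. The `Party` type, the transcript label and the small inline HKDF are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is one side of the agreement. Its private scalar is its contribution
// and never leaves the process; only the public value goes on the wire.
type Party struct {
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh X25519 contribution from the OS CSPRNG.
func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicBytes is the 32-byte value this party sends to its peer.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// SharedSecret combines our private scalar with the peer's public value.
// Both sides reach the same point; an observer holding only the two public
// values cannot. The X25519 implementation rejects low-order peer points.
func (p *Party) SharedSecret(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return p.priv.ECDH(pub)
}

// hkdfSHA256 derives one 32-byte key from the raw shared secret, following
// RFC 5869 extract-then-expand for a single output block. The info string
// carries the transcript so a different contribution yields a different key.
func hkdfSHA256(secret, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt) // nil salt == HashLen zero bytes
	extract.Write(secret)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01}) // block counter T(1)
	return expand.Sum(nil)
}

// Transcript builds the info string from the two public values in a fixed
// order so that initiator and responder derive the same key.
func Transcript(initiatorPub, responderPub []byte) []byte {
	t := []byte("key-agreement-demo:") // constructed label
	t = append(t, initiatorPub...)
	return append(t, responderPub...)
}

// SessionKey runs agreement plus derivation from this party's point of view.
func (p *Party) SessionKey(peerPub, transcript []byte) ([]byte, error) {
	ss, err := p.SharedSecret(peerPub)
	if err != nil {
		return nil, err
	}
	return hkdfSHA256(ss, nil, transcript), nil
}

func main() {
	initiator, err := NewParty()
	if err != nil {
		panic(err)
	}
	responder, err := NewParty()
	if err != nil {
		panic(err)
	}
	// Each side sends only its public value; the transcript is built by both.
	tr := Transcript(initiator.PublicBytes(), responder.PublicBytes())
	ki, _ := initiator.SessionKey(responder.PublicBytes(), tr)
	kr, _ := responder.SessionKey(initiator.PublicBytes(), tr)
	fmt.Printf("initiator and responder derive the same key: %v\n", bytes.Equal(ki, kr))
}
```

Plain Diffie-Hellman as shown gives no assurance of who the peer is; an active attacker can run the exchange with each side separately. In a deployed protocol the public values are authenticated, for example by signing the transcript or by binding the exchange to a certificate.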



What is key establishment?

Secret keying material can be established electronically between parties by using a key establishment scheme, that is, either a key agreement scheme or a key transport scheme.