APIs by Example: Cryptographic Services APIs, Part 3

In today’s issue of APIs by Example, I take up the challenge of cryptographic key management. How do you protect a cipher key against disclosure and at the same time make it readily available to your applications?

The idea behind key management is based on the simple fact that encrypted data is protected against unauthorized access only as long as the data encryption key is kept secret. Anyone having access to the data encryption key, and the encrypted data, of course, can get access to the clear-text data.

The simple answer to this problem is to encrypt the data encryption key. For that purpose, key-encrypting keys (KEKs) are implemented. So whenever a data encryption key is stored, it is first encrypted using a KEK.

This leaves you with the challenge of protecting the KEK against disclosure. So a final key layer is introduced: The master key. Using a master key, I can encrypt all KEKs before storing them on disk. And so they are also safe and protected. But now how do I protect the master key?

Download the save file containing the source code.

Read the entire article

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s