Abstract

Cryptography plays a key role in all aspects of today's cybersecurity, and any cryptographic approach relies on cryptographic keys, i.e., series of bits that determine how a plain text is encrypted and decrypted according to an agreed algorithm. The secrecy and security of an encryption key are thus crucial and fundamental: if the cryptographic key is compromised and known, anyone can decrypt a text, even one encrypted with the strongest encryption algorithm. As a consequence, several Key Management Systems (KMS) have been developed to support the management of cryptographic keys, whose number is constantly increasing due to the number of devices and communications that take place today, even in very restricted contexts. SEkey is a key management system developed for a distributed environment, where it is possible to identify a single central manager that acts as a Key Distribution Center (KDC) and many users that locally store and manage their own keys. Users, to a certain extent, can also work "offline", without being always in direct communication with the central manager. SEkey is built leveraging the functionalities and physical properties of the SEcube™ Hardware Security Module (HSM). All the key values and critical information are stored inside the SEcube™ and never leave the device in clear, and all the cryptographic operations are performed by the SEcube™ itself. The guidelines provided by NIST were followed during the whole development process, guaranteeing all the most important security features and principles.
