WEBVTT 1 00:00:00.210 --> 00:00:01.380 In this lesson, 2 00:00:01.380 --> 00:00:03.810 we will learn about Key Management. 3 00:00:03.810 --> 00:00:06.900 Key management is made up of the processes 4 00:00:06.900 --> 00:00:10.710 and protocols that generate, distribute, store, 5 00:00:10.710 --> 00:00:13.680 and securely handle cryptographic keys 6 00:00:13.680 --> 00:00:15.390 throughout their lifecycle. 7 00:00:15.390 --> 00:00:18.810 Key management concepts include key stretching 8 00:00:18.810 --> 00:00:20.400 and key splitting. 9 00:00:20.400 --> 00:00:22.710 Key stretching is a technique used 10 00:00:22.710 --> 00:00:27.300 to enhance the security of weak or short cryptographic keys 11 00:00:27.300 --> 00:00:29.280 by applying iterative hashing 12 00:00:29.280 --> 00:00:31.830 or encryption functions to the key. 13 00:00:31.830 --> 00:00:33.780 Key splitting, on the other hand, 14 00:00:33.780 --> 00:00:36.780 is the practice of dividing a cryptographic key 15 00:00:36.780 --> 00:00:38.550 into multiple parts. 16 00:00:38.550 --> 00:00:42.600 Let's learn more about key stretching and key splitting. 17 00:00:42.600 --> 00:00:45.300 First, we have key stretching. 18 00:00:45.300 --> 00:00:49.440 Key stretching works by repeatedly processing the user's key 19 00:00:49.440 --> 00:00:52.950 through thousands of rounds of hashing or encryption, 20 00:00:52.950 --> 00:00:55.140 transforming a simpler key 21 00:00:55.140 --> 00:00:59.250 into a longer and more complex one that's harder to crack, 22 00:00:59.250 --> 00:01:02.640 often extending the effective length of the key 23 00:01:02.640 --> 00:01:05.550 to at least 128 bits. 24 00:01:05.550 --> 00:01:08.250 This enhances the security of weak 25 00:01:08.250 --> 00:01:12.240 or short cryptographic keys by applying iterative hashing 26 00:01:12.240 --> 00:01:14.490 or encryption functions to them. 27 00:01:14.490 --> 00:01:16.380 This method strengthens keys, 28 00:01:16.380 --> 00:01:20.220 such as user-generated passwords or passphrases 29 00:01:20.220 --> 00:01:22.260 by making brute force attacks 30 00:01:22.260 --> 00:01:26.610 significantly more time consuming and resource intensive. 31 00:01:26.610 --> 00:01:28.410 While key stretching does not 32 00:01:28.410 --> 00:01:31.530 inherently make the key itself stronger, 33 00:01:31.530 --> 00:01:34.470 it greatly increases the computational power 34 00:01:34.470 --> 00:01:38.670 and time required for an attacker to brute force the key. 35 00:01:38.670 --> 00:01:41.700 This is because each brute force attempt 36 00:01:41.700 --> 00:01:45.570 must also go through the same key stretching process 37 00:01:45.570 --> 00:01:48.390 involving thousands of iterations. 38 00:01:48.390 --> 00:01:51.570 This slows down the attacker's progress, 39 00:01:51.570 --> 00:01:55.530 providing better security even for weak passwords. 40 00:01:55.530 --> 00:01:58.530 Two commonly used key stretching methods 41 00:01:58.530 --> 00:02:02.760 are Password-Based Key Derivation Function 2, 42 00:02:02.760 --> 00:02:06.450 or PBKDF2, and Bcrypt. 43 00:02:06.450 --> 00:02:09.840 PBKDF2 enhances security 44 00:02:09.840 --> 00:02:13.950 by combining the user's inputted password with a salt, 45 00:02:13.950 --> 00:02:18.300 which is random data added to make each password unique. 46 00:02:18.300 --> 00:02:21.600 PBKDF2 then uses a function 47 00:02:21.600 --> 00:02:25.800 called hash-based message authentication code, or HMAC, 48 00:02:25.800 --> 00:02:28.320 to mix the password and salt together. 49 00:02:28.320 --> 00:02:32.460 This mixing process is repeated thousands of times, 50 00:02:32.460 --> 00:02:35.220 making the resulting cryptographic key 51 00:02:35.220 --> 00:02:37.020 much harder to crack. 52 00:02:37.020 --> 00:02:42.020 Initially, PBKDF2 used about 1,000 iterations to be secure, 53 00:02:43.800 --> 00:02:47.160 but as computing power has increased, 54 00:02:47.160 --> 00:02:49.950 modern standards now often recommend 55 00:02:49.950 --> 00:02:53.160 at least 310,000 iterations 56 00:02:53.160 --> 00:02:56.730 when using HMAC with Secure Hash Algorithm 57 00:02:56.730 --> 00:03:01.080 or SHA-256 to strong protection. 58 00:03:01.080 --> 00:03:04.650 Salting is an integral part of key stretching. 59 00:03:04.650 --> 00:03:09.000 It adds random data to each password before hashing. 60 00:03:09.000 --> 00:03:12.300 This helps defend against password cracking methods 61 00:03:12.300 --> 00:03:15.870 such as dictionary attacks and rainbow tables. 62 00:03:15.870 --> 00:03:18.600 Each password gets a unique salt, 63 00:03:18.600 --> 00:03:21.780 ensuring that even identical passwords 64 00:03:21.780 --> 00:03:24.030 result in different hashes. 65 00:03:24.030 --> 00:03:27.780 This approach makes it much more difficult for attackers 66 00:03:27.780 --> 00:03:32.250 to use pre-computed rainbow tables to crack passwords, 67 00:03:32.250 --> 00:03:35.460 and it adds an additional layer of security 68 00:03:35.460 --> 00:03:39.420 without requiring users to change their password habits. 69 00:03:39.420 --> 00:03:43.200 So by using salts, key stretching ensures 70 00:03:43.200 --> 00:03:46.020 that even if one system is compromised, 71 00:03:46.020 --> 00:03:50.370 the unique salt prevents the reuse of the cracked password 72 00:03:50.370 --> 00:03:52.110 on other platforms, 73 00:03:52.110 --> 00:03:56.310 safeguarding user data across different environments. 74 00:03:56.310 --> 00:04:00.750 Next, Bcrypt is a popular key stretching method 75 00:04:00.750 --> 00:04:05.490 that uses repeated hashing and salting to enhance security. 76 00:04:05.490 --> 00:04:09.090 Bcrypt is designed as an adaptive function, 77 00:04:09.090 --> 00:04:12.960 allowing it to increase the iteration count over time, 78 00:04:12.960 --> 00:04:16.680 making it slower and more resistant to brute force attacks 79 00:04:16.680 --> 00:04:19.350 as hardware capabilities improve. 80 00:04:19.350 --> 00:04:24.350 This adaptability helps Bcrypt maintain robust security 81 00:04:24.420 --> 00:04:28.980 and is why it is widely used in many operating systems, 82 00:04:28.980 --> 00:04:33.980 including OpenBSD and various Linux distributions, 83 00:04:34.170 --> 00:04:38.130 to protect stored passwords against brute force 84 00:04:38.130 --> 00:04:40.530 and rainbow table attacks. 85 00:04:40.530 --> 00:04:43.530 A rainbow table attack is a hacking technique 86 00:04:43.530 --> 00:04:47.670 that uses pre-computed tables of hashed values 87 00:04:47.670 --> 00:04:50.250 paired with their plaintext inputs 88 00:04:50.250 --> 00:04:53.130 to quickly crack hashed passwords 89 00:04:53.130 --> 00:04:56.010 by finding hash value matches. 90 00:04:56.010 --> 00:04:59.970 This allows an attacker to compare an extracted hash 91 00:04:59.970 --> 00:05:03.120 with a list of pre-computed hashes 92 00:05:03.120 --> 00:05:06.270 and their associated plaintext passwords, 93 00:05:06.270 --> 00:05:09.060 significantly speeding up the process 94 00:05:09.060 --> 00:05:11.460 of finding the original password 95 00:05:11.460 --> 00:05:15.600 without having to guess each one individually. 96 00:05:15.600 --> 00:05:18.060 Second, we have key splitting. 97 00:05:18.060 --> 00:05:22.440 Key splitting enhances the protection of cryptographic keys 98 00:05:22.440 --> 00:05:25.290 by dividing them into multiple parts. 99 00:05:25.290 --> 00:05:29.100 That is to say taking a single cryptographic key 100 00:05:29.100 --> 00:05:31.590 and splitting it into separate pieces 101 00:05:31.590 --> 00:05:35.910 with each one being stored independently and separately. 102 00:05:35.910 --> 00:05:40.260 The idea is to ensure that no single part of the key 103 00:05:40.260 --> 00:05:43.080 can be used to access encrypt data. 104 00:05:43.080 --> 00:05:46.830 Only by combining all the separately stored parts 105 00:05:46.830 --> 00:05:51.030 can the original key be reconstructed and used. 106 00:05:51.030 --> 00:05:53.850 Key splitting increases security 107 00:05:53.850 --> 00:05:58.200 by reducing the risk associated with key compromise. 108 00:05:58.200 --> 00:06:01.140 Because even if an attacker gains access 109 00:06:01.140 --> 00:06:03.570 to one part of the split key, 110 00:06:03.570 --> 00:06:05.940 they cannot decrypt the information 111 00:06:05.940 --> 00:06:08.850 without obtaining all other key parts. 112 00:06:08.850 --> 00:06:13.320 This division of the key makes it significantly harder 113 00:06:13.320 --> 00:06:17.130 for attackers to exploit a single point of failure. 114 00:06:17.130 --> 00:06:18.480 For this reason, 115 00:06:18.480 --> 00:06:22.500 key splitting is often used in highly secure environments 116 00:06:22.500 --> 00:06:25.410 where multiple parties must work together 117 00:06:25.410 --> 00:06:28.020 to access sensitive information, 118 00:06:28.020 --> 00:06:32.460 ensuring that no single individual has complete control 119 00:06:32.460 --> 00:06:35.280 over the entire cryptographic key. 120 00:06:35.280 --> 00:06:40.050 For example, consider a secure online banking system 121 00:06:40.050 --> 00:06:42.810 where access to sensitive financial data 122 00:06:42.810 --> 00:06:46.500 requires three different components to work together. 123 00:06:46.500 --> 00:06:51.120 One part of the key is stored on the bank's secure servers. 124 00:06:51.120 --> 00:06:54.780 Another part is kept in a hardware security module 125 00:06:54.780 --> 00:06:57.450 that the IT department can access, 126 00:06:57.450 --> 00:07:02.190 and the final part is generated as a one-time access code 127 00:07:02.190 --> 00:07:04.950 that is sent directly to a user's device 128 00:07:04.950 --> 00:07:09.030 via a secure channel, such as an authenticator app. 129 00:07:09.030 --> 00:07:13.530 To gain access, all three parts of the key must be combined, 130 00:07:13.530 --> 00:07:16.860 the server stored key, the hardware module key, 131 00:07:16.860 --> 00:07:18.990 and a user's one-time code. 132 00:07:18.990 --> 00:07:22.830 This setup reflects key splitting in cryptography, 133 00:07:22.830 --> 00:07:25.410 where dividing keys into separate parts 134 00:07:25.410 --> 00:07:28.170 ensures that access is only granted 135 00:07:28.170 --> 00:07:31.320 when all necessary elements come together. 136 00:07:31.320 --> 00:07:35.010 Key splitting is particularly useful in scenarios 137 00:07:35.010 --> 00:07:38.490 requiring high levels of trust and security, 138 00:07:38.490 --> 00:07:42.570 such as financial transactions, government data protection, 139 00:07:42.570 --> 00:07:44.880 or sensitive corporate information. 140 00:07:44.880 --> 00:07:46.650 It helps mitigate risks 141 00:07:46.650 --> 00:07:49.110 by ensuring that no single entity 142 00:07:49.110 --> 00:07:51.900 has full access to the entire key, 143 00:07:51.900 --> 00:07:55.680 making unauthorized access much more challenging. 144 00:07:55.680 --> 00:07:59.910 So remember, key management involves generating, 145 00:07:59.910 --> 00:08:04.080 distributing, storing, and handling cryptographic keys 146 00:08:04.080 --> 00:08:06.600 securely throughout their lifecycle. 147 00:08:06.600 --> 00:08:10.350 To important key management techniques are key stretching 148 00:08:10.350 --> 00:08:11.820 and key splitting, 149 00:08:11.820 --> 00:08:15.690 each designed to enhance security in different ways. 150 00:08:15.690 --> 00:08:17.880 Key stretching strengthens weak 151 00:08:17.880 --> 00:08:20.040 or short cryptographic keys 152 00:08:20.040 --> 00:08:23.280 by applying iterative hashing or encryption, 153 00:08:23.280 --> 00:08:26.460 making brute force attacks much more difficult 154 00:08:26.460 --> 00:08:28.020 and time consuming. 155 00:08:28.020 --> 00:08:31.350 Key splitting, on the other hand, increases security 156 00:08:31.350 --> 00:08:35.340 by dividing a cryptographic key into multiple parts, 157 00:08:35.340 --> 00:08:39.810 ensuring that no single part can be used to access data 158 00:08:39.810 --> 00:08:42.690 and requiring all parts to be combined 159 00:08:42.690 --> 00:08:45.573 to reconstruct the original key.