
Guide: What is KMI (Key Management Infrastructure)?
One of the most critical elements of modern information security is encryption. Cryptography is a complex field shaped by the ongoing contest between those seeking secure ways to protect data at rest and in transit and those seeking to break that protection.
Encryption is extremely commonplace. Most websites you visit use TLS (Transport Layer Security, the successor to SSL, the Secure Sockets Layer), which encrypts data traveling between your device and the servers hosting the website. Services like Google Drive encrypt the data stored on their servers and pair that encryption with access controls, so that only accounts granted permission can read it.
At the other end of the spectrum, approved encryption standards are a key part of the NIST security controls behind both FedRAMP and CMMC, and ISO 27001 strongly encourages cryptographic controls for securing business data.
Without encryption, there can be little digital security. Anyone who can reach a piece of unencrypted data, whether by opening the door to it or peeking in a window, can read it as plain as day.
What does all of this have to do with KMI? KMI stands for Key Management Infrastructure, and it’s a critical part of modern-day cryptography. To understand, we need a bit of a crash course in encryption, so let’s dig right in.
The Basics of Encryption
Before we begin, this section is an extremely simplified overview and serves solely to illustrate basic concepts, not as any sort of guide for implementation.
Encryption is a way of taking useful data – whether it’s a sentence or a huge file – and making it unintelligible to all but those authorized to understand it. It’s something children do in school to share notes, and it’s something governments do to secure military operations.
A very simple example is a Caesar cipher or ROT cipher. Take this sentence:
“This is a test sentence.”
Apply an encryption method to it, and you get:
“Guvf vf n grfg fragrapr.”
A Caesar Cipher is very simple; it just shifts the letters of the alphabet down some number of steps. A ROT-5 cipher would shift a letter five over: A becomes F, B becomes G, and so on.
The “key” to the cipher is the shift amount: the number of steps the letters were moved, which the recipient must know in order to move them back. In this example the key is 13, the ROT13 variant, one of the most common choices because shifting by 13 twice returns the original text, so the same operation both encrypts and decrypts.
Obviously, this isn’t a strong method of encryption. It’s trivial to notice, trivial to decode (there are only 25 possible keys to try), and not secure at all. It’s useful for hiding spoilers when discussing TV shows, not for sensitive data. But it’s a useful example to demonstrate what a key is: the secret parameter needed to encrypt and/or decrypt the data.
Modern cryptography relies on advanced mathematics, such as the difficulty of factoring large numbers or computing discrete logarithms, to produce ciphertext that can only be recovered with the right key. Security does not come from the algorithm being complicated or secret: the algorithm is assumed to be public (Kerckhoffs’s principle), and what protects the data is a well-analyzed algorithm combined with a key drawn from a space far too large to search exhaustively. A short key can be brute forced with modern computing power no matter how clever the algorithm. Whatever the algorithm, in order to be useful it still needs a key, and everything depends on that key staying secret.
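To make the cipher and the brute-force point concrete, here is an added example (not code from the original post) that implements the ROT/Caesar cipher from the example above, recovers the page’s sentence by trying all 25 keys, and then recovers the key from ciphertext alone using letter frequencies. The English letter-frequency table is an assumed set of rounded reference values, and the crib word “test” is chosen by the attacker as a word expected in the plaintext.

```python
from __future__ import annotations

# Approximate relative frequencies of letters in English prose (percent).
# Assumed, rounded reference values used only to score candidate decryptions.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def caesar(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` places (mod 26), keeping case and
    leaving digits, spaces and punctuation untouched. shift=13 is ROT13;
    decryption is the same function called with -shift."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext: str, crib: str) -> list[tuple[int, str]]:
    """Exhaustive key search. The key space has only 25 non-trivial values,
    so the attacker tries them all and keeps every candidate plaintext that
    contains a word (the crib) they expect to see."""
    crib = crib.lower()
    hits = []
    for shift in range(1, 26):
        candidate = caesar(ciphertext, -shift)
        if crib in candidate.lower():
            hits.append((shift, candidate))
    return hits


def guess_shift(ciphertext: str) -> int:
    """Ciphertext-only attack: score each candidate shift by how closely the
    resulting letter distribution matches English and return the best one.
    No crib is needed, only enough text for the statistics to be meaningful."""
    best_shift, best_score = 0, float("-inf")
    for shift in range(26):
        candidate = caesar(ciphertext, -shift).lower()
        score = sum(ENGLISH_FREQ.get(ch, 0.0) for ch in candidate)
        if score > best_score:
            best_shift, best_score = shift, score
    return best_shift


if __name__ == "__main__":
    plaintext = "This is a test sentence."      # the sentence from the post
    ciphertext = caesar(plaintext, 13)          # ROT13
    print(ciphertext)
    print(caesar(ciphertext, 13))               # ROT13 is its own inverse
    print(brute_force(ciphertext, "test"))      # only one shift yields the crib
    print("recovered shift:", guess_shift(ciphertext))
```

The point a practitioner should take away is that the attack never needed the algorithm to be secret; it needed the key space to be searchable, and 25 keys are searched in microseconds. The same reasoning, with a far larger exponent, is why modern ciphers specify minimum key lengths.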
Managing the keys to encrypted data is essential. After all, if the key is compromised, the encryption is valueless.
What is Key Management Infrastructure?
You can now recognize that keys are important, and managing those keys is critical, so you can get an idea that key management infrastructure, or KMI, is the way that’s done. But what is KMI, in a practical sense?
The definition of KMI from NIST is:
“The framework and services that provide the generation, production, storage, protection, distribution, control, tracking, and destruction for all cryptographic keying material, symmetric keys as well as public keys and public key certificates.”
KMI is part of cryptographic key management, which is part of COMSEC (communications security), which is part of INFOSEC (information security). As such, different organizations have different definitions, allowable paradigms, and sets of hardware and software to manage it all.
At Ignyte, we’re primarily concerned with the interaction between private businesses and the government through frameworks like FedRAMP and CMMC. That means when it comes to KMI, we’re going to be looking at what the government mandates.
In this case, while COMSEC itself can be disparate and have different meanings and rules for different entities (like different branches of the military or government contractors), KMI does not. Government KMI stems from the National Security Agency’s programs.
The NSA launched the planning initiative for KMI all the way back in 1999. Modern KMI is a replacement for a previous system known as EKMS, the Electronic Key Management System. Same concept, different execution.
Any governmental system that needs to be considered secure and NSA-approved will need to use this NSA-backed KMI system. Branches of the military and agencies within the Department of Defense all deal with this directly. It’s also used throughout other federal agencies and even partners in coalitions and governmental allies.
In a specific sense, KMI is a combination of digital and physical services. On the digital front, it includes the algorithms used to generate keys, the software used to encrypt and decrypt data using those keys, and the protocols used to transmit encrypted data. Physically, it encompasses a variety of hardware used for both key management and authentication, such as:
- Barcode scanners.
- Physical authentication tokens.
- HAIPEs, or High Assurance Internet Protocol Encryptors.
- AKPs, or Advanced Key Processors.
KMI does not include individual training or behavior. Training and behavior are required to properly use secure systems, but that’s part of COMSEC, not part of KMI itself.
What Are the Benefits of NSA KMI?
Using the key management infrastructure provided by the NSA brings with it many benefits.
One of the most important is, of course, the encryption itself. The NSA is at the forefront of encryption technologies, positioned as they are as the primary adversary for other governments seeking to break it – and as our agency for breaking the encryption of others. Using the NSA-standard encryption protocols and hardware provides effectively the best possible encryption.
A secondary benefit, but one that is no less important, is that the NSA handles all of the support and management of their KMI systems. Prior to the NSA starting the KMI program, key management was largely left to individual departments and contractors. This meant that there could be a wide range of different standards of implementation and that support had a long, expensive tail.
Third, KMI systems are all on the same standard and, thus, interoperable. Each branch of the military, for example, uses the same KMI systems so they can operate together without undue friction. This extends to contractors within the defense ecosystem as well.
Who Needs NSA KMI?
So far we’ve talked a lot about what encryption is, what KMI is, and the benefits it brings to the table. Now we come to the crux of the issue: who needs NSA KMI?
The NSA provides its key management infrastructure to agencies, departments, military branches, and defense contractors who need it. However, there’s a reasonable chance that if you’re reading this, you’re not one of those entities.
This is because here at Ignyte, we’re generally talking about security and compliance frameworks like CMMC and FedRAMP. These frameworks exist for companies seeking to work with government agencies as contractors handling CUI, or Controlled Unclassified Information.
The critical word here is the middle one: Unclassified.
Frameworks like CMMC specify that systems must have encryption in place. However, they do not require NSA-standard KMI for that encryption.
This is because, while the NSA provides KMI to standardize encryption across governmental agencies and allies, access to it is still tightly restricted. The more widespread it is, the more opportunity there is for adversaries to obtain, analyze, reverse-engineer, compromise, or break the KMI systems.
NSA KMI is meant for entities one step above those that CMMC applies to: business partners and government entities that handle classified information. It’s serious business, taken seriously, and at that level, something more than commercial off-the-shelf encryption standards is required.
This is all exemplified by the fact that the NSA documentation for much of their KMI systems isn’t even accessible if you’re not already on a DoD-authenticated system.
This is why a business looking to pass a CMMC audit can apply encryption but doesn’t necessarily need specific authentication token devices or things like AKPs or HAIPEs. While they could provide better security, that better security is both not necessary at that level and potentially poses a risk to the systems that do need it.
NSA KMI is used by the NSA itself, other entities throughout the Department of Defense, other governmental agencies, the military, and a limited selection of domestic business partners that need to access and handle classified and secret data. Some allied agencies may also use it.
Could You Adopt NSA KMI?
No.
Generally speaking, unless you are in a position to be handling truly classified data, you are not going to have access to the NSA’s key management infrastructure.
When we discuss frameworks like CMMC, we often mention that it’s only required to be a government contractor, but a private business could implement the practices (or even pursue certification) to prove their security level and potentially win contracts.
That concept applies to the level where CUI is handled but not where classified data is handled. In a way, NSA KMI can be viewed as out of reach for all but the highest, most trusted entities.
That said, if you handle sensitive enough data and you want higher-tier security akin to NSA KMI, there are options available.
Private Sector KMI
Key management is important for any encrypted system, even if that system is not part of the government. While there’s an argument to be made that commercial key management will always be a step behind what the NSA has to offer, it’s still critical to maintain adequate security against the adversaries a business actually faces.
Key management infrastructure is not unique to the NSA, though in U.S. government usage the term “KMI” usually refers to the NSA’s program. Key management, in general, is a concept well-discussed throughout the security sphere.
Commercial key management involves handling potentially hundreds or thousands of encryption keys at any given time and keeping them secure throughout the life cycle of a key:
- The generation of the encryption key
- The distribution of the encryption key to those who need it
- The storage of the key in a secure fashion where it can be used as authorized but safe from unauthorized use
- The actual use of the encryption key for cryptographic operations
- The rotation of keys on a schedule, or after a suspected compromise, to limit how much data any single key protects
- The eventual revocation and destruction of keys when they are no longer necessary
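The lifecycle above is easier to reason about as a state machine. The following is an added example, not code from the original post or from any product, of a minimal key manager written with only the Python standard library: it generates keys, stores them, uses them (here for HMAC-SHA256 message authentication, since the standard library has no block cipher), rotates them so that old data still verifies while new data moves to the fresh key, revokes a compromised key so it fails closed, and finally overwrites and destroys it, logging every event for tracking. The state names loosely follow the NIST SP 800-57 model; distribution of keys to other parties is not shown, and the in-memory storage is an assumption for illustration where a real deployment would use an HSM or a managed key service.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class KeyState(Enum):
    """Lifecycle states, loosely following NIST SP 800-57."""
    ACTIVE = "active"              # may protect new data and verify old data
    DEACTIVATED = "deactivated"    # retired by rotation: verify only
    COMPROMISED = "compromised"    # revoked: must not be used for anything
    DESTROYED = "destroyed"        # material overwritten and discarded


@dataclass
class ManagedKey:
    key_id: str
    material: bytearray            # mutable so destroy() can overwrite it
    state: KeyState


class KeyManager:
    """Generates, stores, uses, rotates, revokes and destroys HMAC-SHA256 keys.
    Keys live in process memory here (an illustrative assumption); a real
    deployment keeps them in an HSM or key service and hands out only key IDs."""

    def __init__(self) -> None:
        self._keys: dict[str, ManagedKey] = {}
        self._active_id: Optional[str] = None
        self.audit: list[str] = []   # control and tracking: every event is logged

    def _log(self, event: str, key_id: str) -> None:
        self.audit.append(f"{event} {key_id}")

    def state(self, key_id: str) -> KeyState:
        return self._keys[key_id].state

    def rotate(self) -> str:
        """Generate a fresh key and make it the only key used for new data.
        The previous active key is deactivated, not destroyed, so data already
        protected under it can still be verified (or re-protected) later."""
        if self._active_id is not None:
            self._keys[self._active_id].state = KeyState.DEACTIVATED
            self._log("deactivate", self._active_id)
        key_id = secrets.token_hex(8)
        material = bytearray(secrets.token_bytes(32))   # 256-bit key from the OS CSPRNG
        self._keys[key_id] = ManagedKey(key_id, material, KeyState.ACTIVE)
        self._active_id = key_id
        self._log("generate", key_id)
        return key_id

    def protect(self, data: bytes) -> tuple[str, bytes]:
        """Use: compute a MAC over data with the active key. The key ID travels
        with the tag so the verifier knows which key version to use."""
        if self._active_id is None:
            raise RuntimeError("no active key; call rotate() first")
        key = self._keys[self._active_id]
        tag = hmac.new(bytes(key.material), data, hashlib.sha256).digest()
        self._log("protect", key.key_id)
        return key.key_id, tag

    def verify(self, key_id: str, data: bytes, tag: bytes) -> bool:
        """Verify a tag under the named key. Only ACTIVE and DEACTIVATED keys
        may verify; an unknown, COMPROMISED or DESTROYED key fails closed."""
        key = self._keys.get(key_id)
        if key is None or key.state not in (KeyState.ACTIVE, KeyState.DEACTIVATED):
            self._log("verify-refused", key_id)
            return False
        expected = hmac.new(bytes(key.material), data, hashlib.sha256).digest()
        self._log("verify", key_id)
        return hmac.compare_digest(expected, tag)   # constant-time comparison

    def revoke(self, key_id: str) -> None:
        """Mark a key compromised. It can no longer protect or verify anything;
        data under it must be re-protected with a trusted key."""
        key = self._keys[key_id]
        key.state = KeyState.COMPROMISED
        if self._active_id == key_id:
            self._active_id = None
        self._log("revoke", key_id)

    def destroy(self, key_id: str) -> None:
        """Overwrite the key material and drop it. Refuses to destroy the active
        key, which would silently break every later protect() call. Caveat:
        Python cannot guarantee no copies of the bytes remain elsewhere in
        memory; real zeroisation needs hardware or a lower-level language."""
        key = self._keys[key_id]
        if key.state is KeyState.ACTIVE:
            raise RuntimeError("rotate or revoke the active key before destroying it")
        for i in range(len(key.material)):
            key.material[i] = 0
        key.material = bytearray()
        key.state = KeyState.DESTROYED
        self._log("destroy", key_id)


if __name__ == "__main__":
    km = KeyManager()
    k1 = km.rotate()                                 # initial provisioning
    kid, tag = km.protect(b"constructed sample record")
    k2 = km.rotate()                                 # scheduled rotation
    print(km.verify(k1, b"constructed sample record", tag))   # old data still verifies
    km.revoke(k1)                                    # suspected compromise
    print(km.verify(k1, b"constructed sample record", tag))   # now refused
    km.destroy(k1)
    print(km.audit)
```

Two design choices carry over to real systems regardless of the cipher or MAC in use: the key ID is bound to every artifact so verification never has to guess which version produced it, and revocation is a separate state from deactivation, because a key retired on schedule is still trustworthy for reading old data while a compromised one is not.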
Commercial key management can be done with hardware security modules (HSMs), managed key management services, or open-source key management software built on open standards such as KMIP. Numerous companies provide key management services, available and integrated throughout the private sector.
So, if you’re a business and you want some form of key management to assist with ensuring the strongest security you can implement, there are many options out there. They may or may not be fully relevant to the goals you want to achieve as part of CMMC or other commonplace security frameworks, but they’re a step ahead of the casual security of less security-conscious businesses.
How can we help? At Ignyte, we aren’t providing key management or encryption services. While we’ve worked with military organizations like the Air Force on projects like the design of the Ignyte Assurance Platform, it’s not in our realm to step on the toes of the NSA here.
So, if you’re looking to become part of the Defense Industrial Base or work with the federal government, and you need to achieve standards for frameworks like DFARS, CMMC, or FedRAMP, we can help. Feel free to reach out at any time! If you’re seeking higher-tier security and want to use the NSA’s key management infrastructure, you’re better served talking to the program management office directly. And, if you want non-NSA key management services, there are many options available commercially for a wide range of different needs.
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/security/kmi-key-management-infrastructure/