Cryptography in today’s IT security industry is, at its core, the field of inquiry surrounding the encryption and decryption of information. Cryptographic algorithms are developed, tested and then applied, ideally securing information so that only authorized users have access to it. IT security standards find their place in promoting mechanisms that are reliable and increasing their interoperability, as well as helping to prevent the inadvertent introduction of security weaknesses.
Since the advent of the computer, the complexity of both cryptographic algorithms and cryptanalysis (systematic encryption breaking), as well as sheer processing power have all been steadily increasing, making it so that most encryption methods used today are not perfectly secure but rather so difficult to break as to be practically and realistically unbreakable at the time of their implementation. However, as progress is made in the field of cryptography, earlier algorithms become vulnerable and insecure. Here, IT security standards advocate the use of mechanisms (specific algorithms and their implementations) that are determined to be secure for a given task.
Key management is the direct application of cryptography in the IT security field. Essentially, key management is situated between cryptography and cryptographic entity authentication. As the security of encrypted information depends on the security of the key that decrypts it, IT security standards also address the various environments within which cryptographic keys are established and distributed. In doing so, IT security standards assure that any subsequent information encrypted with keys established and distributed securely will also be secure, increasing the security of the system as a whole.
Today’s cryptographic key management is largely based around symmetric and asymmetric encryption algorithms. Symmetric algorithms use a single private key for both encryption and decryption of data. Asymmetric algorithms differ in that they encrypt data with a public key and then decrypt it with a private key. The advantage of asymmetric encryption is rooted in the publically known encryption key, allowing anybody to encrypt information in such a way that only the entity holding the private key can decrypt it. In exchange for this advantage, asymmetric key algorithms are significantly more resource intensive and rely upon complicated theorems in mathematics, themselves creating a demand for progress in the field of mathematics.
One underlying aspect of the field of cryptography is the widespread acceptance of Shannon’s Maxim, “The enemy knows the system,” a design philosophy that requires methods of encryption to remain secure even if a malevolent entity knows everything there is to know about the system with the exception of the private key. This allows for cryptographic algorithms and key management mechanisms to be released for wide review prior to widespread use. Combining this with a development process focusing heavily on consensus, IT security standards reflect what the IT industry as a whole considers secure.
Some packages of IT security standards regarding Cryptography and Key Management, as well as individual ones:
- DIGITAL SIGNATURE/CRYPTOGRAPHY PACKAGE
- ISO 11568 – BANKING KEY MANAGEMENT PACKAGE
- ANSI Key Management
- Prime number generation
- Key establishment using Integer Factorization Cryptography
- NFC-SEC cryptography standard using ECDH and AES
- NFC-SEC cryptography standard using ECDH-256 and AES-GCM
- Cryptographic techniques based on elliptical curves
- Digital signatures with appendix