Free Essay

Key Manage, Emt

In:

Submitted By midnightcowgrrl
Words 1040
Pages 5
Key Management Cheat Sheet

Introduction
This Key Management Cheat Sheet provides developers with guidance for implementation of cryptographic key management within an application in a secure manner. It is important to document and harmonize rules and practices for: key life cycle management (generation, distribution, destruction) key compromise, recovery and zeroization key storage key agreement across the organization.
Key Management General Guidelines and Considerations
Formulate a strategy for the overall organization's cryptographic strategy to guide developers working on different applications and ensure that each application's cryptographic capability meets minimum requirements and best practices. Identify the cryptographic and key management requirements for your application and map all components that process or store cryptographic key material.
Use only reputable crypto libraries that are well maintained and updated, as well as tested and validated by 3rd party organizations (e.g., NIST/FIPS)

Key Selection
Selection of the cryptographic and key management algorithms to use within a given application should begin with an understanding of the objectives of the application. For example, if the application is required to store data securely, then the developer should select an algorithm suite that supports the objective of Data-At-Rest (DAR) security. Applications that are required to transmit and receive data would select an algorithm suite that supports the objective of Data-in-Transit security. We have provided recommendations on the selection of crypto suites within an application based on application and security objectives.
Application developers oftentimes begin the development of crypto and key management capabilities by examining what is available in a library. However, an analysis of the real needs of the application should be conducted to determine the optimal key management approach. Begin by understanding the security objectives of the application which will then drive a determination of the cryptographic protocols that should be used.
For example, the objectives of the application may be: - Confidentiality of data at rest - Confidentiality of data in use - authenticity of data origin - authenticity of the end device - Integrity of data in transit - Confidentiality of data in transit
Once the understanding of the security needs of the application is achieved, developers can determine what protocols and algorithms are required. Once the protocols and algorithms are understood, you can you can begin to define the different types of keys that will need support the application's objectives. There are a diverse set of key types and certificates to consider, for example:
Encryption: - Symmetric encryption keys - Asymmetric encryption keys (public and private)
Authentication of End Devices: - Pre-shared symmetric keys - Trusted certificates - Trust Anchors
Data Origin Authentication - HMAC
Integrity Protection - Message Authentication Codes (MACs)
Key Encryption Keys
Key Strength
Review NIST SP 800-57 (Recommendation for Key Management) for recommended guidelines on key strength for specific algorithm implementations. Also, consider these best practices:
1. Establish what the application's minimum computational resistance to attack should be. Understanding the minimum computational resistance to attack should take into consideration the sophistication of your adversaries, how long data needs to be protected, where data is stored and if it is exposed. Identifying the computational resistance to attack will inform engineers as to the minimum length of the cryptographic key required to protect data over the life of that data. Consult NIST SP 800-131a for additional guidance on determining the appropriate key lengths for the algorithm of choice.
2. When encrypting keys for storage or distribution, always encrypt a cryptographic key with another key of equal or greater cryptographic strength.
3. When moving to Elliptic Curve-based algorithms, choose a key length that meets or exceeds the comparative strength of other algorithms in use within your system. Use NIST SP 800-57 Table 2

Formulate a strategy for the overall organization's cryptographic strategy to guide developers working on different applications and ensure that each application's cryptographic capability meets minimum requirements and best practices.
Memory Management Considerations
Perfect Forward Secrecy
Proxy Handling
Key Management Lifecycle Best Practices
Generation
Distribution
EndPoint Authentication
Algorithms and Protools
Integrity and Confidentiality
Storage
Developers must understand where cryptographic keys are stored within the application. Understand what memory devices the keys are stored on.
Keys must be protected on both volatile and persistent memory, ideally processed within secure cryptographic modules.
Keys should never be stored in plaintext format.
If you are planning on storing keys in offline devices/databases, then encrypt the keys using Key Encryption Keys (KEKs) prior to the export of the key material. KEK length (and algorithm) should be equivalent to or greater in strength than the keys being protected.
Ensure that keys have integrity protections applied while in storage (consider dual purpose algorithms that support encryption and Message Code Authentication (MAC)).
Escrow and Backup
Data that has been encrypted with lost cryptographic keys will never be recovered. Therefore, it is essential that the application incorporate a secure key backup capability, especially for applications that support data at rest encryption for long-term data stores. When backing up keys, ensure that the database that is used to store the keys is encrypted using a FIPS 140-2 validated module.
It is sometimes useful to escrow key material for use in investigations and for re-provisioning of key material to users in the event that the key is lost or corrupted. Never escrow keys used for performing digital signatures, but consider the need to escrow keys that support encryption. Oftentimes, escrow can be performed by the Certificate Authority (CA) or key management system that provisions certificates and keys, however in some instances separate APIs must be implemented to allow the system to perform the escrow for the application.
Tracking and Audit
Key Compromise and Recovery
Trust Stores
Design controls to secure the trust store against injection of 3rd party root certificates. The access controls are managed and enforced on an entity and application basis
Implement integrity controls on objects stored in the trust store.
Do not allow for export of keys held within the trust store without authentication and authorization.
Setup strict policies and procedures for exporting key material from applications to network applications and other components.
Implement a secure process for updating the trust store
Cryptographic Module Topics
Cryptographic Key Management Libraries
This article is focused on providing application security testing professionals with a guide to assist in managing cryptographic keys.

Similar Documents

Premium Essay

Bcp Planning and Development

...Company Virtual Solutions Inc. Foundations of Business Continuity Management Table of Contents Executive Summary 3 Introduction 5 About Company Virtual Solutions 6 The Current Status of Business Continuity Planning 6 Historical Context 6 The New Plan 8 Using Recovery Planner 8 Configuration for TPT 9 Presentation 9 Compliance 10 Comprehensive Planning 10 Leadership Approval 12 The Plan Strategy 12 Team Structure 12 Figure 1: The Business Continuity Plan Team Organizational Chart 13 Emergency Management Team 13 Business Continuity Team 14 Business Unit Teams 15 Fly Out Teams 16 Fire Teams 16 The Four Phases of the Plan 16 Figure 2: The four phases of the Plan 16 Phase I - Appraisal 17 Phase II – Recovery Coordination 18 Phase III - Production 18 Phase IV – Site Restoration 19 Business Unit Plan Structure 20 Alternative Sites 21 Planning Refinement Recommendations 22 Risk Assessment 22 Business Impact Analysis 22 Emergency Response 23 Disaster Recovery 23 Testing and Restoration 24 Future State 25 Comprehensive Business Planning 25 ACP Workflow Planning 26 Awareness and Training 27 Maintaining Support 27 Projected Timeline 28 Figure 3: Projected Timeline 29 Tasks 29 Conclusion 30 Sources 31 Appendix...

Words: 6761 - Pages: 28

Free Essay

System Evaluation Paper

...System Evaluation Paper CIS/207 January 05,2014 The system I will be discussing is used in an organization that I used to work in many years ago, but working in the medical environment, all systems seem to tie into new technology and growth for businesses to streamline, be cost effective, save time and to be able to manage the environment by a click of a mouse. The system used while I was working as an EMT, (Emergency Medical Technician) initially started with just radio communication between the ambulance and the ER. All documentation was written on a triplicate carbon progress note. The paperwork would be legal documentation that would transfer to the ER to continue with treating the patient. As new technology, insurance requirements, and federal and state guidelines changed regarding legibility of these documents so came the introduction of the wireless mobile units, which later developed into the use of a laptop and also integration of software that allowed the ability to transfer medical documentation in real time to any ER (Emergency Room) facility. The system also provides for the use of GPS (Global positioning system) tracking, which would give accurate locations of accident or emergencies. The new technology allows the portable system to be taken right to the patient, whether the patient is on the first floor, tenth floor or stuck in the attic. In years past, the assessment for the patient and medical history would have to wait until the patient...

Words: 691 - Pages: 3

Premium Essay

Ppaca

...EMRS in Ambulance Outline I. Introduction: EMRs for Ambulances/Paramedics – The term EMR is an electronic medical record system used to replace paper medical records with an online record which tracks a patient’s hospital history and medical care. A. Benefits: To incorporate the use of EMRs in ambulances would help not only the improvement of the clinical standards in health, but also the ability to manage key performance indicators, and health research. 1. This program is designed to improve such tasks as training for paramedics, review clinical standards, conduct pre-hospital research, audit dispatch priority codes, and design services for the future. 2. Health services will always adapt to meet growing population needs. The EMR will significantly improve the delivery and quality of patient care as well as streamline clinical workflow, therefore is in the best interest to adopt this program. II. Demand Analysis: The expected demand is substantial because of the extent of the geographic service area covered, the huge number of ambulances where EMR’s will be installed in the geographic service area, the real and urgent need the product will address. A. The geographic service area which will benefit from EMR would be the entire United States considering that ambulance service is made available to patients by all hospitals all over the country and by Emergency medical teams in every city. B. The total number of ambulances all over the country...

Words: 2309 - Pages: 10

Premium Essay

Student Needing Help

...scope of this plan is limited to . This is a business continuity plan, not a daily problem resolution procedures document. Plan Objectives 0 Serves as a guide for the TnA recovery teams. 1 References and points to the location of any data that resides outside this document. 2 Provides procedures and resources needed to assist in recovery. 3 Identifies vendors and customers that must be notified in the event of a disaster. 4 Assists in avoiding confusion experienced during a crisis by documenting, testing and reviewing recovery procedures. 5 Identifies alternate sources for supplies, resources and locations. 6 Documents storage, safeguarding and retrieval procedures for vital records. Assumptions 7 Key...

Words: 5176 - Pages: 21

Free Essay

Emt Education Standards

...Emergency Medical Technician-Basic: National Standard Curriculum EMT-Basic: National Standard Curriculum Instructor's Course Guide ------------------------------------- EMT-BASIC: NATIONAL STANDARD CURRICULUM PROJECT DIRECTOR David J. Samuels, MBA System Director Samaritan AirEvac/Emergency Medical Services Samaritan Health System Phoenix, AZ CO-MEDICAL DIRECTORS Henry C. Bock, MD, FACEP Emergency Physician Methodist Hospital of Indiana, Inc. Indianapolis, IN Kimball I. Maull, MD, FACS Director R Adams Cowley Shock Trauma Center Baltimore, MD PRINCIPAL INVESTIGATOR Walt A. Stoy, Ph.D., EMT-P Director of Educational Programs Center for Emergency Medicine Research Assistant Professor of Medicine University of Pittsburgh School of Medicine Pittsburgh, PA Contract Number DTNH22-90-C-05189 -------------------------------------United States Department of Transportation National Highway Traffic Safety Administration EMT-Basic: National Standard Curriculum i EMT-Basic: National Standard Curriculum Instructor's Course Guide ------------------------------------- CURRICULUM DEVELOPMENT GROUP James Bothwell, EMT-P National Flight Paramedics Association William Brown, RN, NREMT-P National Registry of Emergency Medical Technicians Ricky Davidson International Association of Fire Chiefs Karla Holmes, RN National Council of State EMS Training Coordinators Richard Judd, Ph.D., EMSI National Association of Emergency Medical Technicians Kathryn Lewis, RN, Ph...

Words: 36133 - Pages: 145

Premium Essay

Computer

...Chapter 1 1. In which of the IT domains is a database considered a major component of risk? LAN domain 2. What are the risk management techniques? Avoidance, Transfer, Mitigation, Acceptance, 3. A CBA is an effort to Cost and benefit. 4. True or false: Programming bugs is a technique for mitigating vulnerabilities. 5. True or false: Intrusion detection is a technique for mitigating vulnerabilities. 6. True or false: Incident response is a technique for mitigating vulnerabilities. 7. True or false: Continuous monitoring is a technique for mitigating vulnerabilities. 8. A DoS attack is a threat action affecting which IT domain? Wan Domain Chapter 3 9. True or false: HIPAA applies to Federal agencies. 10. True or false: HIPAA applies to health insurance companies. 11. True or false: HIPAA applies to publicly-traded companies. 12. True or false: HIPAA applies to educational institutions. 13. True or false: FERPA applies to Federal agencies. 14. True or false: FERPA applies to health insurance companies. 15. True or false: FERPA applies to publicly-traded companies. 16. True or false: FERPA applies to educational institutions. 17. Which standard contains eight principles specific to security? 18. Which standard gives detailed descriptions of IT practices and comprehensive checklists, tasks, and procedures that can be tailored by IT organizations to fit their needs? ITIL 19. Which agency enforces the SOX...

Words: 777 - Pages: 4

Premium Essay

Final Project Risk Managment

...Introduction of the purpose and importance of risk management Risk management planning is a critical and often overlooked process on every project.  Allowing for the proper amount of risk planning in your project schedule can mean the difference between project success and project failure when those potential risks become real issues. The plan is only the output of the process. It details how the process will be implemented, monitored, and controlled through the life of this project. It details how the group will manage risks but doesn’t attempt to define the responses to individual risks. Risks come about for many reasons, some are internal to the project, and some are external such as but not limited to the project environment, the management process, planning process, inadequate resources, and other unforseen instances that can contribute to risk. Risks associated with the project generally concern the objectives, which turn to impact time, cost, or quality, or combination of those three things. Risk management provides assurance that an organization can create and implement an effective plan to prevent losses or reduce the impact if the a loss occurs. A good plan includes strategies and techniques for recognizing and confronting the threats, solutions for both preventing and solving the situation and indicates financial opportunities. An effective risk management practice does not terminate risks. However, an effective and operational risk management practice demonstrates...

Words: 3711 - Pages: 15

Free Essay

Personal Impact Paper

...2016 Personal Impact Paper Living with a chronic disorder may affect a person and their family's lives. These disorders affect a person's physical and psychological health, emotions, independence, and their jobs. Depending on the disorder and severity determines treatment options that can affect the person financially. With today's medicine, technology, and resources people can manage and live a life. Learning to live with a chronic disorder can be emotional and takes time to accept. Millions of people worldwide live with epilepsy. One in twenty-six will develop epilepsy. The causes are unknown in two-thirds of patients. This neurological disorder causes a disruption in brain cells, which can cause seizures, sensations, unusual behavior, or loss of consciousness. Epilepsy treatment depends on the severity and frequency of seizures, a person's overall health, medical history, and age. These treatments may include medication, diets, surgery, epilepsy devices, and epilepsy first aid. A young woman, Nichole was nineteen years old, and just completed an emergency medical technician (EMT) school when she had her first grand mal seizure. She had to learn about and how to live with this disorder. As a way to help herself and others, she began posting videos titled Nichole's epilepsy on youtube.com: https://www.youtube.com/channel/UC1BIjErzoq8oH9apq_DPpiw. She shares her feelings of depression and the loss of her independence. Over time, she found a way to focus on what...

Words: 1120 - Pages: 5

Premium Essay

New Paper

...1. List the Seven Domains of a Typical IT infrastructure and their Weakness. a. User Domain- People b. Workstation Domain- Malware and patches not up to date c. LAN Domain- Data in the network d. LAN-to-WAN Domain- Malicious software outside the network e. Remote Access Domain- Infected with virus and not knowing f. WAN Domain- Anything over the internet g. System/ Application Domain- Servers 2. What is Risk Management and list the various risk management techniques. Risk management is the thought of handling risk. The techniques are avoidance, transfer, mitigate, and accept 3. List examples for the various risk mitigating techniques. h. Alter the physical environment i. Change procedures j. Add fault tolerance k. Modify the technical environment l. Train employees 4. What is a CBA and why would you perform one? A CBA is a cost benefit analysis and you would perform one to help determine which controls or counter-measures to implement. 5. U.S. Laws Affecting Compliance Law | Security Summary | Affects | Federal Information Security Management Act (FISMA) | Ensure that federal agencies protect their data | Federal Agencies- the government | Health Insurance Portability and Accountability Act (HIPPA) | Ensures that health information data is protected | Anybody with health information | Gramm-Leach-Bliley Act (GLBA) | Ensures that companies protect customers data, |...

Words: 1408 - Pages: 6

Free Essay

Ethical Behavior on Managers

...energy efficiency. Smart Metering System: it consisting of Smart meters – two-way communications-enabled meters that capture the amount of power consumed when it occurred – plus metering telecommunications and an Automated Data Collection System. Program Delivery Scope: The scope consisting of overall activities and services including project management and controls such as inspection and quality control; revenue meter deployment; customer complaint handling; administration and contract management; information and data coordination, stakeholder engagement and community communications. Organizational Structure: An organizational structure has been designed to facilitate delivery of the smart metering (SM) Program. The considered key units are 1. Meter Deployment Office which is responsible for delivering the entire smart meter installation; it is liable to organize and coordinate deployment teams, crews and technicians in the service centers. 2. Meter and Customer Data Coordination Office which is responsible to organize every meter change related data and send to the Regional billing system. 3....

Words: 4261 - Pages: 18

Premium Essay

Project Management Software

...DEPARTMENT OF ESTATE MANAGEMENT FACULTY OF ARCHITECTURE, PLANNING AND SURVEYING, UNIVERSITI TEKNOLOGI MARA PERAK GROUP ASSIGNMENT FOLDER Course Code EMT 110 Course Name Information Technology In Property Management Name of Group Members | Matric No | MUHAMAD KAMARUDDIN BIN MAT MAIDI | 2013609712 | MUHAMMAD IKLAS BIN ALI | 2013658224 | MUHAMAD FIKRIE BIN MOHAMED | 2013400158 | NUR AZWA ASNINA BINTI A.AZIZ | 2013604618 | NUR FAZLIN BINTI MAZLAN TAJUDDIN | 2013676002 | Name of Group Leader: Matric No: MUHAMAD KAMARUDDIN BIN MAT MAIDI 2013609712 | Assignment Title : PROJECT MANAGEMENT SOFTWARE | Due date of Assignment : 14/8/2013 Submission Date : 14/8/2013 | DECLARATION : We declare that no part of of this assignment has been copied from other person’s work except where due acknowledgement is made in the text, and no part of this assignment has been written for me by any other person except where such collaboration has been authorised by the lecturer concerned Group’s Leader Signature............................................................. Date........................................ A lecturer/tutor has and may exercise a right not to mark this assignment if the the above declaration has not been signed. If the above declaration is found to be false, no mark...

Words: 2246 - Pages: 9

Premium Essay

Task Force of New Orleans Disaster Recovery Research

...The global risk of hurricane disaster is increasing due to human activity. Populations are concentrating along the world's coastlines, particularly in large urban areas. Improved forecasting and emergency response have lowered hurricane casualty rates, but as more people and infrastructure move into harm's way, storms are likely to become more destructive. The primary cause of hurricane-related fatalities over the past 30 years has not been storm surge or winds, but inland flooding. Most hurricanes produce rainfall of 6 to 12 inches (15 to 30 centimeters), and slow-moving storms can be particularly dangerous for inland residents. Hurricane Katrina of the 2005 Atlantic hurricane season was the costliest natural disaster, as well as one of the five deadliest hurricanes, in the history of the United States. Among recorded Atlantic hurricanes, it was the sixth strongest overall. At least 1,836 people died in the actual hurricane and in the subsequent floods, making it the deadliest U.S. hurricane since the 1928 Okeechobee hurricane and Hurricane Andrew in 1992. Hurricane Katrina formed over the Bahamas on August 23, 2005 and crossed southern Florida as a moderate Category 1 hurricane, causing some deaths and flooding there before strengthening rapidly in the Gulf of Mexico. The storm weakened before making its second landfall as a Category 3 storm on the morning of Monday, August 29 in southeast Louisiana. It caused severe destruction along the Gulf coast from central Florida to...

Words: 1615 - Pages: 7

Premium Essay

Huawei Case Study

...p110) With the development of Huawei , the company become bigger and bigger , consist of around180,000 employees around the world and 36 joint innovation centres , 15 research centres added to the innovation process .Huawei.com This fast pace expanding bring communication issues , at such , new ideas of innovation passing from country to country , department to department become difficult . As a Chinese multinational hi-tech company, Huawei needs to adapt itself to different local cultural and embed its innovation by nature character, embrace openness, competition and collaboration complement each other. Bringing excellent innovative individual to work together to contribute to the company, minimise employee’s resistance to change and how to manage employees from diverse cultures are another challenge that Huawei is...

Words: 1815 - Pages: 8

Free Essay

Job Working for the Gov

...Job Application Background What is your citizenship status? Are you willing to relocate to the Washington, DC area? Are you currently living/working outside the United States or its territories? Are you planning to travel outside the United States or its territories in the next year? Do you authorize us to share your resume with other elements of the federal government for employment purposes? How did you learn about this web site? US Citizen Yes No Yes Yes I went straight to the CIA website Preferences and Expertise Preference Salary Preferences Is salary negotiable? Work Preferences Travel Preferences Additional Job Information $40,000.00 Yes Full Time Frequent Domestic and Foreign Travel Experiences X None are applicable Adjudication experience Arabic language skills Autotrack Canine Handler/Team Member Canine Training Chinese language skills Commentator profiles Elicitation experience Explosives Federal government personnel security investigations Foreign media collection French language skills Greek language skills HAZMAT/CBRN response Indonesian language skills Instructor - Security and/or law enforcement training Internet research Interpretation techniques Interrogation experience Interviewing experience Investigative experience Japanese language skills Korean language skills Law enforcement Marine security guard Medical defensive tactics Microsoft Access Microsoft Excel Microsoft PowerPoint Microsoft Publisher Microsoft Word Military police officer Military...

Words: 2588 - Pages: 11

Premium Essay

Mister

...The School Access to Emergency Epinephrine Act (S.1884 and H.R 3627) is a bill that will inspire states to enact laws that will permit schools to keep stock epinephrine (epipen) in the school medicine cabinet. The epinephrine will not be prescribed for any particular student and will be readily available for any student having anaphylaxis. The bill will also allow school staff to administer epinephrine without any liability. Moreover, any school that adopts this legislation will be given preferences when applying for asthma related government grants from health and human resources department (TheHill.com, 2012). Just recently, a first grader, Amarria Johnson of Virginia State died after experiencing an episode of anaphylaxis from eating peanut. Her death could have been prevented, but the school had no epinephrine on hand to save her life(TheHill.com,2012).According to the National Institute of Allergy and Infectious Disease (2011),the delay in using epinephrine is closely associated with death from anaphylaxis,expecially anaphylaxis resulting from peanuts allergy (niaid,2011).Symptoms of anaphylaxis include itching ,swelling of lips and tongue, tightness of throat, skin hives, vomiting, diarrhea ,cramps, shortness of breath, cough, wheezing, weak pulse, dizziness and passing out (niaid,2011). According to Gregory Nancy (July 2012), about eight percent of American children are affected by allergies. Six million children have food allergy and about forty percent of those...

Words: 4877 - Pages: 20