1
00:00:00,700 --> 00:00:02,300
<v ->In the lessons in this section,</v>

2
00:00:02,300 --> 00:00:04,910
I've spoken a lot about encryption keys.

3
00:00:04,910 --> 00:00:06,010
I've also mentioned earlier

4
00:00:06,010 --> 00:00:07,740
that the strength of any encryption

5
00:00:07,740 --> 00:00:10,100
is based on the security of that key.

6
00:00:10,100 --> 00:00:10,933
Because of this,

7
00:00:10,933 --> 00:00:13,480
it's important to understand proper key management.

8
00:00:13,480 --> 00:00:15,940
But what exactly is key management?

9
00:00:15,940 --> 00:00:18,280
Well, key management refers to how an organization

10
00:00:18,280 --> 00:00:19,290
is going to generate,

11
00:00:19,290 --> 00:00:20,123
exchange,

12
00:00:20,123 --> 00:00:20,956
store,

13
00:00:20,956 --> 00:00:22,440
and use encryption keys.

14
00:00:22,440 --> 00:00:23,360
Let's pretend for a moment

15
00:00:23,360 --> 00:00:25,440
that you're a manager of an office building.

16
00:00:25,440 --> 00:00:26,710
In this office building there are

17
00:00:26,710 --> 00:00:28,500
50 different offices for rent.

18
00:00:28,500 --> 00:00:29,460
As the building manager,

19
00:00:29,460 --> 00:00:30,980
it's your responsibility to ensure

20
00:00:30,980 --> 00:00:33,100
that each company that rents an office from you

21
00:00:33,100 --> 00:00:35,680
gets the proper key. If you were to make a mistake

22
00:00:35,680 --> 00:00:37,430
and gave my key to a different tenant,

23
00:00:37,430 --> 00:00:40,710
they could go into my office and breach my confidentiality.

24
00:00:40,710 --> 00:00:42,210
This is the same thing that we're worried about

25
00:00:42,210 --> 00:00:43,970
with our encryption systems.

26
00:00:43,970 --> 00:00:45,170
When you're generating a key,

27
00:00:45,170 --> 00:00:47,640
you need to ensure that it's a strong key.

28
00:00:47,640 --> 00:00:49,880
Many implementations are going to rely on the user

29
00:00:49,880 --> 00:00:53,180
creating that initial key by entering in a password.

30
00:00:53,180 --> 00:00:54,013
For example,

31
00:00:54,013 --> 00:00:56,740
if you decide to use BitLocker or FileVault

32
00:00:56,740 --> 00:00:58,630
to encrypt the contents of your hard drive,

33
00:00:58,630 --> 00:01:00,880
it's going to ask you to create a master password

34
00:01:00,880 --> 00:01:03,240
that's going to be used as the key for the encryption.

35
00:01:03,240 --> 00:01:05,570
So if you choose a weak password as a key,

36
00:01:05,570 --> 00:01:07,760
it doesn't matter that the algorithm being used

37
00:01:07,760 --> 00:01:09,710
is using the advanced encryption system,

38
00:01:09,710 --> 00:01:11,210
and it's currently unbreakable.

39
00:01:11,210 --> 00:01:13,970
If someone can break your key by guessing your password,

40
00:01:13,970 --> 00:01:16,850
they can compromise the confidentiality of your files.

41
00:01:16,850 --> 00:01:17,683
We've already talked about

42
00:01:17,683 --> 00:01:19,750
the importance of secure key exchange

43
00:01:19,750 --> 00:01:21,900
when we were talking about symmetric encryption.

44
00:01:21,900 --> 00:01:25,100
Most of the time we do this by using asymmetric methods

45
00:01:25,100 --> 00:01:26,500
to encrypt the symmetric key,

46
00:01:26,500 --> 00:01:28,970
and then transmit it securely over a network.

47
00:01:28,970 --> 00:01:31,330
This is the basic concept of the Diffie-Hellman algorithm,

48
00:01:31,330 --> 00:01:32,163
for example.

49
00:01:32,163 --> 00:01:33,960
And it's used in many other places, too,

50
00:01:33,960 --> 00:01:35,620
such as VPN connections,

51
00:01:35,620 --> 00:01:37,350
SSL or TLS connections,

52
00:01:37,350 --> 00:01:38,570
and others.

53
00:01:38,570 --> 00:01:39,880
Now it's important that they key

54
00:01:39,880 --> 00:01:42,750
is also securely stored when you're not using it.

55
00:01:42,750 --> 00:01:43,900
Just like a password,

56
00:01:43,900 --> 00:01:46,490
if that key is left out and somebody else can find it,

57
00:01:46,490 --> 00:01:48,370
you now can have them decrypt your files

58
00:01:48,370 --> 00:01:50,500
and breach your confidentiality.

59
00:01:50,500 --> 00:01:52,360
Finally, it's important to remember that,

60
00:01:52,360 --> 00:01:53,580
like your passwords,

61
00:01:53,580 --> 00:01:56,000
your keys need to be changed periodically.

62
00:01:56,000 --> 00:01:58,800
If you've been using the same encryption key for 10 years,

63
00:01:58,800 --> 00:02:01,170
that means an attacker has had 10 years worth of time

64
00:02:01,170 --> 00:02:03,110
to try to break into your information.

65
00:02:03,110 --> 00:02:04,330
By changing your key,

66
00:02:04,330 --> 00:02:05,820
you reset the clock on the attack

67
00:02:05,820 --> 00:02:08,210
and make the attacker have to start all over again,

68
00:02:08,210 --> 00:02:09,700
giving you additional security

69
00:02:09,700 --> 00:02:12,092
and confidentiality to your files.

70
00:02:12,092 --> 00:02:14,576
(electronic tones reverberating)