1
00:00:00,690 --> 00:00:01,523
In the lessons,

2
00:00:01,523 --> 00:00:04,110
I've spoken a lot about encryption keys.

3
00:00:04,110 --> 00:00:05,220
I've also mentioned earlier

4
00:00:05,220 --> 00:00:06,930
that the strength of any encryption

5
00:00:06,930 --> 00:00:09,330
is based on the security of that key.

6
00:00:09,330 --> 00:00:10,163
Because of this,

7
00:00:10,163 --> 00:00:12,690
it's important to understand proper key management,

8
00:00:12,690 --> 00:00:15,150
but what exactly is key management?

9
00:00:15,150 --> 00:00:17,490
Well, key management refers to how an organization

10
00:00:17,490 --> 00:00:19,830
is going to generate, exchange, store,

11
00:00:19,830 --> 00:00:21,660
and use encryption keys.

12
00:00:21,660 --> 00:00:22,560
Let's pretend for a moment

13
00:00:22,560 --> 00:00:24,660
that you're a manager of an office building.

14
00:00:24,660 --> 00:00:25,650
In this office building,

15
00:00:25,650 --> 00:00:27,690
there are 50 different offices for rent.

16
00:00:27,690 --> 00:00:28,680
As the building manager,

17
00:00:28,680 --> 00:00:30,960
it's your responsibility to ensure that each company

18
00:00:30,960 --> 00:00:32,340
that rents an office from you

19
00:00:32,340 --> 00:00:33,900
gets the proper key.

20
00:00:33,900 --> 00:00:34,890
If you were to make a mistake

21
00:00:34,890 --> 00:00:36,630
and gave my key to a different tenant,

22
00:00:36,630 --> 00:00:38,040
they could go into my office

23
00:00:38,040 --> 00:00:39,900
and breach my confidentiality.

24
00:00:39,900 --> 00:00:41,400
This is the same thing that we're worried about

25
00:00:41,400 --> 00:00:43,170
with our encryption systems.

26
00:00:43,170 --> 00:00:44,400
When you're generating a key,

27
00:00:44,400 --> 00:00:46,830
you need to ensure that it's a strong key.

28
00:00:46,830 --> 00:00:48,660
Many implementations are going to rely on

29
00:00:48,660 --> 00:00:50,640
the user creating that initial key

30
00:00:50,640 --> 00:00:52,380
by entering in a password.

31
00:00:52,380 --> 00:00:55,950
For example, if you decide to use BitLocker or FileVault

32
00:00:55,950 --> 00:00:57,840
to encrypt the contents of your hard drive,

33
00:00:57,840 --> 00:01:00,060
it's going to ask you to create a master password

34
00:01:00,060 --> 00:01:02,460
that's going to be used as the key for the encryption.

35
00:01:02,460 --> 00:01:04,769
So if you choose a weak password as the key,

36
00:01:04,769 --> 00:01:06,960
it doesn't matter that the algorithm being used

37
00:01:06,960 --> 00:01:08,970
is using the advanced encryption system

38
00:01:08,970 --> 00:01:10,410
and it's currently unbreakable.

39
00:01:10,410 --> 00:01:13,170
If someone can break your key by guessing your password,

40
00:01:13,170 --> 00:01:16,050
they can compromise the confidentiality of your files.

41
00:01:16,050 --> 00:01:17,460
We've already talked about the importance

42
00:01:17,460 --> 00:01:18,960
of secure key exchange

43
00:01:18,960 --> 00:01:21,120
when we were talking about symmetric encryption,

44
00:01:21,120 --> 00:01:22,500
most of the time we do this

45
00:01:22,500 --> 00:01:25,680
by using asymmetric methods to encrypt the symmetric key

46
00:01:25,680 --> 00:01:28,170
and then transmit it securely over a network.

47
00:01:28,170 --> 00:01:29,340
This is the basic concept

48
00:01:29,340 --> 00:01:31,320
of the Diffie-Hellman Algorithm, for example,

49
00:01:31,320 --> 00:01:33,150
and it's used in many other places too,

50
00:01:33,150 --> 00:01:34,830
such as VPN Connections,

51
00:01:34,830 --> 00:01:37,770
SSL, or TLS connections, and others.

52
00:01:37,770 --> 00:01:40,590
Now, it's important that the key is also securely stored

53
00:01:40,590 --> 00:01:41,940
when you're not using it.

54
00:01:41,940 --> 00:01:43,110
Just like a password,

55
00:01:43,110 --> 00:01:44,310
if that key is left out

56
00:01:44,310 --> 00:01:45,690
and somebody else can find it,

57
00:01:45,690 --> 00:01:47,580
you now can have them decrypt your files

58
00:01:47,580 --> 00:01:49,710
and breach your confidentiality.

59
00:01:49,710 --> 00:01:51,360
Finally, it's important to remember

60
00:01:51,360 --> 00:01:52,770
that like your passwords,

61
00:01:52,770 --> 00:01:55,230
your keys need to be changed periodically.

62
00:01:55,230 --> 00:01:57,990
If you've been using the same encryption key for 10 years,

63
00:01:57,990 --> 00:02:00,360
that means an attacker's had 10 years' worth of time

64
00:02:00,360 --> 00:02:02,310
to try to break into your information.

65
00:02:02,310 --> 00:02:03,540
By changing your key,

66
00:02:03,540 --> 00:02:05,010
you reset the clock on the attack

67
00:02:05,010 --> 00:02:07,440
and make the attacker to start all over again,

68
00:02:07,440 --> 00:02:08,880
giving you additional security

69
00:02:08,880 --> 00:02:10,773
and confidentiality to your files.