6.1 KiB
| tags | |
|---|---|
|
8.24 Use of cryptography
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Secure_configuration | #Protection |
Control
Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.
Purpose
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.
Guidance
General
When using cryptography, the following should be considered:
a) the topic-specific policy on cryptography defined by the organization, including the general principles for the protection of information. A topic-specific policy on the use of cryptography is necessary to maximize the benefits and minimize the risks of using cryptographic techniques and to avoid inappropriate or incorrect use;
b) identifying the required level of protection and the classification of the information andconsequently establishing the type, strength and quality of the cryptographic algorithms required;
c) the use of cryptography for protection of information held on mobile user endpoint devices or storage media and transmitted over networks to such devices or storage media;
d) the approach to key management, including methods to deal with the generation and protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;
e) roles and responsibilities for:
1) the implementation of the rules for the effective use of cryptography;
2) the key management, including key generation (see 8.24);
f) the standards to be adopted, as well as cryptographic algorithms, cipher strength, cryptographic solutions and usage practices that are approved or required for use in the organization;
g) the impact of using encrypted information on controls that rely on content inspection (e.g. malware detection or content filtering).
When implementing the organization’s rules for effective use of cryptography, the regulations and national restrictions that can apply to the use of cryptographic techniques in different parts of the world should be taken into consideration as well as the issues of trans-border flow of encrypted information (see 5.31).
The contents of service level agreements or contracts with external suppliers of cryptographic services (e.g. with a certification authority) should cover issues of liability, reliability of services and response times for the provision of services (see 5.22).
Key management
Appropriate key management requires secure processes for generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys.
A key management system should be based on an agreed set of standards, procedures and secure methods for:
a) generating keys for different cryptographic systems and different applications;
b) issuing and obtaining public key certificates;
c) distributing keys to intended entities, including how to activate keys when received;
d) storing keys, including how authorized users obtain access to keys;
e) changing or updating keys including rules on when to change keys and how this will be done;
f) dealing with compromised keys;
g) revoking keys including how to withdraw or deactivate keys [e.g. when keys have been compromised or when a user leaves an organization (in which case keys should also be archived)];
h) recovering keys that are lost or corrupted;
i) backing up or archiving keys;
j) destroying keys;
k) logging and auditing of key management related activities;
l) setting activation and deactivation dates for keys so that the keys can only be used for the period of time according to the organization's rules on key management;
m) handling legal requests for access to cryptographic keys (e.g. encrypted information can be required to be made available in an unencrypted form as evidence in a court case).
All cryptographic keys should be protected against modification and loss. In addition, secret and private keys need protection against unauthorized use as well as disclosure. Equipment used to generate, store and archive keys should be physically protected.
In addition to integrity, for many use cases, the authenticity of public keys should also be considered.
Other information
The authenticity of public keys is usually addressed by public key management processes using certificate authorities and public key certificates, but it is also possible to address it by using technologies such as applying manual processes for small number keys.
Cryptography can be used to achieve different information security objectives, for example:
a) confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted;
b) integrity or authenticity: using digital signatures or message authentication codes to verify the authenticity or integrity of stored or transmitted sensitive or critical information. Using algorithms for the purpose of file integrity checking;
c) non-repudiation: using cryptographic techniques to provide evidence of the occurrence or non-occurrence of an event or action;
d) authentication: using cryptographic techniques to authenticate users and other system entities requesting access to or transacting with system users, entities and resources.
The ISO/IEC 11770 series provides further information on key management.