By Tam Hulusi

Key Management
for Physical
Access Control
Whether a physical or digital key, policies and practices
for their use must be in place

H
ow many keys have you
us e d s o f ar to day? Fo r
most of us, this question
calls to mind a limited number of
traditional keys that we use at home,
to start our car, to open a file cabi-
net, and so on. It is relatively easy
to keep track of these keys because
they are so visible and so frequent-
ly needed. And if we do misplace
or lose a traditional key, we have a
straightforward means of replacing
it — we simply call a locksmith or
the car dealership, and request a
new one. If the loss is due to a theft,
we may take the extra precaution of
requesting that the lock be re-keyed,
so that the stolen key will no longer
work.
Ask someone who is responsible
for the security of an entire building,
or who manages the access privileg-
es of a large and varied workforce,
about keys and you will get a very
different type of response. In today’s
corporate security environment, tra-
ditional keys have given way to a
variety of digital keys inside access
tokens such as key cards. Imple -
menting secure access control for
thousands of doors or other assets,
and ensuring that the individuals
authorized for access will get it read-
ily while everyone else will be kept
out is a challenging task. It requires
a combination of hardware (often in

[S-18] [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] ——————————————————————————————— MAY/JUNE

the form of key cards and card read-
ers), software, an understanding of
digital security and encryption, and
carefully developed key management
policies and practices.
T his ar ticl e p res e nt s an ove r-
view of the decisions and process-
es involved in successful physical
access control from a key manage-
ment perspective.
Key management
fundamentals
Keeping track of digital keys is called
key management. The purpose of a
key management system is to pro-
vide the information necessar y to
enforce a key management policy.
The primar y way a key manage -
ment system does this is by keeping
a cradle-to-grave record of the life
of every key, every when, why and
how of its creation, use, breach and
destruction. That may sound like an
impossible task—and it would be if
digital keys were managed along the
same lines as the traditional keys in
our pockets.
IT professionals and key manage-
ment vendors have worked for years
to design key management systems
that will serve the needs of all types
and sizes of organizations. A key
management system enables you
to see and monitor the digital keys
that are deployed in your corporation
with the same degree of detail as
you track your personal keychain, or
manage the accounts receivable and
other internal systems.
I will focus on the three primary
phases in the life of a managed key:
key generation, key usage and key
breach. While it may be helpful to
have in mind the keys inside a smart
card such as an HID iCLASS card,
these three phases define the life of
any managed key, no matter where it
is stored or where it is used.
Key generation
Whether it is a physical key or a digi-
tal key, the management of a key
MAY/JUNE ——————————————————————————————— [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010]
starts with key generation. You have
probably noticed that there are some
keys in your pocket or purse that the
local hardware store can duplicate
and some that it cannot.
In we ll - manage d s ys tems , key
generation takes place in a carefully
controlled environment. Each and
every key generation is recorded in
a permanent log. The log includes
when, where, what, why, how and
who. In not-so-well-managed sys-
tems, no records are made of who is
generating keys, why they are being
generated, what they going to be
used for or how they are going to
be protected. A moment’s reflection
tells you that unmanaged key gen-
eration is the headwater of a river of
downstream trouble.
It is during the generation phase
that decisions about cryptographic
algorithms, key length and key dis-
tribution are made. For example, in
the smart card case, this is the time
to decide questions such as whether
cards may share keys for specif ic
types of access or whether all keys
must be unique.
Key use
O n e w ay th e p hysic al
keys and digital keys are
exactly alike is that you
cannot use them unless
you actually possess the
key. The obviousness of
this statement for physi-
cal keys is matched by
the lack of obviousness
of the statement for
digital keys. This stark difference in
awareness is due in part to the fact
that while we all understand what
having a physical key means, it is not
so clear what “having” a digital key
means in practice.
In both cases, it means that if an
interloper takes the key from you
while you are in the act of using
it, that interloper can subsequent-
ly use it too. In particular, in the
digital key case, it means that the
key is exposed in its unprotected,
unwrapped, unclothed and natural
form for everyone to see. That con-
stitutes a key breach, which requires
remedial action. So protecting the
digital key during use becomes a
high priority for key management.
Key management is not “fire and
forget ” — or, in the specific case
of digital keys, “generate and for-
get.” Best-practice key management
is a continuous process that moni-
tors the health of every key every
day and is prepared to take immedi-
ate action should the health of a key
start to fail. This is one reason why
forward-looking companies are start-
ing to offer key management servic-
es to its access control customers.
Key breach
Quite unlike the management of
physical keys, the management of
digital keys is often disconnected
from the physical manifestation
of the keys themselves. One
area where this becomes
most evident is policies
regarding key breaches.
Key breach means that some inci-
dent has exposed the key to unau-
thorized use. In the case of a physi-
cal key, it does not mean necessarily
that a malicious person is in posses-
sion of the key; and in the case of a
digital key, it does not mean that the
person knows the value of the key. It
just means that somebody can use
the key that should not be able to.
In physical reality, key breach can
[S-19]
mean an authorized user losing the
key, or somebody making a unau-
thorized copy of the key. But physical
key breach can also mean getting
hold of a master key, learning how
to bump a lock, or coming into pos-
session of a good set of lock picks.
In whatever form, the breach of a
physical key — both the breach itself
and the harvesting of the breach —
will have numerous physical manifes-
tations that careful observation has a
very good chance of detecting.
It is quite different in digital real-
ity. Indeed, one of the most trouble-
some — and most ignored — chal-
lenges of digital key management is
detecting key breach. Unless some-
thing really egregious takes place
whose only logical cause could be
the compromise of a key, digital key
breach may go undiscovered and
therefore unaddressed.
Let ’s assume that a key breach
has been discovered. In the case
of a physical key loss, one remedy
is to change all the locks that the
breached key fits and then issue a
new key to each authorized person.
In almost every case, the list of locks
[S-20] [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] ———————————————————————————————
Further Reading
Matt Blaze’s classic paper on master keys is a beautiful
case study of the similarities and differences of physical and
cryptographic keys: http://www.crypto.com/papers/mk.pdf
and the list of people are complete-
ly known. Knowing the list of locks
is usually sufficient, since rekeying
the locks will cause the key hold-
ers to step forward and request a
replacement.
What has to be done in the case
of a breached digital key is just as
obvious. The key has to be rolled.
But doing that for a digital key is as
no means as straightforward. First,
the responsible key manager has to
locate all the places and situations in
which the digital key is being used.
In the case of a physical access con-
trol system, this process might be
as easy as in the case of physical
key since, after all, the digital door
access is replacing a physical lock.
In other cases — for example cards
used to log - in to computers, or
for document encryption and data
access — it may not be so easy to
find all the breached keys.
Even when an instance of the
breached value is found, changing
it to a new value can surface pre-
viously unacknowledged problems.
One problem can be acquiring the
authorization to change the key value
at all. Just because a digital key is in
use does not mean that somebody
can be found who can change it. In
fact, there are cases in which policy
decisions may make it impossible to
change the value.
Suppose that somebody in securi-
ty or IT can be found that does have
the authorization to change the key
value. It is highly likely that proce-
dures for generating a new key value
and for getting it into a form that
can be used for key rolling are not
frequently practiced even if they are
known. All aspects of key breach
detection and key rolling need to be
addressed in practice to ensure that
the written policies are possible and
cost-effective to implement when-
ever the need arises.
To reconnect with the realities and
practicalities of the key management
for digital keys, it may be helpful to
work backward from a key breach
scenario. The surfacing of a road-
block to key rolling and recover y
from a key breach well before an
actual security issue arises has obvi-
ous advantages. It may also help to
shine more light on other areas in an
existing key management program
where policies and practices are less
than optimal.
Key management benefits
This overview of key management
processes provides a starting point
for evaluating your company’s cur-
re nt key mana g e m e nt p r ac tices
— whether you are working with a
turnkey system from a vendor, or
have implemented selected policies
internally. It may also raise questions
about the value of developing a com-
prehensive key management strat-
egy. According to BITS, a security
MAY/JUNE
working group for the financial ser-
vices industry, a good key manage- Tam Hulusi is senior vice president of strate-
ment program can assist in accom- gic innovation and intellectual property at HID
plishing the following: Global, the trusted leader in providing access
and ID management solutions for the delivery
of secure identity.
t
Improve usability and effective-
ness of key and key usage;
t
Increase reliability and effi-
ciency of key structure and key
implementation;
t
Reduce costs by leveraging com-
mon infrastructure and administra-
tive processes;
t
Reduce complexity and improve
transparency by re-using well-
defined processes and interfaces;
t
Automate manual steps to
reduce human error and improve
consistency;
t
Support a variety of keys con-
sumed by a variety of encryption/
decryption processes delivered
by commercial, open-source and
customer-developed applications
on multiple platforms;
t
Allow for segregation of key man-
agement from encryption/decryp-
tion operations;
t
Improve transparency by aligning
and integrating with the business-
es processes; and
t
Provide evidence of having
implemented sound and secure
practices.

Strong keys coupled with best-

practice key management are at the
foundation of token-based access
control systems. Strong keys alone
are not sufficient. If you are running
a keyed security system, then either
you buy a key management system
and put in place a continuously-run-
ning key management process, or
you seek a vendor that can provide
these ser vices. Running a keyed
security system without a key man-
agement system underneath should
not be considered an option.
Visit www.securityinfowatch.com/ste/einquiry and Select No. 389

MAY/JUNE ——————————————————————————————— [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] [S-21]