The cryptocurrency market is growing at an unprecedented pace. Currently, the global market cap is over $1 trillion, with multiple public-listed companies, like MicroStrategy, holding cryptocurrency in their treasury.
Along with this growth comes an increased need for security, which is why key management is so important. Cryptocurrency exchanges, wallets, and other platforms handle large amounts of money and personal information, so it’s crucial that they have robust security measures in place.
Improper key management can lead to loss of funds, data leaks, and data breaches, causing severe repercussions. According to IBM, a single data breach can account for a loss of over $4.3 million on average globally.
For instance, when the founder of one of the early and then-largest Canadian cryptocurrency exchanges, QuadrigaCX, passed away, he took the only password to the company’s cold wallet to his grave. This led to a loss of over $215 million in customer funds that were stored in the cold wallet, of which only $46 million was recovered.
But key management practices, as they stand today, leave much to be desired.
In this article, we’ll take a look at what key management is, its importance, and how we are innovating in this space to make it a safe haven for you.
Table of Contents
What is Key Management?
In simple terms, key management is the process of creating, storing, and using cryptographic keys. A key is a string of characters that is used to encrypt and decrypt data.
Cryptocurrency protocols and key management systems today are primarily built upon Public Key Infrastructure (PKI) that uses asymmetric cryptography.
So, what is asymmetric cryptography, and how is it different from symmetric cryptography?
What is Symmetric Cryptography?
Symmetric cryptography is a technique where the same key is used to encrypt and decrypt data.
Imagine you want to send a secret box to your friend whose lock can only be opened by both of you. To do this, you both need to have the same key to open the lock.
In the above analogy, the contents of the box are the data, the lock is the encryption, and the key is the private key.
The downside to this is that you need a secure mode of delivery for the key. And you cannot entrust sharing the key with multiple people because if it gets leaked, then unwelcome parties may intercept your communications.
Asymmetric cryptography fixes this.
What is Asymmetric Cryptography?
Asymmetric cryptography is a branch of cryptography where two different but mathematically related keys are used to encrypt and decrypt data. One key, known as the public key, is used to encrypt data, while the other key, known as the private key, is used to decrypt it.
The two keys are generated together and are mathematically related such that if one key is used to encrypt data, then only the other key can decrypt it.
This is what’s known as a public-private key pair.
The public key can be shared with anyone, while the private key must be kept secret. So, if someone wants to send you a message, they can use your public key to encrypt it, and only your private key can decrypt it.
This is how most cryptocurrency wallets work. When you create a wallet, you are given a public and a private key. The public key is like your bank account number and is used to receive funds, while the private key is like your PIN and is used to send funds.
If someone wants to send you cryptocurrency, they can look up your public key and send it to your wallet. Only you, with your private key, can decrypt and spend those funds.
The Importance of Key Management
As we’ve seen, keys play a vital role in keeping our data and communications safe. Cryptocurrency exchanges, wallets, and other platforms handle large amounts of money and personal information, so it’s crucial that they have robust security measures in place.
If a key is lost or stolen, the consequences can be severe. For example, if an attacker gains access to a cryptocurrency exchange’s private keys, they could drain the exchange of all its funds.
A key management system is a set of policies and procedures for generating, distributing, storing, using, and destroying keys.
The main goal of a key management system is to ensure that the keys are available when needed and are not compromised or lost.
There are many different key management systems, but they all share three common features, such as:
- A way to generate keys
- A way to store keys
- A way to recover keys
A good key management system should be able to do all of the above in a secure and efficient manner.
The 3 Parts to Effective Key Management
There are three parts to effective key management:
The first part is generating strong keys. This can be done using a variety of methods, such as random number generators or entropy sources.
The second part is storing keys securely. This usually involves storing keys in a secure location, such as a hardware security module (HSM) or a secure enclave.
The third part is allowing for easy recovery of lost or stolen keys. This can be done by backing up keys in a secure location or using a key management service that provides key recovery capabilities.
1. Generating Strong Keys
One of the most important aspects of key management is generating strong keys. A strong key is one that is resistant to attack. But that takes a toll on usability. If it did not, then it is likely not secure.
For a key to be strong, it should be random and convoluted enough that it would be infeasible for an attacker to guess. Therefore, users end up with a long and hard-to-remember private key that they typically store in unsafe places like hard drives or easily accessible notepads. Thus, defying the purpose of a “strong key.”
There are a variety of methods that can be used to generate strong keys, such as:
Random number generators: A random number generator (RNG) is a device that generates random numbers. RNGs can be used to generate cryptographic keys.
Entropy sources: An entropy source is a source of randomness that can be used to generate cryptographic keys. Entropy sources include things like noise from an electronic circuit or the motion of a mouse.
Hashing algorithms: A hashing algorithm is a mathematical function that takes an input and produces an output. Hashing algorithms can be used to generate cryptographic keys.
2. Storing Keys Securely
Once keys have been generated, they need to be stored in a secure location. For large enterprises, keys are often stored on centralized servers.
In the case of individuals, the go-to solution is on-device storage. By storing keys on the device, the entity is able to give custody to the asset owner and comply with regional data protection laws. But this binds the user to the device, which is less than ideal.
This poses a greater threat in the case of Self Sovereign Identity (SSI). If SSI is associated with on-device private keys, then any person who has the device could effortlessly impersonate the owner without consent.
There are a variety of methods that can be used to store keys securely, such as:
Hardware security modules: A hardware security module (HSM) is a physical device that stores cryptographic keys and performs cryptographic operations. HSMs are used to store keys in a safe and tamper-resistant environment.
Secure enclaves: A secure enclave is a hardware-based security measure that isolates cryptographic keys from the rest of the system. Secure enclaves are used to store keys in a safe and tamper-resistant environment.
Key vaults: A key vault is a software-based security measure that stores cryptographic keys in a safe and tamper-resistant environment. Key vaults are used to store keys in a safe and tamper-resistant environment.
3. Allowing for Easy Recovery of Lost or Stolen Keys
Key recovery is a tough nut to crack in cryptography. Unlike in web2 applications, the cryptographic keys cannot be reset through a “forgot password” feature. If a user loses their private key, they lose access to their digital assets.
According to Chainalysis, as many as 3.8 million BTC might be lost forever owing to the loss of keys. This number was also supported by Unchained Capital after they used a different estimation method. This is close to 20% maximum BTC circulation.
Hence, redundancy is crucial for effective key management. If a key is lost or stolen, it should be possible to recover. There are a variety of methods that can be used to allow for easy recovery of lost or stolen keys, such as:
Backing up keys: Keys can be backed up in a secure location, such as an HSM or a secure enclave. Most involve a 12-word or 24-word passphrase, using which the keys can be recovered. These should be stored offline on paper or metal for greater security.
Using a key management service: A key management service is a cloud-based service that provides key recovery capabilities. Key management services usually allow for the recovery of lost or stolen keys using an encrypted backup file or a recovery phrase.
Current Innovations in Key Management
Innovations in key management are constantly being made to improve security and efficiency. Some current innovations include:
Keyless signature schemes: A keyless signature scheme allows for the verification of digital signatures without the need for a cryptographic key. This mitigates the risk of key compromise. Note that keys are still required to create signatures.
Quantum key distribution: Quantum key distribution (QKD) is a method of distributing cryptographic keys using quantum mechanics. QKD is more secure than traditional key-based methods and is beginning to be used in commercial applications.
Future of Key Management
As the need for security continues to grow, so too will the importance of key management. Future innovations in key management are likely to focus on increasing security, improving usability, and reducing costs.
As we move towards a more connected and privacy-focused future, we can expect to see greater innovation around key management protocols.
We need something better yet simpler. Developers should care more for their user’s security and privacy and be more careful about how they manage keys.