Cryptography Key Management

Study Notes

Creation: generating a new cryptographic key using key generation algorithms or methods, e.g., creating a new symmetric or asymmetric cryptographic key pair.
Distribution: securely sharing or disseminating cryptographic keys to authorized entities or devices, e.g., distributing encryption keys through secure channels like SSL/TLS or key exchange protocols like Diffie-Hellman.
Archival: securely storing or archiving cryptographic keys for potential future use or historical records, e.g., archiving older cryptographic keys in secure storage systems or databases.
Revocation: invalidating or revoking keys that are compromised, no longer needed, or considered insecure, e.g., revoking a digital certificate or encryption key in case of a security breach.
Expiry: setting a predefined expiration date for cryptographic keys to ensure regular key rotation and enhanced security, e.g., setting a validity period for digital certificates or periodically changing encryption keys.
Destruction: securely eliminating cryptographic keys that are no longer required or have reached their end-of-life, e.g., irreversibly deleting or destroying cryptographic keys from storage devices or memory.

Data Protection Act 2018: regulates the processing and safeguarding of personal data by organizations and ensures individuals' rights regarding their personal information, e.g., ensuring fair and lawful use of personal data by organizations and protecting individuals' privacy rights.
Single Point of Failure: refers to any component in a network that, if it malfunctions or goes offline, can cause significant downtime or complete disruption of services, e.g., a core switch that, if it malfunctions, disconnects multiple departments in an organization, rendering them unable to communicate.

Approaches to Error Control: detect and correct errors that occur during data transmission to ensure accurate and reliable communication, e.g., using parity bits in RAID configurations to identify and rectify data corruption in storage systems.
Capacity: determines the maximum load a network or its components can handle without compromising performance, e.g., analyzing a server's CPU and memory usage to ensure it can handle the expected increase in user demand during peak hours.

Attacks: identify and mitigate malicious activities targeting the network, such as flooding it with excessive traffic to disrupt services (DDoS), e.g., a web server overwhelmed by millions of connection requests per second, causing it to crash and deny service to genuine users.
Available Bandwidth: measures the amount of data that can be transmitted over a network in each time, e.g., considering a fiber-optic connection rated at 1 Gbps (Gigabit per second).
Restricting Application Use: limits and restricts application use, helping manage bandwidth, security risks, or compliance requirements, e.g., a healthcare organization restricts access to social media platforms on work devices to comply with patient privacy regulations (HIPAA).
Restricting Traffic at the Border: controls inbound and outbound data flows for security, compliance, or performance reasons, e.g., an e-commerce company employing border traffic restrictions, filtering inbound traffic for potential DDoS attacks and restricting outbound traffic to block unauthorized access to internal systems.

Firewall Misconfiguration: refers to incorrect settings or rules in firewalls, potentially leading to security vulnerabilities or disruptions in network traffic, e.g., a financial institution misconfigures its firewall rules, unintentionally allowing external access to sensitive financial data servers.

Virtual vs. Physical: virtual resources are simulated by software, allowing flexibility, scalability, and resource optimization, while physical resources involve tangible hardware, providing dedicated resources but often with limitations on scalability and flexibility, e.g., running multiple operating systems on a single physical server using virtualization software like VMware or Hyper-V.
Cloud-based Infrastructure: offers a vast array of cloud computing services like storage, computing power, and databases, e.g., AWS, Azure, or GCP.
Infrastructure as a Service (IaaS): rents virtual machines from a cloud provider like DigitalOcean to host websites or databases, providing virtualized computing resources over the internet on a pay-as-you-go basis.

Data at Rest vs. Data in Transit: data at rest refers to stored data, while data in transit refers to moving data, e.g., storing files on a hard drive or database records (data at rest) and sending information over a network during online transactions (data in transit).
Hashing: a process of converting data into a fixed-size string, e.g., generating checksums for file integrity verification using MD5 and storing passwords securely by hashing them before storage using SHA-256.