The disclosure relates generally to cryptography, and more specifically, to implementing a lightweight cryptographic service for simplified key life-cycle management.
In general, asymmetric encryption is a technology that uses public and private key pairs for the purposes of identity, data integrity and data protection. One common use of asymmetric encryption is in secure sockets layer/transport layer security (SSL/TLS), where it is used to encrypt a “secret key” that is used to generate a symmetric key that is ultimately used to encrypt data transmitted between nodes on a network. Another popular use of asymmetric encryption is digital signing, where data is hashed and the hash is subsequently encrypted with a private key, guaranteeing that the data was “signed” by a particular identity (i.e., the owner of the private key) and that the data has not changed (integrity) after it was signed. Typically, key pairs are stored in key stores or key databases, which associate the private key with a digital certificate that contains the paired public key. The digital certificate can be distributed across a network, allowing applications to, for example, verify digital signatures and encrypt/decrypt data. Key pairs require key life-cycle management in that they ultimately expire and need to be renewed, and sometimes become compromised and end up on a revocation list, which requires that they no longer be used. Key life-cycle management also requires that public keys (in digital certificates) be distributed and registered in appropriate key databases around a network so that they can be used by applications when needed. An enterprise may have hundreds or even thousands of key pairs to manage, which can be a complex and time-consuming task. A failure in key life-cycle management can result in application or system failure.
Digital certificates are also costly. For example, a server certificate issued by a trusted certificate authority (CA) may cost a yearly fee times the number of certificates used by an enterprise. For this reason, certificates are typically used by servers only, and not by clients, which can number in the thousands. In some cases an enterprise may issue its own certificates, but this introduces the problem of propagating the private CA or root certificate to the key stores that will need to trust certificates issued by the enterprise, both internally and externally.