In the spirit of "ten unavoidable security truths", and numerous other top-ten lists, here’s a list of ten key truths that apply to public / private key pairs:
- Your private key has to be private to you. It cannot be created by anyone else.
- Anyone who has your private key is you, for the purposes to which that key is applied.
- If you have a private key that was generated by your employer, then that key identifies you as a part of the employer. It cannot be used to uniquely identify you, because the key was generated under your employer’s control.
- Keys associated with expired or revoked certificates are not always useless – you can use them to decrypt a file that they encrypted a long time ago; you can also verify the time-stamped signature of a document, if the certificate was valid at the time of the signature.
- A key is a number – it cannot expire, it is the associated certificate that expires. Similarly, the certificate, not the key, is what is revoked after exposure.
- A key is not a certificate. A certificate is a statement (usually of ownership) about a key pair, and contains the public key.
- Too short of a key is no key at all, and an exposed private key is no key at all.
- Protecting a password or key by encrypting it may do nothing more than extend the problem by a level – now you have to protect the key used to encrypt the password / key.
- Revocation of a certificate applies only to trusting parties who actually bother to check for revocation.
- A key derived from a password has the same strength as the password, no matter how long the key.
Note that this list describes what happens when cryptography is working perfectly. There are other key facts that apply to broken cryptography and broken process:
- You cannot increase entropy by repeating bits, or by padding with constant or predictable values.
- If someone creates a private key for you, they can become you using that key.
- Protecting anything by using a password or key to feed a yes/no gate requires the attacker to only fool the yes/no gate. Encrypted USB drive manufacturers found this out recently to their embarrassment.
- Inventing your own crypto – or the processes around it – is always a bad idea. Research others’ ideas and use them, particularly published standards.
- Even the longest strongest key in the world can be defeated by a big enough bribe to the key-holder.
- If the price of a card number on the black market is $1, then access to a million card numbers is equivalent to a million dollars. Who do you pay well enough that they can ignore that value?
- A key or password that is never updated as it passes through many hands is vulnerable to abuse by each of those hands.
- Broken cryptographic algorithms cannot be made better by increasing the length of the key or by applying the algorithm more times.
- All cryptographic algorithms become broken in time. The trick is to choose one that lasts longer than your need to protect your data.
- When you lose the private key through insufficient key management, you have lost the data it protected.
- Even a good cryptographic algorithm can be destroyed by a poor key-generation algorithm.
Note that these lists are rather arbitrarily scoped to ten – there may be more important truths I’ve forgotten, or items I’ve included that aren’t really so important.