IBE for key management

A few months ago, Trust Catalyst released their 2008 Encryption and Key Management Industry Benchmark Report. Here's the data from this report that shows how challenging the 330 people who responded to Trust Catalyst's survey rated various areas of key management. What's interesting is that all of the top three challenges listed here are ones that are particularly easy to solve if you use identity-based encryption (IBE).


With IBE, it's easy to calculate keys as they're needed. This makes it practical to use short-lived keys, and if you do this, there's no need at all to revoke keys.

And because IBE keys are calculated, there's no need at all to back them up. Calculating an IBE key a second time is no more difficult that calculating it the first time, so instead of keeping a secure archive of keys, you don’t need to archive IBE keys at all. Instead of getting a key from the secure archive server, you just recalculate it when you need it, which makes backing up and recovering IBE keys extremely easy.

Similarly, because you can calculate any IBE decryption keys from just a single system-wide master secret when you need them, making IBE keys accessible to a disaster recovery site is extremely easy. Even if you can't reach an IBE key server from a disaster recovery site, it's easy to get a key server up and running in the disaster recover site in just a few minutes. All you need to do is configure a key server with the master secret, and you're done. This takes no more than a few minutes, so this problem is also extremely easy if you're using IBE.

In the light of Trust Catalyst's report, I have to wonder why more people aren't using IBE for things other than email. It seems to be the logical choice because it makes what seems to be the biggest challenges of key management extremely easy.

Leave a Reply

Your email address will not be published. Required fields are marked *