101
0/228
Loading content...
Every Security Association ultimately depends on one critical element: cryptographic keys. The strongest encryption algorithm becomes worthless if its keys are predictable, improperly stored, or remain in use too long. Key management—the discipline of handling keys throughout their lifecycle—is where theoretical security meets operational reality.
Consider this sobering truth: most real-world cryptographic failures aren't algorithm weaknesses. They're key management failures:
This page explores key management comprehensively—from theoretical principles to practical implementation, ensuring your IPSec deployments are secured not just in algorithm choice, but in the entire key lifecycle.
By the end of this page, you will understand the complete key lifecycle, key derivation functions, secure storage practices, rotation strategies, and key escrow considerations. This knowledge applies not just to IPSec, but to any system requiring cryptographic key management.
Cryptographic keys have a defined lifecycle with distinct phases. Each phase has specific security requirements and potential vulnerabilities.
The Six Phases of Key Lifecycle:
| Phase | Description | Security Considerations |
|---|---|---|
| Generation | Creating new key material | Randomness quality, algorithm compliance, key size |
| Distribution | Transmitting keys to authorized parties | Secure channels, authentication, key wrapping |
| Storage | Protecting keys at rest | Encryption, access control, HSM usage |
| Use | Active cryptographic operations | Leakage prevention, side-channel resistance |
| Rotation | Replacing keys before compromise or expiry | Seamless transition, backward compatibility |
| Destruction | Secure deletion when no longer needed | Complete erasure, backup handling |
A failure at ANY phase can compromise security. Perfect generation means nothing if distribution is insecure. Secure storage is pointless if destruction fails and keys are recoverable from backups. Key management requires attention to every phase.
Key generation is the foundation of all cryptographic security. A key's strength ultimately depends on its unpredictability—if an attacker can guess or predict the key, no algorithm can protect you.
Requirements for Secure Key Generation:
Entropy Sources:
Ultimately, all randomness comes from physical sources. Modern systems harvest entropy from:
| Source | Quality | Availability |
|---|---|---|
| Hardware RNG (RDRAND/RDSEED) | High | Modern Intel/AMD CPUs |
| Interrupt timing | Medium | All systems, varies by load |
| Disk I/O timing | Medium | Systems with spinning disks |
| Network packet timing | Low-Medium | Networked systems |
| User input timing | Medium | Interactive systems only |
| Thermal noise | High | Dedicated hardware |
| TPM RNG | High | Systems with TPM |
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051
// Secure Key Generation - Best Practices // ✅ CORRECT: Use OS-provided CSPRNGimport { randomBytes } from 'crypto'; function generateAES256Key(): Buffer { // crypto.randomBytes uses OS entropy pool // On Linux: /dev/urandom // On Windows: CryptGenRandom // On modern systems: Hardware RNG when available return randomBytes(32); // 256 bits} // ✅ CORRECT: Generate key for IKE pre-shared keyfunction generatePSK(lengthBytes: number = 32): string { const bytes = randomBytes(lengthBytes); // Base64 encode for configuration file storage return bytes.toString('base64');} // ❌ WRONG: Using predictable sourcesfunction INSECURE_generateKey(): Buffer { // Math.random() is NOT cryptographically secure! const key = Buffer.alloc(32); for (let i = 0; i < 32; i++) { key[i] = Math.floor(Math.random() * 256); } return key;} // ❌ WRONG: Insufficient entropyfunction INSECURE_keyFromPassword(password: string): Buffer { // Simple hash of password has limited entropy // If password is "Password123", key space is tiny return crypto.createHash('sha256').update(password).digest();} // ✅ CORRECT: Password-based key derivation with proper KDFasync function deriveKeyFromPassword( password: string, salt: Buffer, iterations: number = 100000): Promise<Buffer> { // PBKDF2/Argon2 stretches limited password entropy return new Promise((resolve, reject) => { crypto.pbkdf2(password, salt, iterations, 32, 'sha256', (err, key) => { if (err) reject(err); else resolve(key); }); });}The Debian OpenSSL bug (2006-2008) removed entropy seeding, making keys predictable from just the process ID—effectively 15 bits instead of 128+. Millions of SSL certificates and SSH keys were compromised. This happened in widely-deployed, security-critical software. Key generation bugs are real and devastating.
Key Derivation Functions transform input material (shared secrets, passwords, or other keys) into cryptographic keys. Unlike simple hashing, KDFs are designed specifically for key generation with security properties tailored to that purpose.
Why KDFs Instead of Direct Hashing?
KDFs Used in IPSec/IKE:
PRF+ is IKEv2's key derivation function, built from any PRF (Pseudo-Random Function, typically HMAC).
PRF+(K, S) = T1 | T2 | T3 | ...
Where:
T1 = PRF(K, S | 0x01)
T2 = PRF(K, T1 | S | 0x02)
T3 = PRF(K, T2 | S | 0x03)
...
Properties:
Example Usage:
// Derive IKE SA keys
{SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr} =
PRF+(SKEYSEED, Ni | Nr | SPIi | SPIr)
// Derive Child SA keys
KEYMAT = PRF+(SK_d, Ni | Nr)
Never use the same derived key for multiple purposes. Even from the same master secret, derive separate keys for encryption, authentication, and each direction. Include context/labels in derivation (e.g., 'client-encrypt', 'server-encrypt') to ensure keys remain independent even if one is compromised.
Distribution is often the most vulnerable phase—keys must travel from where they're generated to where they'll be used. The classic problem: how do you securely share a secret with someone you've never communicated with securely?
Distribution Methods:
| Method | Security Level | Use Case | Drawbacks |
|---|---|---|---|
| Diffie-Hellman (IKE) | High | Automated SA establishment | Requires mutual authentication to prevent MITM |
| Pre-Shared Key (manual) | Medium | Small-scale deployments | Secure distribution channel needed |
| PKI/Certificates | High | Enterprise VPNs | PKI infrastructure required |
| Key Wrapping | High | Key transport | Requires pre-existing shared key |
| KMS (Key Management System) | High | Enterprise scale | Centralized trust, complexity |
| Physical Transfer | Varies | Initial bootstrap | Doesn't scale, human error risk |
Diffie-Hellman: The Gold Standard for IPSec:
IKE's use of Diffie-Hellman elegantly solves the key distribution problem. Two parties who have never communicated can establish a shared secret that no eavesdropper can determine:
12345678910111213141516171819202122232425262728293031323334
// Diffie-Hellman Key Exchange (Conceptual) // Public parameters (known to everyone, including attackers):// g = generator// p = large prime (or elliptic curve parameters) // Initiator:i_private = random() // Private: never leaves initiatori_public = g^i_private mod p // Public: sent to responder // Responder:r_private = random() // Private: never leaves responderr_public = g^r_private mod p // Public: sent to initiator // Shared secret computation:// Initiator computes: shared = (r_public)^i_private mod p// = (g^r_private)^i_private mod p// = g^(r_private * i_private) mod p // Responder computes: shared = (i_public)^r_private mod p// = (g^i_private)^r_private mod p// = g^(i_private * r_private) mod p // Both arrive at the same shared secret!// Attacker observes: g, p, i_public, r_public// To compute shared secret, attacker needs i_private or r_private// This requires solving discrete logarithm - computationally infeasible // IKE DH Groups (key sizes):// Group 14: 2048-bit MODP (minimum recommended)// Group 19: 256-bit ECP (NIST P-256 elliptic curve)// Group 20: 384-bit ECP (NIST P-384 elliptic curve)// Group 21: 521-bit ECP (NIST P-521 elliptic curve)// Group 31: Curve25519 (modern, efficient)Diffie-Hellman alone doesn't prevent man-in-the-middle attacks. An attacker could perform separate DH exchanges with each party, sitting invisibly in the middle. This is why IKE combines DH with authentication—proving identity prevents MITM. Never use unauthenticated DH!
Keys at rest are vulnerable. An attacker with filesystem access, a backup tape, or database dump can extract stored keys. Secure key storage protects against these threats.
Storage Hierarchy (Increasing Security):
Hardware Security Modules (HSMs):
HSMs are specialized cryptographic hardware that generates, stores, and uses keys in a physically protected environment:
| Feature | Description | Security Benefit |
|---|---|---|
| Tamper resistance | Physical destruction if opened | Prevents physical key extraction |
| Key generation | True RNG on-board | Keys never exist outside HSM |
| Cryptographic operations | Encrypt/decrypt/sign on HSM | Keys never in host memory |
| Access control | M-of-N key shares, PINs | No single person can access keys |
| Audit logging | Tamper-evident logs | All key usage is recorded |
| FIPS validation | Certified implementations | Regulatory compliance |
123456789101112131415161718192021222324252627282930313233343536
// Key Storage Patterns // ❌ NEVER: Plaintext in configurationipsec_config = { psk: "SuperSecretKey123!", // Visible to anyone with file access} // ⚠️ BETTER: Environment variable (still visible in process list)const psk = process.env.IPSEC_PSK; // ✅ GOOD: Encrypted configuration with secure master keyconst config = loadEncryptedConfig(masterKeyFromHSM);const psk = config.decrypt('ipsec_psk'); // ✅ BETTER: Key Management Service integrationconst kms = new KeyManagementClient();const psk = await kms.getSecret('ipsec/production/psk', { auditContext: { requestor: 'vpn-gateway-01' }}); // ✅ BEST: HSM-based keys (key never leaves HSM)const hsm = new HSMClient();// Key is REFERENCED, not retrievedconst keyHandle = await hsm.getKeyHandle('ipsec-sa-key-001');// Cryptographic operations happen ON the HSMconst encrypted = await hsm.encrypt(keyHandle, plaintext); // Memory Protection During Use:// - Minimize time keys are in memory// - Use secure memory (mlock, no swap)// - Zero memory after usefunction secureCleanup(keyBuffer: Buffer): void { // Overwrite with zeros before release keyBuffer.fill(0); // Some systems support explicit secure free}Encrypting keys just moves the problem: you need to protect the encryption key. Eventually, there's a root of trust—often an HSM-protected master key, a TPM-sealed key, or human-memorized credentials. Design your system knowing this root exists and protect it accordingly.
Keys shouldn't last forever. Even without known compromise, keys should be rotated periodically to limit exposure from potential undetected breaches and to ensure cryptographic limits aren't exceeded.
Why Rotate Keys?
IPSec Key Rotation in Practice:
IPSec uses multiple layers of key rotation:
| Key Type | Typical Lifetime | Rotation Mechanism | Impact of Rotation |
|---|---|---|---|
| Child SA keys | Minutes to hours | CREATE_CHILD_SA rekey | New keys for traffic, minimal disruption |
| IKE SA keys | Hours to days | CREATE_CHILD_SA for IKE rekey | New management channel, child SAs preserved |
| Pre-shared keys | Months to years | Manual update on both peers | Requires coordinated configuration change |
| Certificates | 1-3 years | Certificate renewal/reissue | Gradual rollout, CRL/OCSP updates |
| CA certificates | 10-20 years | Root rotation (rare) | Major trust infrastructure change |
123456789101112131415161718192021222324252627282930313233343536373839404142
// Key Rotation Best Practices // SA Lifetime Configuration Example (StrongSwan)connections { site-to-site { // Child SA (IPSec) lifetimes children { tunnel { // Rotate after 1 hour OR 1GB of traffic life_time = 1h life_bytes = 1g // Start rekeying at 90% of lifetime rekey_time = 54m // 0.9 * 60 = 54 rekey_bytes = 900m // 0.9 * 1000 = 900 // Hard limit (delete if not rekeyed by then) over_time = 10m // Extra 10 minutes allowed } } // IKE SA lifetime rekey_time = 4h // Rekey IKE SA every 4 hours over_time = 30m // Grace period }} // Operational Key Rotation Checklist:// 1. Monitor SA lifetimes and rekey success rates// 2. Alert on rekey failures (indicates peer issues)// 3. Ensure time synchronization (lifetime mismatches cause issues)// 4. Test rotation under load (traffic continuity)// 5. Log all rotations for audit trail // PSK Rotation Procedure (Manual):// 1. Generate new PSK: openssl rand -base64 48// 2. Document and secure the new PSK// 3. Schedule maintenance window// 4. Update both endpoints simultaneously// 5. Verify new IKE SA establishes correctly// 6. Revoke access to old PSK// 7. Update any backups/documentationIKE's soft/hard lifetime system enables seamless Child SA rotation without traffic interruption. As soft lifetime approaches, a new SA is negotiated while the old one remains active. Traffic transitions to the new SA, and the old one is deleted. Properly configured, users never notice rotations occurring.
When keys are no longer needed, they must be destroyed—completely and irreversibly. Inadequate destruction means keys can be recovered from old backups, decommissioned hardware, or forensic analysis.
Destruction Challenges:
Secure Destruction Practices:
| Medium | Destruction Method | Verification |
|---|---|---|
| RAM | Overwrite with zeros/random, immediate free | Difficult to verify; assume cleared |
| Magnetic disk | Overwrite multiple passes, degaussing | Cryptographic erasure preferred |
| SSD/Flash | Cryptographic erasure (TRIM + erase block) | Security erase command, verify |
| HSM | HSM-controlled key deletion | HSM provides confirmation |
| Backups | Delete AND overwrite backup media | Audit backup destruction |
| Cloud storage | Provider deletion + customer-managed encryption | Verify provider SLA |
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748
// Secure Key Destruction in Code // ✅ CORRECT: Zero memory before releasefunction destroyKey(keyBuffer: Buffer): void { // Fill with zeros keyBuffer.fill(0); // Some languages/runtimes support explicit secure free // Node.js: Buffer is garbage collected, but zeroing prevents copies // In C: use explicit_bzero() or SecureZeroMemory() // These prevent optimizer from removing "dead" stores} // ✅ CORRECT: Crypto library cleanupimport { webcrypto } from 'crypto'; async function useAndDestroyKey() { const key = await webcrypto.subtle.generateKey( { name: 'AES-GCM', length: 256 }, true, // extractable for destruction ['encrypt', 'decrypt'] ); try { // Use the key await encrypt(key, data); } finally { // Some implementations don't expose explicit destruction // Best practice: use non-extractable keys when possible // Key material stays in secure enclave }} // ⚠️ Be aware of copies:function AVOID_thisCopiesKey(key: Buffer): void { const keyString = key.toString('hex'); // Creates a copy! console.log('Key hash:', hash(keyString)); // String persists key.fill(0); // Original zeroed, but keyString still exists!} // SA Deletion in IPSec:// When SA is deleted:// 1. Remove from SAD (reference deleted)// 2. Zero all key material in SA structure// 3. Free memory// 4. Send DELETE notification to peer// 5. Peer performs same cleanupFor encrypted data, destroying the key effectively destroys the data—even if ciphertext remains on disk. This "crypto-shredding" is faster than overwriting large datasets and is the preferred approach for cloud data deletion. Ensure the key truly can't be recovered!
We've explored the full lifecycle of cryptographic key management—the operational discipline that determines whether your cryptographic systems are truly secure.
Module Complete:
This concludes our deep dive into Security Associations. You now understand:
With this knowledge, you can configure, troubleshoot, and secure IPSec deployments at a professional level. You understand not just what to configure, but why each parameter matters for security.
Congratulations! You've mastered Security Associations—from abstract concept to practical key management. This knowledge is foundational for anyone working with VPNs, IPSec implementations, or network security architecture. You're now equipped to design, deploy, and maintain secure network layer communications.