Remember also that we need to achieve true randomness. Truly random stuff is tough, because computers are very specifically designed very logical, they're one minded, they're focused. And they're designed to be predictive, and to be predictable. This is the value and the power of computer. We say go off and do that, keep running until you finish, and that's what they do. So computers, by the very nature and design, are not random, the're very specifically designed to not be random. So when we ask them to be random, it's very hard for them to do that. So as a result, creating true randomness is a challenge for us, but we've talked a lot about in our earlier conversations, in the knowledge area here in cryptography, about the need for randomness. The need to not have patterns. The need to not allow those patterns to emerge and become exposed so that somebody can break the sanctity and the viability of the cryptography, uncovering the secret information. This is a problem. So we gotta think about this. So we want to try to inject as much randomness as possible into the system. So we use what are called pseudo random number generators, or random generation, where we try to randomly generate things, using programs that run algorithms, that try to spit out random initialization vectors, things like that. That's good, but even then, remember, not really random. When we say truly random, we say we want to get as close to that as possible. But the name of the product, or the name of the application, pseudorandom number generation means we're going to try to approximate random generation. But we're not going to get all the way there, because a program that runs has certain rules, and it's going to use certain things, and it's going to do things a certain way. And so the problem becomes, it may not be possible to get truly random. But we get as close as we can. And the closer to random we get, the better our systems are, the more likely they are to not be compromised, because it's going to be that much tougher for somebody to figure out what it was we did, in order to compromise it. So we do want to use randomness as much as possible in the process. We talked about the fact that key length is the critical factor for success in terms of longevity, and the security of the cryptography solution. The longer the key is, the more likely it is to be non-compromisable within a reasonable amount of time. Because the longer the key length is, the more possibilities there are that that key is going to be generated in the field that is so big, the key space, that it's going to be very difficult to find the key and pull it out of the system. Remember, 4,096 bits, 4,096 times 4,096, minus one, divided by two. It's going to have a lot of zeroes on the end of that solution, or the number of keys. So the longer the key, the bigger the key, the more stronger it is, or the stronger it ultimately will be. So please be aware of that. Keys control how an algorithm operates, remember? So the key is what we put into the black box solution, turning it on to allow it to run the conveyor belt to encipher or decipher. If we get the key, we got everything. All the attacks we talked about were all geared around trying to figure out the key. So we want to make sure we know that the longer the key, the stronger the system. It's very important as a kind of a logical progression there. We also want to talk about something known as key wrapping and key encrypted keys. Key wrapping is the idea of the process of using the Key Encrypting Key. What's called the KEK. The KEK, which is used as part of a key distribution or key exchange to then be able to effectively protect session keys. If you remember we talked about this idea of being able to symmetrically encrypt data because it's so quick to use symmetric encryption, bulk encryption. But then we have the problem of how we securely transmit the symmetric key. So we go ahead and we asymmetrically encrypt the symmetric key. We transmit the asymmetrically encrypted key securely, and then we unencrypt the key, and then unencrypt the data. Well, these are the moving parts that help us to do that. The Key Encrypting Key is used as part of a key distribution or key exchange when we want to send a private key to establish a session between two endpoints. If I want to be able to send and securely read information over here, and you're over here, and you want to be able to send and securely read information that we're going to exchange together. And we're using a symmetric system, we both have to have session keys, or private keys, symmetric keys, that are going to be used so that way we can exchange information. So what we're going to do is we're going to create a Key Encrypting Key that's going to encrypt our session key, our single-use private key. We're then going to wrap that key, that single-use session key, using a key wrapping technology like SSL, PGP, S/MIME, whatever it is. The key wrapping technology safeguards the key. We send the safeguarded and key wrapped key, the KEK, or the Key Encrypting Key, across the divide. We're able to then safeguard and authenticate the distribution of the session key. By doing that, we're able to then safely communicate between each other. So these are the moving parts that help us to do this. And these are the things that we want to be aware of, that we use in these systems to safeguard and to safely administer and set up an exchange. Keys and setup sessions, communication mechanisms between two individuals that want to exchange information securely. Let's talk about key distribution and figure out what we need to do. We were just talking about KEKs, Key Encrypting Keys, session keys, exchanging them privately and securely, key wrapping. When we think about those things, we really think about the process of key distribution, so we want to understand that it's part of key management life cycle as well. We know keys can be distributed in a number of ways, right, we can do what's calls out-of-band key exchange. We took a look at this early in our conversations about how we will transmit the secure private key, right? The single key that we have to get to everybody who wants to use the symmetric system, how do we do that? We may want to send it via email, we may call you up and give it to you verbally, we may write it down, so lots of ways to do it, but however we do it, it's going to be an out-of-band exchange. The goal there is to make sure we separate the key and the exchange of the key from the encrypted data. We don't want to put them together, that's the most important thing, we don't want to do that. We may use something called the Key Distribution Center, or a KDC concept for key management. The idea there is this is a centralized system that allows us to manage implementation of keys, issuing of them, tracking them. Making sure they're going to be sent out and distributed to people securely, making sure that we can revoke them if necessary. This may be one way of being able to manage key distribution centrally by using a concept like a KDC. They're implemented differently depending on the systems you use, in Windows, in Microsoft, in the LDAP directory, in Active Directory, we have our domain controllers, which are all KDCs, so they can be used for this. But, you may set up a separate key management system, proprietory system from an off the shelf vendor, and they will have their own key distribution process. And you may have to use their software to create KDCs. It really just depends, point is, this is one way we can manage the central distribution, by using this thought process and this concept.
